Employees are one of the most overlooked and most dangerous areas of security risk in an organization. The human element is susceptible to all types of attack and error, not to mention that employees can also act with malicious intent.
But for the sake of this post, let’s focus on non-malicious insiders, i.e., those who don’t want to harm the organization but could inadvertently leak sensitive information. Common examples of this scenario include employees using weak passwords, sending emails to the wrong party, providing credentials or personal information over the phone, and uploading unencrypted data files to the Internet.
There’s also the issue of malware infection. According to the 2016 Verizon Data Breach Investigations Report, social engineering campaigns targeting employees have steadily increased since 2013. These campaigns continue to be extremely successful in exploiting the human element to deliver malware.
What can be done to mitigate human security risk?
While human security risk can never be completely eliminated, it can be significantly reduced. Begin by assessing the areas of risk related to your industry and human interaction in that sector—email, messaging and phone calls, to name a few—and prioritize your approach for addressing the identified risks.
Implementing a robust security awareness training program is one of the most tried-and-true methods for successfully reducing human security risk. Constant, repetitive training changes behavior by increasing individual and collective security awareness. Be sure to regularly assess and modify the program to reflect your training results and industry trends.
Finally, keep in mind that your efforts to evaluate and address human security risk should be part of a comprehensive organizational risk management program. The overarching goal here is to proactively review your organization’s risk using a formal plan on an ongoing basis.