Defence technology company QinetIQ's whitepaper, Protecting your organisation from itself; The threat from within and how to mitigate it, drew on data from a 2015 then-Department for Business, Innovation and Skills (now the Department for Business, Energy and Industrial Strategy), which found that 72% of businesses where security policies were poorly understood had experienced a staff-related breach.
The report warns that employees could aid an attacker through social engineering (such as a phone call asking for computer passwords), phishing (where employees are tricked into giving out sensitive data online), or by finding and using a USB stick armed with malicious code designed to disrupt IT services.
Simon Bowyer, senior consultant, human performance at QinetiQ and co-author of the paper, said that training could be critical to halting possible data breaches.
“To educate and influence the behaviour of employees is to restrict the easiest attack route into a business,” he said. “When staff have a natural inclination towards security by virtue of an integrated company ethos they are motivated to remain alert to risks and unusual behaviours.
“If firms are to stand a chance against cyber threats they must design their security strategy taking into account human behaviour and propensity of employees to act in a security-conscious fashion. Firms must work towards a vision where staff recognise the importance of cyber security best practice and how even actions that we all take for granted, like checking a Facebook page at lunchtime, could provide cyber criminals with an avenue into a business."
He warned that leaving it up to one department would not be sufficient. “Cyber security is no longer the sole responsibility of the IT department,” he said. “It is the responsibility of everyone. It needs to be closely integrated with the aims of the business and the entire employment lifecycle.”
