New research from CyberArk has highlighted the need for improved training to help counter the insider threats that now pose such significant challenges to businesses.
Based upon the views of over 1,300 IT security decision makers and DevOps professionals across seven countries worldwide, the CyberArk Global Advanced Threat Landscape Report 2018 revealed that more than half (51%) of respondents believed insider threats are one of the greatest threats to their organisation.
These insider threats come in various forms:
• Accidental – your employees might just not be educated enough on cybersecurity best practices and are, therefore, prone to making errors such as clicking on phishing links or downloading viruses.
• Negligent – your employees try to avoid the policies you’ve put in place to protect endpoints and valuable data.
• Malicious – certain employees use the permissions to applications, resources and data that they have been granted as part of their job to steal information, perhaps for financial gain or as an act of revenge if they are disgruntled.
And despite the fact that insider threats are seen as one of the greatest security threats to businesses, the proportion of employees who have been given local administrative privileges to install new software and change configuration settings on their endpoint devices at work has actually increased from 62% in 2016 to 87% in 2018.
Educating employees is key
Because of the different levels of insider threats, there’s a requirement for different levels and degrees of training to effectively counter these.
First and foremost there’s a need for switched-on IT security professionals who have received specialist training and understand their organisation’s security practices, how exposed they are to risk and where they are vulnerable. As always, prevention is better than cure, and if organisations understand how they could be compromised in advance, they can secure business critical accounts and intellectual property more quickly in the event of an attack.
In addition, since human error and negligence also account for so many security blunders, it’s important to implement cyber-security awareness training across all employees in your organisation, not least because security is increasingly viewed as the responsibility of all employees.
Consider the quality of the training
However, it’s not enough to simply implement a programme of security-related training and sit back – it’s vital that the training is of appropriate quality.
Indeed, the Institute of Information Security Professionals (IISP), a not-for-profit organisation with over 2,800 individual members across both private and government sectors, has voiced caution about the current quality of some cyber-security training.
The worry is that inexperienced or narrowly focused training providers are jumping on the bandwagon in the light of the spate of recent high-profile attacks. This can lead to some of the cyber-security courses on offer not providing the level of skills that businesses require to prevent and deal with such attacks, thus giving them a misplaced sense of confidence.
Amanda Finch, general manager at the IISP, explained: “While the move by companies to be more proactive in educating their practitioners and staff about cyber-security is certainly very positive, the risk is that overwrought teams will invest in training that provides only high-level or regurgitated content, which isn’t adequate and fails to reflect the evolving threat landscape, new technologies and significant changes in cyber-skill profiles and challenges.”
European Product Manager