When it comes to cybercrime and cyber attacks, most people imagine that the greatest threat comes from outside the company. To some extent it does, but the real danger to a company is the employee who has a laptop or computer connected to the company's internal network and who handles sensitive data.
Most of the time, the CV line "PC knowledge: environment" matters only as long as the future employee knows how to handle the software the company uses, or Excel. From there to a disaster in the event of a cyber attack, it is just a ... click.
In a survey conducted by Haystax Technology, 74% of organizations surveyed found themselves vulnerable to internal threats, while 56% of IT security firms surveyed said that in-house dangers had increased significantly in the past year.
After the WannaCry attack, it was found that most of the vulnerabilities arose because of the ignorance and/or negligence of some employees who ignored the warnings.
Three types of employees have been identified that can become an internal danger to a company's data.
1. Employees who may compromise important data through innocent actions
This category includes those who lose work phones on which they have stored emails and other data belonging to the company they work for. More seriously, there have been reports of employees who, without realizing the danger, sold their work phones to a third party.
Also in this category are those who copy sensitive business data from their laptops onto personal storage devices. Using the laptop at home also becomes a problem if the "home user" network is not secure or if infected PCs or other devices are connected to that network. In the case of WannaCry, there were reports of several instances where the virus was brought into companies' internal networks by employees who had had their laptops at home.
This kind of employee can cause greater damage than a malicious hacker might.
2. Inattentive and/or negligent employees
We all know the blinking warnings that appear on the screen and ask us to take immediate action.
In a poll conducted by Google in 2013, it was found that of 25 million warnings shown by Google Chrome, 70.2% were ignored. Following this disastrous report, Google decided to simplify the immediate action procedure aimed at blocking or neutralizing the potential danger. This is just one example, from Google Chrome. Warnings from antivirus software are often ignored by users or treated superficially. There are many situations in which the employee does not even check the report of a warning message, much less report the potential danger. A large number of alerts are dismissed and employees carry on working on the laptop or PC.
Opening dubious emails and downloading malicious files is another big problem. Many employees open email attachments without a second thought and without checking them first.
For both 1 and 2, a large part of the blame lies with the company. Should we ask how many companies explain to employees how an antivirus works and how to optimize its security settings? Better not.
3. Employees with bad intentions
Unfortunately, human error and inattention are not the only causes of data compromise within a company. Employees with bad intentions also play an important role.
This category includes employees who "vent" their frustrations by leaking sensitive data to third parties or even directly onto the Internet. There have been cases in which employees, out of various grievances, published on the Internet sensitive databases of the companies they were working for or had worked for.
There were also a few cases where data was stolen and sold to another company. Sabotage and internal computer espionage also fall into this category.
In a study commissioned in 2016 by the cyber security company Nuix, 93% of those interviewed considered the human factor to be the greatest risk to data integrity.
The solution is in the hands of companies, which could sanction negligent employees and those who misunderstand or deliberately violate security and privacy policies.
This is unlikely to happen on a large scale, in an environment where everything is done "fast forward".