Why Employee Behavior Is Your No. 1 Cyber Defense

People are often an organization's biggest asset — and its biggest cybersecurity liability.


According to research by Duo Security, a cloud-based trusted access provider based in Ann Arbor, Michigan, 31% of internet users click on links in phishing emails if the messages appear to come from someone they know or from inside their company, and another 17% willingly provide username and password combinations when prompted to by scams.


They do so at their employer's peril. According to the 2016 Ponemon Cost of Data Breach Study, the average cost to businesses for each stolen record containing personal or sensitive information is $158.


Phishing is one of the oldest methods of spreading malware, but it continues to be one of the most effective. The reason: It's often deployed using so-called “social engineering” techniques, which rely on human behavior such as curiosity, greed, vanity, or even kindness to entice users to click links, open attachments, or visit websites.


“This is why phishing emails and other social engineering attacks are becoming more commonly used,” says Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based independent security consulting company. “It's simply easier to gain the assistance of a curious user than it is to penetrate increasingly secure networks and servers.”


Indeed, though your networks may be fortified by security software, your best defense may be a staff trained to outsmart cybercriminals.

Phishing scams are often highly targeted

Phishing scams work because they turn normal human behavior into network vulnerabilities. Cybercriminals will go to great lengths to learn about potential targets — trolling social-media sites to learn a target's interests and habits, for example, or business websites to study executives and management — and then use that information to design targeted attacks. As a result, users may not think twice when an attack lands in their inbox.


What's more, many people are naturally trusting. “Some people are very honest and do not expect to encounter dishonest, clever scams via email,” explains Kevin Curran, PhD, Institute of Electrical and Electronics Engineers (IEEE) senior member and senior computer science lecturer at Ulster University in the U.K.


Then there are those who lack familiarity with email scams. While it's true that email is ubiquitous in today's workplace, there are still those who use it infrequently and may lack the experience to flag a scam — especially one that's well targeted.


That said, even seasoned users fall for phishing attacks. As Wenzler points out, if employees are not thinking proactively about security and are not cognizant of these threats, they will continue to open emails and click on links without regard for the potentially dangerous consequences. On the other hand, he says organizations with vigilant employees who keep cybersecurity front-of-mind are less likely to fall victim to an attack.

Using behavior to fight phishing attacks

Employee education is part of the first line of defense, right up there with firewalls and anti-virus software, says Curran. One way to educate employees is to use their own risky behavior as a learning opportunity. For example, security teams can send phishing emails containing fake malware to employees. When activated, the links simply lead those who fell for the bait to a site explaining their mistake and the dangers of what they did.
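One way to build the simulated-phishing exercise described above, as an added Python example that is not from the article or any company it names: each employee gets a uniquely signed link, and the landing endpoint verifies the signature, records who clicked for follow-up training, and redirects to the lesson page. The campaign secret, campaign id, URLs and employee ids are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example: a per-campaign signing secret, a
# campaign id, and the internal lesson page that clicked users are sent to.
CAMPAIGN_SECRET = b"rotate-me-per-campaign"
CAMPAIGN_ID = "sim-2024-q1"
TRAINING_URL = "https://intranet.example.com/security/phishing-lesson"
LINK_BASE = "https://sim.example.com/l"

def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the token payload, so the landing page can reject forged links."""
    return hmac.new(CAMPAIGN_SECRET, payload, hashlib.sha256).hexdigest()

def make_tracking_link(employee_id: str) -> str:
    """Build the unique link embedded in one employee's simulated phishing email.
    The token holds only an opaque employee id and the campaign id; it never
    carries or collects credentials."""
    payload = json.dumps({"c": CAMPAIGN_ID, "e": employee_id}, separators=(",", ":")).encode()
    token = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{LINK_BASE}?{urlencode({'t': token, 's': _sign(payload)})}"

def resolve_click(url: str, click_log: list) -> Optional[str]:
    """Landing-endpoint logic: verify the link, record who clicked for follow-up
    training, and return the lesson page to redirect to. Returns None for a
    tampered, forged, or foreign link, and logs nothing for it."""
    query = parse_qs(urlparse(url).query)
    token, sig = query.get("t", [""])[0], query.get("s", [""])[0]
    try:
        payload = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if data.get("c") != CAMPAIGN_ID:
        return None
    click_log.append({"campaign": data["c"], "employee": data["e"], "ts": int(time.time())})
    return TRAINING_URL
```

The click log is what the security team reviews afterwards to decide who needs the extra training session; the link itself carries nothing an attacker could reuse, since only a valid signature for the current campaign is accepted.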


Also, Wenzler adds, employees should always feel empowered to exercise caution when it comes to potential phishing scams. If an email seems odd — words are misspelled or strange words or phrases are used anywhere in the subject or body, for instance — employees need to feel comfortable leaving it untouched and reporting it to IT.


Other awareness training steps include regular email updates outlining the latest scams, making sure spam filters are working, providing training on smart internet browsing (and blocking certain websites if necessary), and bringing in outside security professionals to lead training sessions and/or review email systems to see if they are able to detect phishing scams.


But in the end, it comes down to employees themselves to take action.


“It's absolutely critical that employee behavior patterns are a core part of any security education program,” Wenzler says. “As a hacker or criminal, all of the security protocols and technology in place can be circumvented if you are able to get an authorized user to access the system for you.”

More information

Protecting your business against cyberthreats doesn’t have to be overwhelming. Start with the simplest and most affordable tools available. And for more tips on managing cybersecurity risk, see this resource list from the U.S. Small Business Administration, and review our business-protection tips.

Disclaimer: Views expressed in this article and the third party links contained herein may not necessarily reflect those of Citizens Bank. Citizens Bank does not guarantee the accuracy of the information contained on the third party websites linked to in this article, nor do we endorse the products or services mentioned or provided on said third party websites. The information contained herein is for informational purposes only as a service to the public, and is not legal advice or a substitute for legal counsel, nor does it constitute advertising or a solicitation. You should do your own research and/or contact your own legal or tax advisor for assistance with questions you may have on the information contained herein.