Kaspersky research shows that 970 557 phishing attacks were detected in South Africa in Q1 2019 alone (an average of 10 783 per day), along with 53 829 mobile malware attacks in the same period, an increase of 6% compared to Q1 2018. This raises the question of how vulnerable companies are to these threats, and what role human error plays in businesses falling victim to such attacks in a growing cyber threat landscape.

Riaan Badenhorst, GM of Kaspersky in Africa, believes that human error is a corporate cyber risk that needs far more proactive action to ensure minimal impact.

“While the concept of Bring Your Own Device (BYOD) has presented many opportunities to companies and no doubt adds a positive element to the overall productivity of a growing digital business, it has also brought some serious risk – linked to human error – that can be very costly.”

Kaspersky global research shows that 60% of employees have confidential data on their corporate device. It is not surprising, then, that further research highlights that 35% of all businesses surveyed in a recent report experienced BYOD-related incidents in 2018. The cost of physical loss of BYOD devices is $489 000 per enterprise, and the cost of malware infection of BYOD devices is $664 000 per enterprise.

Badenhorst adds: “Considering these statistics, if a business is serious about its BYOD strategy, it must be so with cybersecurity awareness and training in mind, especially knowing that 52% of businesses regard employees as the biggest threat to corporate cyber security. Such awareness, however, extends beyond the basic training structures that most organisations have become accustomed to.”

In 2017, Kaspersky reported that 59% of South African companies attributed weaknesses in their IT security strategy to the careless actions of employees. And the global WannaCry and NotPetya ransomware epidemics that caused great impact and concern demonstrated that the human factor often plays a major role in making businesses worldwide vulnerable to cybercrime.

“Minimising, or hopefully eliminating, the potential human error aspect of cybersecurity in a business requires the business to look at building a Human Firewall. This is achieved through the right security awareness and training solutions that go beyond basic training, to offer training that is easily digestible, practical, and importantly, memorable,” says Badenhorst.

Companies should offer training to ensure staff are armed with the very latest skills and knowledge as the cyber world evolves. To avoid widespread cyber threats and attacks, everyone within a business should know how to identify obviously malicious websites, such as those serving malware that asks a user to update software. Personnel who have access to sensitive information and business-critical systems should be given more advanced training and learn to recognise personalised fake emails that may be malicious and could cause massive destruction.

“While cyber security policies remain critically important, dedicated training of this nature is not about lecturing staff on cybersecurity obligations and policy rules. Rather, it is about making effective learning open to businesses of any size, ensuring a company can balance security competence levels throughout a business for different groups of employees – all to support the employee learning process to ensure they themselves are invested in cybersecurity measures, which plays a vital role in safeguarding business-critical data,” concludes Badenhorst.