While the threats posed by hackers and other cybercriminals to organisations’ networks and data are common knowledge, what is less known is that the biggest cyberthreat often resides within the organisation itself – in the form of its employees.

This is according to Munsoft regional client relations director Matome Lemekoana, who notes that internal cybersecurity threats are those posed by individuals that originate within an organisation itself. These can be current employees, former employees or external contractors and vendors. Essentially, anyone who has access to an organisation’s devices or data.

“At the same time, we are seeing a worrying trend where some of the country’s national government departments, state-owned enterprises and local municipalities are increasingly being targeted by cyberattacks,” Lemekoana says.

“Attacks on municipal IT infrastructure are seeing a rise in both the number of attacks and frequency, as hackers target local governments for the purpose of stealing intellectual property, mining critical data and simply for financial gain.”

Despite following cybersecurity best practices and protecting their IT environments with the latest security solutions and systems, municipalities still remain vulnerable to attacks as the weak link in their security posture often manifests internally. The actions of employees – whether malicious or simply careless – can render the most robust IT security systems ineffectual, exposing sensitive data to attack.

Misused user credentials

“Internal threats arise when legitimate user credentials are misused to the detriment of the municipality’s networks, systems and data. Internal threats may be executed intentionally or unintentionally, but regardless of the intent, the result is potentially compromised confidentiality, availability and/or integrity of systems and data,” says Lemekoana.

He points out that aside from the intentional actions by disgruntled or former employees, municipalities should be particularly vigilant about the risk that stem from unintentional actions that can lead to a security breach. This includes employees who use their personal email addresses, phones or other device for work, which could comprise the municipality’s overall data security and protection.

“It is important to remember that personal email accounts and devices exist outside the control of the IT department. Hence, they are not subject to backup, archiving, security or governance, which means that using them for business purposes would be a violation of compliance regulations,” says Lemekoana.

“This could lead to serious risks of intellectual property theft, loss of an organisation’s sensitive data or the violation of customer privacy.”

Furthermore, using personal email accounts for work can create a security vulnerability that can be exploited by hackers. For example, a municipality’s email system would typically be protected by an enterprise-grade security solution to defend against viruses and malware, but this level of protection is unlikely to be present on an employee’s personal email account.

Vulnerable to malware

“So, when an employee opens an infected email on an organisation’s computer, it could leave the organisation’s entire network vulnerable to malware. Any municipality that allows its employees to use personal emails for work is risking its business data being stored on external mail servers and outside of its control. They would have no way of knowing where this data is stored, how it is secured or where it is transmitted,” says Lemekoana.

Similarly, bring-your-own-device (BYOD) practices – using personal devices in working environments – have the potential to create their own host of cybersecurity issues that could expose a municipality to cyberthreats.

“By allowing their employees to use their own devices unchecked, municipalities could be opening themselves up to data theft. Some of the personal applications that employees use on their devices might not have stringent security requirements, so if an account they have for personal use is hacked, it could ultimately expose organisational data and confidential information,” says Lemekoana.

Additionally, employees use their personal devices to download various types of files and applications, some of which could carry hidden viruses or malware. The malware could then be passed onto the municipality’s network when the employee logs in from the infected device.

Stolen or missing devices

“Another potential danger is when an employee’s device is stolen or goes missing, which could cause serious issues. If the employee wasn’t following organisational security protocols when using their device, it could cause a major breach if the device ends up in the wrong hands,” says Lemekoana.

“But even if the employee followed security protocols, hacking technology is now so sophisticated that even a robust password or fingerprint authentication requirement might not be enough to hackers locked out of the device.”

While strictly monitoring or prohibiting the use of personal email accounts and devices for work, municipalities should foster a cybersecurity awareness culture to ensure that their employees willingly embrace and proactively use cyber-secure practices, both professionally and personally.

Lemekoana concludes: “It is only by instilling a culture of security among their workforce that municipalities will be able to ensure that their employees play an active role in safeguarding organisational data from being exposed to cyberthreats, instead of being the weakest link in the cybersecurity chain that hackers can readily exploit.”