In Cybersecurity, People Are the Problem


One of the corollaries of Murphy’s Law is that nothing can be made foolproof because fools are so ingenious. Few businesses would call out their employees as fools, but privately, many business managers implicitly acknowledge that human error by employees (regardless of whether those employees are ingenious, or otherwise) is the catalyst for a majority of business problems. Nowhere is this more accurate than in cybersecurity.

Notwithstanding all of the technical defenses and cybersecurity education that businesses might invest in, employee error causes up to half of all data breaches and cybersecurity incidents. In one noteworthy ransomware incident, for example, a new employee at a small company opened an email from an unrecognized sender with a .zip file attachment that was purportedly a shipping invoice. Although the employee said she could not remember whether she clicked on the attachment, the company's systems were rapidly infected with ransomware that froze every workstation within a matter of minutes.

In a more egregious incident, an employee of the European cable and wire manufacturer Leoni AG fell prey to a phishing scam when she complied with a request in an email that appeared to have been sent to her by one of the company's executive officers. The email asked her to wire almost $44 million into a third-party account. She complied with the request because the email included enough detail to give it a gloss of legitimacy. This incident was not an outlier in the world of email scams: the FBI reported that in 2016 companies lost an aggregate of more than $3 billion in similar business email scams that targeted gullible employees.

The impetus behind these and similar scams is obvious. Hackers take the path of least resistance and go after people rather than attempting to crack the technology, which poses greater roadblocks. Phishing scams like the one that targeted Leoni AG play on an employee's tendency to respond to digital communications quickly and with little critical thinking. Hackers rely on the same tendency to con unwitting employees into opening attachments that launch ransomware. Most cybersecurity experts agree that regular employee education is the key to reducing employee-related cybersecurity incidents. That education should include:


* Techniques and tips for recognizing phishing emails and ransomware attachments. Many cyberattacks follow common fact patterns. The patterns do change, but regular training and education will keep awareness of this form of scam at the forefront of an employee's mind.

* Usage policies for computers and portable devices. Businesses should maintain tight control over the mobile apps installed on smartphones and tablets and should strictly preclude employees from logging into business networks through free Wi-Fi hotspots.

* Mandatory use of strong passwords for network logins. Passwords should also be changed frequently and different passwords should be used for logins to other online services.

* Policies for reporting problems quickly. Employees will not want to admit mistakes, but the chances of stemming fallout from a phishing or ransomware attack are much better if a problem is addressed quickly.

* Physical device security. Lost or stolen laptops and mobile devices are the source of a significant percentage of cybersecurity problems.
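The two incidents described above share indicators that a mail gateway or help-desk triage script can check mechanically: an executive's name on the display line but an address outside the company domain, payment-request wording, and an archive attachment from a sender the company does not know. The following is an added illustration (not code from the article or from any named company); the executive roster, company domain, partner allow-list and the three sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_NAMES = {"jane doe"}                 # assumed executive roster
INTERNAL_DOMAIN = "example.com"           # assumed company domain
KNOWN_SENDERS = {"supplier.example"}      # assumed allow-list of partner domains
WIRE_WORDS = re.compile(r"\b(wire|transfer|urgent|account number)\b", re.I)
RISKY_EXT = (".zip", ".exe", ".js", ".scr")

def score_message(raw: str) -> list:
    """Return the indicators found in a raw RFC 822 message (empty list = none)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    hits = []
    # Executive display name, but the address is outside the company domain
    if name.strip().lower() in EXEC_NAMES and domain != INTERNAL_DOMAIN:
        hits.append("executive-name-external-domain")
    # Reply-To steering answers somewhere other than the visible sender
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower() != addr.lower():
        hits.append("reply-to-mismatch")
    # Archive or executable attachment from a sender the company does not know
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT) and domain not in KNOWN_SENDERS | {INTERNAL_DOMAIN}:
            hits.append("risky-attachment-unknown-sender")
    # Payment-request language in the text body
    body = msg.get_body(preferencelist=("plain",))
    if body and WIRE_WORDS.search(body.get_content()):
        hits.append("payment-request-language")
    return hits

def build_sample(from_hdr, subject, text, attachment=None):
    """Construct a raw sample message for testing the checks above."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_hdr, "clerk@example.com", subject
    m.set_content(text)
    if attachment:
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename=attachment)
    return m.as_string()

# Constructed samples modelled on the two incidents in the article
BEC_SAMPLE = build_sample("Jane Doe <jane.doe@mail-provider.example>", "Urgent",
                          "Please wire 44 million to account number 123 today.")
RANSOM_SAMPLE = build_sample("Shipping <invoice@unknown-sender.example>", "Your invoice",
                             "See attached shipping invoice.", attachment="invoice.zip")
CLEAN_SAMPLE = build_sample("Jane Doe <jane.doe@example.com>", "Lunch", "Team lunch Friday?")
```

A non-empty result is a reason to hold the message for a second look, not proof of fraud; the checks are deliberately simple so that the same reasoning can be taught to employees during the training the article recommends.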

In the final analysis, businesses should understand that even with the best training and education, accidents do happen and employees will make mistakes. Just as liability insurers provide coverage for losses and liabilities that flow from physical accidents, cyber insurance companies can provide coverage for direct losses and third-party liabilities that arise when a cyberattack shuts down internal systems, creates fraud-based financial losses, or compromises customer financial information. Cyber insurance can be the difference between getting a business back on track quickly following a cyberattack and spending weeks or months and significant financial resources to recover from an employee's mistake.
