Nine out of 10 UK organisational cybersecurity risks are internal, says Telstra report
The biggest risk to a British company’s cybersecurity is not, as often believed, external hackers and overseas-based virus attacks, but an organisation’s own employees. Whether unknowing or intentional, the actions of those within an organisation have been shown to be the biggest threat to the digital security of a company, according to new research by technology and telecommunications company Telstra.
Among the key findings of the Telstra Cyber Security Report 2019, the study found that 89% of surveyed UK organisations were affected by unintentional human error in the past year, resulting in at least one incident that compromised the security, integrity or availability of a service.
The study, which surveyed close to 1,300 professionals across 13 countries, also revealed the frequency of these instances – 12% of British companies reported experiencing weekly occurrences, 14% reported monthly occurrences and 22% experienced incidents quarterly. Compounding this is the time it takes to detect an unintentional security incident – 21% of those who were surveyed said it took days, on average, to identify such errors, while 19% said it took weeks.
Perhaps even more concerning for UK businesses is the number and frequency of malicious actions that are deliberately inflicted by employees. The study found that a quarter (25%) of companies surveyed experienced security incidents due to intentional employee actions on a monthly basis, and 22% said it occurred every six months.
Robert Robinson, security practice lead at Company85, a Telstra company, said that organisations are so focused on external threats that they can often forget about the threat posed by their own employees.
“While unintentional human error and malicious activity are not ‘traditional’ methods of attack, it is no surprise that these are some of the leading causes of business disruption. This is because so much investment goes towards preventing external threats that the risks posed by internal employees can often be underestimated.
“What organisations need to do is make sure that their cyber security investment is proportioned well enough to properly train, educate and review staff and internal processes to ensure human error and malicious threats can be minimised.”
Other key findings from the data include:
- 46% of European respondents surveyed indicated that the level of concern from customers on data privacy has increased over the past 12 months
- 83% of European organisations surveyed spend up to 20% of their overall IT budget on security
- Cloud and mobile devices are the biggest source of concern related to UK security attacks (34%)
- More than half of victims (51%) who experienced a ransomware attack paid the ransom
The report also found that security breaches of all types are still extremely prevalent: 65% of UK organisations suffered at least one security breach in the past year that resulted in a confirmed disclosure.
It showed that vulnerable unpatched systems and operational technologies such as video cameras and building management systems are the most popular gateways for external attacks (89%). These were followed closely by malware attacks such as spyware, downloaders and adminware (88%); web application attacks, phishing attacks and operational technology attacks (86%); and Distributed Denial of Service (DDoS) attacks (83%). Rounding out the most popular methods of attack were business email compromise (82%), ransomware (79%), hacking (77%), identity theft (74%) and advanced persistent threat (APT) attacks (69%).
Robinson continued, “Conventional attacks should still be a huge worry for organisations as the research shows they are still incredibly widespread. To help prevent incapacitating external attacks, organisations must ensure they have effective, enterprise-grade solutions and systems that can help reduce the chances of an attack being successful and help them recover from the attack should it breach the walls.”