To prevent non-malicious insider risks from becoming national headlines, companies need to deliver just-in-time cybersecurity training.

Armaan Mahbod, Director, Security and Business Intelligence, DTEX Systems

January 31, 2023


Cybersecurity is on the minds of board executives, but not necessarily on the minds of bored employees. Corporations have spent billions of dollars on an alphabet soup of security products designed to keep the bad guys out of the hen house, not realizing the enemy may already be among us because we are our own Achilles heel.

The list of companies that have been compromised from within is millions of dollars long. A short list starts here: Uber. Colonial Pipeline. Optus. All of the companies had cybersecurity defenses and policies in place that checked boxes and calmed corporate leaders, only to find out that after they thought they had locked everything down, someone on the inside had given the bad guys the keys to the castle and all of the secrets within.

Rather than just checking boxes, some companies are looking to deliver cybersecurity education at the point of an infraction, reinforcing the message while improving the company's cybersecurity posture.

Why Break Down the Door When Someone Will Let You In?

In September, Uber was hacked by an 18-year-old. Using a contractor's credentials, he socially engineered a multifactor authentication fatigue attack that allowed him to post and exfiltrate Slack messages, view vulnerability reports, and rummage through the company's invoices. If the kid had been looking for gold, not glory, who knows how many millions of dollars Uber would have coughed up to keep everything quiet?

Colonial Pipeline did pay a ransom, but not before the company shut down the pipeline to prevent the breach from spreading across the entire organization. The hackers were able to carry out their attack because an employee had reused a VPN password. In this case, simple multifactor authentication would have kept the doorway closed. DarkSide struck quickly, exfiltrating 100 gigabytes of data within a two-hour window and then collecting $4.4 million in ransom once the company understood that was the cost of doing business with hackers.

The Optus breach happened when an outside hacker found credentials for an internal IT team member. The attacker then socially engineered that individual into giving up his multi-factor authentication, which opened the network doors but did not set off alarms. What made the breach so large was that another individual, an IT administrator, had placed a script on one of the servers containing plaintext passwords for their privileged access management tool.

It's a People Problem – Talk About Insider Risk!

In each of the cases above, it is safe to say that these multi-billion-dollar companies thought that they had the best cybersecurity defenses that money could buy in place, only to find that non-malicious employees were the source of their crises. It is also a fair bet that each of these companies had robust cybersecurity training programs in place. In practice, when you build a fool-proof defense, intelligent people make expensive mistakes and shatter the illusion of security.

So, what is a company to do? Simple. Do a better job with cybersecurity training for employees and contractors. Deliver just-in-time cybersecurity training.

Sometimes when you have a security problem, hiring more security personnel is not the answer. Education is the answer: delivering cybersecurity training at the moment of an infraction is one of your best weapons for curbing a future insider threat by reducing insider risk.

Corporate policies on what is permissible within an organization vary widely. For example, some companies do not allow personal email accounts on company laptops. Others do. But in either case, most companies frown on employees walking out the door with thumb drives of sensitive IP, sending work projects to personal e-mail accounts, or depositing corporate sales data in a personal Dropbox account. These are insider cybersecurity risks that employees either do not know about or flat-out ignore.

Often the person committing the offense isn't doing it maliciously; they're simply trying to get their job done in the most efficient way possible. However, their increased efficiency comes at the expense of weakening the organization's cybersecurity posture.

Education Delivered at the Right Time Is Key

Just about every company, regardless of size, has an annual cybersecurity training, typically a video that employees must watch, followed by a quiz at the end. You have probably taken one of these and felt that it was as useless as teaching a dog to sing. No one is happy with the outcome in the end.

Instead of pushing mandatory tests that everyone passes but that fail to make the company safer, it is better to deliver cybersecurity training at the moment of an infraction. Providing a security warning when someone inserts a thumb drive where it does not belong reinforces the company's cybersecurity policies. If the message is delivered in the right way, it helps the employee understand their role in preventing data breaches. Even better, because the alerts can be amalgamated by the security team, they can make the next annual cybersecurity training more relevant.
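One way a defender could implement the point-of-infraction nudge and the alert amalgamation described above, as an added example that is not part of the original article or of any DTEX product: the endpoint event shapes, the policy rules, and the personal-domain lists are constructed assumptions for illustration.

```python
from collections import Counter
from typing import Optional

# Assumed policy table: infraction kind -> (just-in-time message, training topic).
POLICY = {
    "usb_insert": ("Removable media is not permitted on this system. "
                   "Use the approved file-transfer service instead.", "removable-media"),
    "personal_email_send": ("Work files may not be sent to personal email accounts. "
                            "Share via the corporate workspace.", "personal-email"),
    "personal_cloud_upload": ("Uploading company data to personal cloud storage "
                              "is against policy. Use the corporate share.", "personal-cloud"),
}
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # assumed list
PERSONAL_CLOUD_HOSTS = {"dropbox.com", "drive.google.com"}          # assumed list

def classify(event: dict) -> Optional[str]:
    """Map one constructed endpoint event to a policy infraction kind, or None."""
    kind = event.get("type")
    if kind == "device_connect" and event.get("class") == "mass_storage":
        return "usb_insert"
    if kind == "email_send":
        domain = event.get("to", "").rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_MAIL_DOMAINS and event.get("attachments"):
            return "personal_email_send"
    if kind == "http_upload":
        host = event.get("host", "").lower()
        if any(host == h or host.endswith("." + h) for h in PERSONAL_CLOUD_HOSTS):
            return "personal_cloud_upload"
    return None

def process_events(events):
    """Return (nudges to show each user at the moment of infraction,
    per-topic tally the security team can fold into annual training)."""
    nudges, tally = [], Counter()
    for ev in events:
        infraction = classify(ev)
        if infraction is None:
            continue
        message, topic = POLICY[infraction]
        nudges.append((ev["user"], message))
        tally[topic] += 1
    return nudges, tally

# Constructed sample telemetry, not real data.
EVENTS = [
    {"user": "alice", "type": "device_connect", "class": "mass_storage"},
    {"user": "alice", "type": "device_connect", "class": "hid"},          # a keyboard: fine
    {"user": "bob", "type": "email_send", "to": "bob.home@gmail.com", "attachments": ["q3.xlsx"]},
    {"user": "dave", "type": "email_send", "to": "partner@corp.example", "attachments": ["q3.xlsx"]},
    {"user": "carol", "type": "http_upload", "host": "www.dropbox.com", "bytes": 1048576},
]
```

Running `process_events(EVENTS)` yields three nudges and a tally with one hit per topic, which is exactly the data that makes the next annual training relevant to what staff actually do.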

Porcupines have quills that protect them from most predators, but they have a soft underbelly that, once exposed, makes them quite vulnerable. In cybersecurity, people are often the weakest link, and they must be protected from themselves. Companies need to acknowledge this weakness and provide better and on-time training. We must treat this as a people problem. By helping people help themselves with improved cybersecurity training, we can better protect the corporate cybersecurity underbelly and save millions.

About the Author(s)

Armaan Mahbod

Director, Security and Business Intelligence, DTEX Systems

Armaan is a seasoned insider threat investigator and researcher, directing the investigation, research, and content development teams for DTEX Systems. He is a proven leader with hands-on expertise working with SMB and global Fortune 500 enterprises spanning a multitude of industries (large critical infrastructure, financial banking, manufacturing, pharmaceutical innovation and research, and more), driving investigations, use case development, security program development, and governance. With full in-depth knowledge of procedures and processes across innovative and compliance-driven organizations, he is at the forefront of human behavior analysis and its impact on both internal and external threats.
