What’s the biggest cyber threat to your company: hackers, employees, or ransomware?


Given the tremendous growth in cyberattacks during the COVID pandemic, it may be tempting to assume that external threats must naturally pose more of a cyber risk to organizations than internal threats. Yet, it’s a dangerous misconception.

A recent SolarWinds report found that hackers are the biggest source of cyber threats to public sector organizations today, but they are only marginally more of a risk than employees themselves.

These employees are not a risk due to unethical practices or nefarious morals, however, but rather due to a fundamental lack of skills and awareness of the practices they can and should be adopting to be cyber secure. The report marks the first year in the past five in which employees were not the biggest threat faced by organizations.

“Cybersecurity has been traditionally thought of as mainly an external threat, but insiders, malicious or accidental, can pose an equal or greater risk to organizations,” says Chris Pogue, Head of Strategic Alliances at Nuix. “Insiders typically have access to sensitive information. They know what sorts of activities their organizations are engaged in and, more crucially, where the critical value data sits, including projects they are working on, IP, and pricing. They also likely know who would be most interested in obtaining that information, be it a competitor, a hostile or failed nation-state, or the media.”

Hackers, sloppy employees, or ransomware?

Whereas state and local governments were most likely to be concerned by external hackers, the opposite was the case with federal civilian agencies, which reported that sloppy employees remained their biggest cause for concern. Interestingly, when discussing external threats, the majority of respondents said that foreign governments represented their biggest concern, especially those in the defense sector.

State and local governments were far more likely to be threatened by hackers than other public institutions, with ransomware, malware, and phishing the areas of most concern for security teams in these agencies. The ability of security teams to tackle these growing threats has been hampered by budget constraints, with half of state government-based respondents saying their budgets were being squeezed.

"Government agencies that deal with sensitive personal information and national security have to be much more aware of cybersecurity threats than they currently seem to be," says Martin Smith MBE, Founder and Chairman of SASIG, the Security Awareness Special Interest Group. "Good people do make mistakes, and approximately half of incidents result from careless and avoidable breaches in security. Creating a culture that makes staff aware of threats, so that recognizing them becomes second nature, will improve protection significantly."

Spotting threats

The budget constraints faced by public bodies mean that neither the time to detection nor the successful resolution of cyber breaches has improved in recent years, especially not relative to the growing threat faced by organizations. This was especially problematic for educational institutions, which struggled to identify the root cause of the security issues they faced, with obvious implications for their ability to resolve them. In response, there was a consensus across public sector bodies that they would like to spend more to enhance their investigative and remediation capabilities. Improving capabilities in these areas was widely seen as crucial to complying with the Cybersecurity Executive Order introduced by the federal government to improve the nation’s cybersecurity.

As well as a fundamental lack of budget to do the increasingly complex job required of them, organizations complained about a lack of training and the expanded perimeter caused by the surge in remote working during the pandemic as particular problems. Often this training needs to be directed across operational teams, as the security teams themselves thought that they were well prepared for the threats faced today.

Most teams utilized the principle of least privilege, with 70% already implementing such a solution and even more relying on either formal or informal zero-trust-based approaches. There was also a strong desire to focus spending on replacing legacy applications, with a migration onto the cloud also strongly favored.

“Companies need to facilitate more accessible digital workplaces to allow people to work remotely. High levels of accessibility and privacy should be essential parts of the future of work,” Yoshihisa Naganuma told Cybernews.