For years the advice in cyber security was always the same: use a strong password and change it regularly, install the best antivirus application available, and steer clear of unscrupulous websites that are bound to be infected with viruses. Over the past 5 years the focus has been shifting from fortifying external defences to mitigating the threat from within.

As cyber professionals have said time and time again, it is impossible to stop a bad actor from penetrating your network. Given enough time and connectivity to the internet, they will find a way. That doesn’t mean systems should not be regularly updated and patched whenever and wherever possible. It simply means that having the latest and greatest system protection in place does not guarantee the network will not be penetrated. Thomas Farley, president of the New York Stock Exchange, recently remarked that they take a three-factor approach to their security: try to keep the bad actors out of their networks, assume they are already in there, and treat insider threats as the biggest threats.

Your greatest exposure by far is your employees, which includes not only full-time staff but also independent contractors, remote staff and, most importantly, upper management and executives, who attract the most attention because they usually have the greatest access to your systems.

There are of course the long-standing concerns, such as employees who want to supplement their income by selling trade secrets or disgruntled employees who deliberately set out to cause harm to their employers or co-workers, but these incidents are few and far between. The most common threat from a cyber security perspective is from employees who unknowingly put their company at risk because they don’t comply with, or don’t know how to follow, security procedures. According to John Chen, the CEO of Blackberry, the number one security breach at any company comes from within; attacks from the outside represent only about 20% of all cyber incidents.

Why target employees

First and foremost, employees are a much easier target than a company’s server. In today’s work environment, where productivity is paramount, how many times in a week do you speak with employees from other companies or your own co-workers and hear that they are “swamped” or “buried”? Bad actors not only recognize this but count on it by designing phishing emails that are difficult to identify in a rushed environment. The larger the company, the greater the chance of coming across an employee who is not following protocol for one reason or another. It could be because they were up late the night before and are having trouble concentrating, or they are not feeling well and just want to get through their work. Or something as simple as being a new employee or having been absent on the day the employees were trained on security protocols. All an intruder needs to find is one employee who fits one of those scenarios, and they are in.

This manipulation of employees is most commonly referred to as social engineering, which can be defined as the use of deception to manipulate individuals into disclosing confidential or personal information that may be used for fraudulent purposes.

As productivity demands placed on staff increase, they look for alternatives to make tasks easier and quicker. A survey completed by a group of IT professionals revealed that about one third of employees working in the financial sector use file-sharing applications not approved by their IT departments. While this may be convenient and easy to use, it creates the problem of transferring data over unsecured or unauthorized personal accounts. Other reasons employees make easy targets are the amount of crossover between personal and business devices and the use of personal email accounts in a business context.

How are employees targeted?

By now we have all heard of and seen examples of phishing emails. These have come a long way from the email that told you of being left a large inheritance by a long-lost relative, and all you had to do was send your banking information and it would be deposited into your account. The phishing emails of today are so well manufactured that even the company who has supposedly sent the email can’t tell if it’s real or not. Take for example the Netflix phishing email last January with the subject heading “payment declined”. Not only did it look real, it even sent you to a real Netflix page once you entered your credit card information. These types of scam emails are a numbers game. They are sent to thousands of addresses in the hope of catching that one person who is too rushed to identify it.

Phishing emails can be widespread or targeted; the targeted form is known as spear phishing. This type of attack involves researching a particular target in order to replicate emails they commonly receive. By mimicking an email they get regularly, the chance of detection is small. The risk is greater when a key player or “whale” is targeted, as they have greater access to company information.

Most of us are aware of Canada’s first coverage decision involving social engineering (Brick vs. Chubb), in which The Brick’s accounts payable department received a call from someone claiming to be from Toshiba, one of its suppliers, saying that Toshiba had changed bank accounts and providing the new bank account information. The Brick adjusted its records and over $338,000 was transferred to the new account. Needless to say, that account information had nothing to do with Toshiba. The fraud was not discovered until the fraudster called The Brick again, claiming to be a different supplier with new banking information. The number and type of scams used to defraud companies through their employees is boundless. With unlimited methods and opportunities to gain access to a company, the manipulation of internal staff has become the method of choice for fraudsters.

What can be done to limit your exposure?

No single change is going to prevent a loss from occurring, but the best way to limit your exposure is to make sure you follow some key guidelines.

  1. The single most important thing is the education of your staff, which is the best defence against social engineering scams. If your staff don’t know what to look for or how people are being scammed, how can they be expected to be part of the prevention?
  2. Make sure employees know not to reveal any company or financial information in an email, and not to respond to requests for the same.
  3. Make sure passwords are strong and changed on a regular basis.
  4. From a systems perspective, make sure all applications are updated whenever an update or patch is available. While updates can cause other hiccups in the systems, those do not compare to what can result from failing to update. The main reason the WannaCry virus in May 2017 was so widespread was that so many organizations failed to install the patch put out by Microsoft just before the exploit was released.
  5. Install antivirus software, firewalls and email filters to cut down on suspicious email traffic that might find its way to your employees.
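The email-filtering guideline above, and the Brick vs. Chubb vendor bank-change scenario described earlier, can be turned into a concrete triage rule. The following Python is an added example for illustration; it is not code from the original post or from any product the author uses. The trusted-domain list, the keyword lists, the sample emails and the "hold for callback" verdict (the accounts-payable step of confirming a banking change by phoning the supplier on a number already on file) are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Constructed for this example: domains the company already does business with.
# A real deployment would load these from the vendor master / address book.
TRUSTED_DOMAINS = {"toshiba.example", "ourcompany.example"}

# Phrases that indicate a request to change where money is sent.
BANKING_KEYWORDS = ("bank account", "banking information", "wire",
                    "new account", "remittance", "payment details")
# Pressure words that social-engineering emails lean on to short-circuit checks.
URGENCY_KEYWORDS = ("urgent", "immediately", "today", "asap", "declined")


@dataclass
class Email:
    from_addr: str
    reply_to: str
    subject: str
    body: str


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (tosh1ba vs toshiba)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(email: Email) -> dict:
    """Flag the signals a phishing / vendor-fraud email tends to carry and give a verdict."""
    flags = []
    sender_domain = domain_of(email.from_addr)

    # 1. Sender domain is not one we know, but is within two edits of one we do.
    if sender_domain not in TRUSTED_DOMAINS:
        if any(edit_distance(sender_domain, t) <= 2 for t in TRUSTED_DOMAINS):
            flags.append("lookalike_domain")

    # 2. Replies would go somewhere other than the apparent sender.
    if email.reply_to and domain_of(email.reply_to) != sender_domain:
        flags.append("reply_to_mismatch")

    text = (email.subject + " " + email.body).lower()
    # 3. The message asks to change banking / payment details.
    if any(k in text for k in BANKING_KEYWORDS):
        flags.append("banking_change_request")
    # 4. The message pushes for speed.
    if any(k in text for k in URGENCY_KEYWORDS):
        flags.append("urgency")

    # A banking change plus any other warning sign is held until the vendor is
    # confirmed by phone on a number already on file (assumed process).
    if "banking_change_request" in flags and len(flags) > 1:
        verdict = "hold_for_callback"
    elif flags:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "flags": flags}


# Constructed sample messages, not real traffic.
SAMPLE_EMAILS = [
    Email("hr@ourcompany.example", "hr@ourcompany.example", "Team lunch",
          "Lunch is on Friday, reply if you are coming."),
    Email("accounts@tosh1ba.example", "accounts@tosh1ba.example", "Updated remittance details",
          "We have changed our bank account. Please update your records and remit "
          "payment to the new account immediately."),
    Email("billing@ourcompany.example", "billing@mail-example.net", "Payment declined",
          "Your last payment was declined. Update your payment details today."),
    Email("it@ourcompany.example", "it@ourcompany.example", "Urgent: please read",
          "Please review the attached policy before the next staff meeting."),
]


def triage_all(emails=SAMPLE_EMAILS) -> dict:
    """Map each subject line to its verdict; handy for a quarantine report."""
    return {e.subject: assess(e)["verdict"] for e in emails}


if __name__ == "__main__":
    for e in SAMPLE_EMAILS:
        print(f"{e.subject!r}: {assess(e)}")
```

Substring matching is deliberately crude (the word "wire" will also match "wireless"), so this belongs in front of a human reviewer rather than as an automatic block; the value is that a bank-account change arriving with a look-alike sender or a mismatched Reply-To never reaches accounts payable without a second check.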


As with most things in cyber security, the trend of infiltrating through a company’s own employees will surely grow and evolve rapidly. Methods of gaining access will become more sophisticated and difficult to detect as criminals get smarter. Avoid playing catch-up with the ever-changing landscape by reinforcing your systems and employees through updates and education. Until the next trend emerges, defending your company from the threat within is the best form of defence.

Original Post: Clive Wayne, CIP, CRM, Cyber Claims Canada