Having the best cyber-security defences in the world means nothing if your employees are loose-lipped with company secrets; once the information is out, there is nothing left to protect you.

Cyber Security Risk from Employees
While 98% of cyber attacks come from external sources, it is companies' own employees who are leaking the vital information. (Credit: Reuters)

Firewalls, anti-virus, cyber-security policies, active threat monitoring: these are all vital tools for business in the war against cyber-criminals. However, if your employees reveal sensitive company secrets to the world, those tools become redundant and there is very little you can do to protect yourself from a targeted attack.

That is the consensus of the Cyber Security division at Salamanca Group, which advises some of the biggest companies in the world on their cyber policy.

Heyrick Bond Gunning, managing director of Salamanca Group, says that you can spend a lot of money on security but "the weakest link is often the human element."

Gunning explained that his group had been employed to do penetration testing in order to assess a company's cyber-security risk. As part of that testing, they didn't just test the company's networks and systems, but also looked at its employees.

Down the pub

The group discovered that in a lot of situations the biggest leaks come while employees are outside having a cigarette or down the pub on a Friday evening, when they openly talk about private, sensitive information that could be used against their company in targeted attacks.

For example, if someone looking to attack a major corporation overheard an employee talking about a major deal about to be signed and who was involved, it would be very easy for them to craft a tailored spear-phishing email about the deal and send it to one of those involved with a link to a compromised website. Before you know it, the cyber-criminal has installed malware on your company's internal systems.

Another major avenue for leaks is social networks, and while some companies have completely shut down access to Facebook or Twitter, this leads to its own problems. Lior Arbel from security consultancy Performanta told IBTimes UK this week that denying access to Facebook was leading to prospective employees turning down job offers in favour of companies that allowed access.

Getting the balance right

So getting the balance right is key, according to Gunning:

"You've got to carry on with your business. You can't be military about life and ultra-secretive about [your] information, but you probably do need to understand [which information] is critical, what are the crown jewels, and protect those elements."

Gunning gave the example of last year's Olympic Games, where the volunteers were leaking "a lot of information." Rather than simply firing them all, Salamanca was called in to help get the message across about which information is critical and which can be shared.

A report this week by KPMG on the top 350 companies listed on the London Stock Exchange highlighted that every single one of the companies on the list was leaking sensitive information that could be used by cyber-criminals in targeted attacks.

One of the main problems, according to the manager of Salamanca's Cyber Security Division, Feras Tappuni, is that the job of the person in charge of defending the network has gotten a lot tougher in recent years.

Tappuni said the person in charge may be dealing with the same number of staff, but "the number of devices has gone up threefold." This is a result of the smartphone and tablet explosion and the BYOD (bring your own device) phenomenon.

Threats, Tappuni says, have also "escalated," and the "real challenge is educating [the] team and the board about what the threats are."

Size doesn't matter

No matter what size your business is, information is now seen as a company's most important asset. Earlier this week, kitchen retailer Lakeland admitted it had been the victim of a "sophisticated and sustained attack," revealing that hackers had gained access to two encrypted databases containing customers' passwords.

But that information is just as important whether you are Merrill Lynch or Lakeland, as it is "the heart of your business, and [losing it] can do irreparable damage to your business. So you have to secure that," Tappuni added.

Salamanca believes that 97% of attacks can be prevented by implementing a basic level of security, including the boring stuff: checking your network, internal training, documenting, and pen testing.

"You cannot be reactive to these issues; you have to be on the front foot. You cannot bulletproof your network, because if people like Lockheed Martin and RSA can get hacked, then you can get hacked. What you can do is raise the wall high enough that they go somewhere else," Tappuni said.

Tappuni says he "does feel sorry for his clients" because of the level of threats they face nowadays, but you cannot bury your head in the sand, because "doing nothing can be the most expensive thing."