Are Your Employees Increasing Your Cybersecurity Risk?
The digital economy is in full swing. This offers employees easy access to data and information. Therefore, we expect greater productivity from our employees than ever before. This is not an unreasonable expectation. Unfortunately, not all aspects of easy access to data are positive. This situation exposes us to entities who use the internet in malicious ways. These cyber criminals often use clever means to trick employees into giving them access to sensitive information.
In this post, we describe how employees can expose your company’s sensitive data and information. Additionally, we provide recommendations to help you limit the related employee cybersecurity risk.
Employee Cybersecurity Risk 1 – Internet of Things and Mobile Applications
Employee use of mobile and IoT devices can expose your company to cybersecurity risk.
According to the FBI, cyber criminals are using nearby mobile and IoT devices as proxies for anonymity and pursuit of malicious cyber activities. In other words, the cyber criminals are transmitting data and information using the IP address from a nearby mobile or IoT device. This activity does not directly expose your company information. However, it may generate unwanted attention to your company’s IP addresses.
A wide range of sources offer mobile applications free of charge. These applications may offer easy access to data, steep sales discounts on merchandise, or some other attractive feature. In exchange for the offer of the free application, the provider expects something in return. As the old saying goes, ‘If it seems too good to be true, it probably is’. In other words, it pays to be suspicious of any ‘free’ offering. The entity offering something of value ALWAYS seeks a return on their investment. If the payoff to the party offering something of value is not obvious, it is best to leave the offer unanswered.
Often, the party providing the ‘free’ app or service will install malware that gives the cyber criminals access to sensitive data. They may steal credit card information, monitor your email, or download apps without your knowledge. Before downloading any apps or opening any files, thoroughly review the terms and conditions of acceptance. A good cyber security policy will suggest employees do not download any apps or open any files from any source they do not know well. Additionally, we recommend that your employees scan downloaded files with a good cyber security risk analysis tool before executing or opening them.
Employee Cybersecurity Risk 2 – Email
Email has been, and continues to be, one of the most prolific platforms for transmission of malware and viruses. Generally, cybersecurity software can detect the more prevalent malware and viruses. Unfortunately, the software cannot detect all virus and malware threats. The best protection against malware or virus infection is to enforce strict email protocols.
Many business leaders consider phishing one of the most prevalent cybersecurity risks. Malicious websites trick web searchers into giving up information that allows access to company data. One common technique is for the website to invite the web searcher to log in using their personal or work email address. When prompted for a password, the employee enters the password associated with that personal or work email account, thinking this will log them into their email service. What is actually happening is that the password is being set on a new account the website is creating. At this stage, the cyber criminals can simply use the user ID and password provided to gain access to the user’s email.
Another popular phishing mechanism is for the cyber criminals to propose a great offer. Clicking on the icon to activate the supposed offer initiates downloading of malware or some other cybersecurity threat.
Your employees need to clearly understand and adhere to cybersecurity guidelines. This includes the requirement for all employees to not click on or otherwise open attachments coming from unknown sources. Similarly, employees should refrain from visiting websites they are unfamiliar with.
Employee Cybersecurity Risk 3 – Exposing Company Data
Internet access is essential for many job functions in modern businesses. However, the degree of freedom needed for employees to do their job varies. Employees may argue that they need unrestricted internet access in order to achieve peak performance. On the other hand, a CISO may support controlled internet access. Company policy is likely to fall somewhere between these two extremes. In any case, use of cyber security protection will reduce the risk of cyber threats becoming cyber attacks.
Employees can increase risk of cyber attacks in a variety of ways:
Employees accessing company data on public WiFi
Incidence of WiFi router hacking has increased significantly in 2018. When employees log into your company network using publicly available WiFi, they are risking data theft. The hacker can intercept data and information the employee is actively transferring.
Additionally, the hacker has the opportunity to access other data on the network. The hacker downloads malware to your employee’s computer, which then accesses the information on your company’s network. Providing password protection for individual files and databases can mitigate this unwanted access threat.
Employees keeping sensitive data on personal devices and cloud services
Employees may download work files to their personal devices to allow them to perform work remotely from the office. This may be necessary if they have a need to complete work outside the office, but do not have a portable company computer to take out of the office. This situation can expose the company to data or information theft if the level of security protection on the employee’s personal device is not adequate to prevent intrusion from outside sources.
Also, when the employee backs up their personal data to the cloud, company information is exposed to a storage site that is not monitored by the company. The employee can use a secure portal for access to company files. This is one way to reduce risk of exposing data while the employee works away from the office. This allows the employee to work on company material outside the office, without downloading the file to their personal devices.
Lost devices with company info on hard drive or SSD
InfoWorld published an article on laptop theft based on a study conducted by The Ponemon Institute. The study suggests the rate of laptop theft is one in ten laptops within a 3 year lifespan. Password protecting files and databases on the laptop reduces the risk of a thief gaining access to information on the computer’s HDD and/or SSD. The study found the cost of data theft to be much higher than the cost of the laptop and installed software. In some cases, the stolen data provided information on the company’s customers, which exposes the company to lawsuits from its clients.
Employees using unsecured IoT devices in the workplace
Use of IoT devices is growing at a rapid pace. An article published by Workplaceanswers states: According to research conducted by Hewlett Packard Enterprise (HPE), 60 percent of the tested IoT devices raised “security concerns” with their interfaces, including poor session management and weak default credentials. And 80 percent of devices either required no password or permitted passwords of insufficient complexity, such as “1234.”
One example of IoT devices that present potential security risks arises with the use of wireless mice and wireless keyboards. An attack known as MouseJack allows hackers to inject keystrokes from up to 100m away. An attack known as KeySniffer lets hackers record keystrokes. This combination can allow an attacker to take control of a computer and gain access to company data archives.
Bring Your Own Device (BYOD) is allowed in some companies. This poses significant cybersecurity risk. We recommend that your company enforce appropriate cybersecurity policy for personal devices used in the workplace. Bear in mind that it is possible for data theft to occur with BYOD devices when used outside the workplace as well. This may require installation of security features on the personal device, in addition to security systems used with the company’s computing network.
Installation and use of unauthorized applications
Beware of any applications used at the workplace that have not been approved by company IT management. Apps can present security threats whether installed on company owned devices or on personal devices. Applications can house malicious software, in addition to their advertised functions. For example, some applications include features that allow interception of data sent through wireless routers.
Methods for Reducing Employee Induced Cyber Security Threats
Implementing proper procedures, policy, security software, and employee training will help the company effectively manage cybersecurity risk. A quality IT MSP can help you consider a customized solution that will protect your sensitive information, while limiting impact to business workflow efficiency. The list below identifies some key methods of providing cybersecurity.
- PCI Data Security Standard – A wide range of cyber security concerns are addressed in this helpful standard. The standard provides guidance for Best Practices in Organizational Security Awareness, Security Awareness Training Content, and a Security Awareness Program Checklist.
- NIST – The National Institute of Standards and Technology is managed by the U.S. Department of Commerce. The NIST mission is ‘To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.’ Topics addressed on the NIST website include Cybersecurity and Information Technology. Support for these topics addresses current issues, for example, a library on Role Based Access Control that describes the philosophy, operating guidelines, etc.
- Strong PW Policy – Perhaps the last line of defense for data protection, after intrusion has occurred, is to maintain a strong password control policy. With this in place, stolen data is much more difficult to extract.
- Role Based Access Control (RBAC) – As mentioned in the NIST bullet point, NIST maintains a library on RBAC. This methodology provides a means of limiting access to data based on the function an individual performs. Thus, an intruder who enters the system through an individual’s access point will have only that individual’s limited access to data.
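To make the RBAC bullet concrete, here is an added example in Python (not code from the blog or from NIST) of the core idea: roles map to permissions, users hold roles, and every data access passes through one authorisation function that denies by default. The roles, data categories and user names are constructed for illustration. The audit log it keeps shows the defender's side: an account that starts asking for resources outside its role produces a run of DENY events worth alerting on.

```python
"""Minimal role-based access control (RBAC) check with an audit trail.
Constructed example: role names, resources and users are illustrative."""
from dataclasses import dataclass, field

# Constructed role -> permission table. A permission is (action, resource).
# Anything not listed here is denied: there is no "allow" fallback.
ROLE_PERMISSIONS = {
    "sales":   {("read", "customer_list"), ("write", "customer_list")},
    "finance": {("read", "invoices"), ("write", "invoices"),
                ("read", "customer_list")},
    "hr":      {("read", "employee_records"), ("write", "employee_records")},
    "auditor": {("read", "invoices"), ("read", "customer_list"),
                ("read", "employee_records")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def permissions_for(user):
    """Union of the permissions of every role the user holds.
    Unknown roles contribute nothing, so a typo in a role name
    fails closed rather than open."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, action, resource):
    """Pure authorisation decision: True only if some role grants it."""
    return (action, resource) in permissions_for(user)


def access(user, action, resource, audit_log):
    """Single choke point for data access. Records every decision so that
    a compromised account probing outside its role leaves a visible trail."""
    allowed = is_allowed(user, action, resource)
    decision = "ALLOW" if allowed else "DENY"
    audit_log.append(f"{decision} user={user.name} action={action} resource={resource}")
    return allowed


def reachable_resources(user):
    """Everything an intruder could read or write after taking over this
    account: the blast radius of that one access point."""
    return sorted({res for _, res in permissions_for(user)})


def denied_events(audit_log):
    """Filter the audit trail down to refusals, the events worth reviewing."""
    return [line for line in audit_log if line.startswith("DENY")]


if __name__ == "__main__":
    alice = User("alice", {"sales"})
    log = []
    # Normal sales work is allowed.
    access(alice, "read", "customer_list", log)
    # An intruder using alice's credentials tries HR and finance data.
    access(alice, "read", "employee_records", log)
    access(alice, "write", "invoices", log)
    print("alice can reach:", reachable_resources(alice))
    print("\n".join(denied_events(log)))
```

The key design choice is that `access` is the only path to data and it fails closed: a user with no roles, or with a misspelled role, reaches nothing. Reviewing `denied_events` per account is a cheap detection signal that complements the prevention the bullet describes.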
Cybersecurity Incident Response Plan
In the event of a significant security breach, following a pre-planned course of action can significantly reduce damage caused by the security breach. A cybersecurity incident response plan should address the following:
- Having a Pre-Defined Incident Response Team
- Creating a Response Plan Specific to The Company
- Testing the Plan and Creating Lessons Learned Log from Incidents that Occur
A qualified IT MSP can help your company establish a quality Cybersecurity Incident Response Plan.
- Cybersecurity Awareness Training – To maintain effective employee cybersecurity performance, employees must be properly trained. There is a significant amount of information to learn in order for an employee to maintain compliance with the company cybersecurity policy. If the employee has a good understanding of the what/how/why of the cybersecurity measures in place, they will be in a much better position to make the right move when they encounter a potential cybersecurity situation not defined in the policy.
- Cybersecurity Risk Assessment – Generally, some assumptions are made during the definition and design of a cybersecurity protection plan. However, due to the complex nature of cybersecurity systems, it is a good idea to drill deep into the plan to ensure compatibility and effectiveness, before commissioning and installing the system. Conducting a Cybersecurity Risk Assessment provides key insights into your company’s cybersecurity vulnerabilities. This activity also can be used to test the suitability of a specific cybersecurity plan.