Many organizations fail to secure one of their biggest defences: their employees. According to a cyber risk report by insurance company Chubb, only 31% of companies provide annual cybersecurity training. This means nearly 70% of companies fail to update employees on the latest cyber threats, leaving their first line of defence vulnerable.
Source: nCipher
Employees play a major role in your organization’s overall security. They hold the keys to your organization and have the power to let in bad actors. A single click on the wrong link or falling for a BEC scam can lead to significant financial loss. It’s important to work with your employees to raise security and avoid insider threats. Here are 5 ways employees can put your security at risk.
Employees as Your Weakest Cybersecurity Link
1. Lack of security awareness: Some employees may not intend to expose a company to cyber threats but may do so through a lack of knowledge of common cyber threats or through human error. Hackers can easily exploit uninformed employees by crafting very convincing, legitimate-looking phishing emails. Phishing is a common cyber attack employees encounter, and 83% of global organizations experienced phishing attacks in 2018 according to a phishing report by Proofpoint. Employees can inadvertently fall victim to phishing attacks by clicking on malicious links or accidentally sending confidential or financial information to hackers.
The fix: Build good user security habits by engaging employees with cyber awareness training. It’s important to continuously refresh employees’ cyber knowledge so that they remain alert and retain the information.
2. Bad password habits: Employees often reuse passwords across multiple sites or use simple, easy-to-guess passwords. While most do this to save time and avoid forgetting passwords, it puts credentials at risk. If a hacker buys stolen credentials off the dark web, they can use brute-force attacks to try to gain access to the person’s other accounts.
The fix: Require all passwords to contain alphanumeric characters to ensure that weak, common passwords are not used. To help combat the issue of forgetting passwords, consider tweaking your password for each website so that every password is slightly different. For example, your Twitter password may be Popc0rntwt but your Facebook password may be Popc0rnfcbk. Since the base password stays the same, it might help users remember their passwords better.
3. Using insecure networks: Remote employees or those on the go may be tempted to use public WiFi to work or access important documents. While public WiFi is convenient, it is usually not secure or encrypted, meaning there is a chance that bad actors can intercept or steal data. Even networks in shared office spaces can be vulnerable. Just recently, shared workspace provider WeWork came under fire for having insecure WiFi that left several companies’ devices, client databases and financial records visible on the building’s network.
The fix: Employees on the go should use either a VPN or their cellular data when working with or accessing corporate materials and information.
4. Browsing unsafe websites: Whether by accident or on purpose, employees sometimes access unsafe websites while at work or while connected to the corporate network. Many unsafe websites have malicious links embedded in ads or hidden within the page, meaning malware can be installed with just one click.
The fix: Installing endpoint security on corporate devices provides advanced protection against the latest cyber threats. Blocking malicious websites at the corporate network level also ensures that no one on that network can reach them.
5. Using unauthorized devices/apps: Shadow IT is a growing threat for organizations as more employees connect to corporate networks with their own IoT devices. Most unauthorized devices or apps lack the security controls and standards that are present in those managed by an organization. This means that employees could be using vulnerable or outdated technology that exposes the organization to attacks.
The fix: Monitor the corporate network to learn what devices are actually connecting to it. SIEM log data can also help track traffic patterns over time to identify shadow IT.
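As an added illustration of the monitoring described above (example code written for this page, not from the original article or any vendor), the script below reads DHCP lease lines of the kind a SIEM would collect, compares each device’s MAC address against a managed-device inventory, and reports the unmanaged devices together with how often and on how many days they appeared. The log lines, the inventory, the dnsmasq-style `DHCPACK` format and the MAC addresses are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in a dnsmasq-style DHCP lease format (not real logs).
SAMPLE_DHCP_LOG = """\
2023-05-01T08:02:11 DHCPACK(eth0) 10.10.4.21 3c:22:fb:aa:01:02 laptop-jsmith
2023-05-01T08:05:43 DHCPACK(eth0) 10.10.4.22 00:1a:2b:3c:4d:5e printer-3f
2023-05-01T12:17:09 DHCPACK(eth0) 10.10.4.57 a4:77:33:10:ee:01 SmartTV-Lounge
2023-05-02T09:11:30 DHCPACK(eth0) 10.10.4.21 3c:22:fb:aa:01:02 laptop-jsmith
2023-05-02T09:40:02 DHCPACK(eth0) 10.10.4.57 a4:77:33:10:ee:01 SmartTV-Lounge
2023-05-02T18:55:44 DHCPACK(eth0) 10.10.4.88 d8:0f:99:12:34:56 android-9f2c
2023-05-03T07:58:19 DHCPACK(eth0) 10.10.4.57 a4:77:33:10:ee:01 SmartTV-Lounge
"""

# Hypothetical managed-device inventory: MAC address -> owner/description.
APPROVED_DEVICES = {
    "3c:22:fb:aa:01:02": "J. Smith (corporate laptop)",
    "00:1a:2b:3c:4d:5e": "Facilities (3F printer)",
}

# One lease acknowledgement per line: timestamp, interface, IP, MAC, hostname.
LEASE_RE = re.compile(
    r"^(?P<ts>\S+)\s+DHCPACK\(\S+\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<host>\S+)$",
    re.IGNORECASE,
)


def parse_leases(log_text):
    """Yield (timestamp, ip, mac, hostname) for each well-formed lease line."""
    for line in log_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        yield (datetime.fromisoformat(m["ts"]), m["ip"], m["mac"].lower(), m["host"])


def find_unmanaged_devices(log_text, inventory):
    """Return {mac: summary} for every device whose MAC is not in the inventory.

    The summary records hostname, first/last sighting, number of leases, the
    distinct days the device was present and the IPs it was given.
    """
    findings = {}
    for ts, ip, mac, host in parse_leases(log_text):
        if mac in inventory:
            continue  # managed device, nothing to report
        entry = findings.setdefault(mac, {
            "hostname": host, "first_seen": ts, "last_seen": ts,
            "lease_count": 0, "days_seen": set(), "ips": set(),
        })
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["lease_count"] += 1
        entry["days_seen"].add(ts.date())
        entry["ips"].add(ip)
    return findings


def persistent_unmanaged(findings, min_days=2):
    """MACs seen on at least min_days distinct days: recurring shadow IT rather
    than a one-off visitor device."""
    return sorted(mac for mac, e in findings.items() if len(e["days_seen"]) >= min_days)


if __name__ == "__main__":
    found = find_unmanaged_devices(SAMPLE_DHCP_LOG, APPROVED_DEVICES)
    for mac, e in found.items():
        print(f"{mac} {e['hostname']:<16} leases={e['lease_count']} "
              f"days={len(e['days_seen'])} first={e['first_seen']:%Y-%m-%d} "
              f"last={e['last_seen']:%Y-%m-%d}")
    print("recurring unmanaged devices:", persistent_unmanaged(found))
```

Separating the one-day sighting from the device that returns every day is the useful part: a visitor’s phone that joined once is noise, while a smart TV that has been on the corporate segment for three days running is exactly the unmanaged technology the section warns about and should be moved to a guest network or brought under management.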