As the number of devices connected to enterprise networks proliferates, and the sophistication of hackers and malwares grows, cybersecurity is only becoming a bigger concern for organisations worldwide – and this goes double for Australian organisations. According to a survey by PwC, the frequency of cybersecurity incidents in Australia almost tripled that of the rest of the world from 2014 to 2015. And more than six million people were victims of cybercrime in 2017– constituting more than one in three (36 per cent) of the adult online population, and a 13 percent increase from 2016, according to the 2017 Norton cybersecurity Insights Report.
However, the biggest cybersecurity risk your organisation faces is not from malicious outside forces – it’s from your very own employees. In 2014, IBM reported that “over 95% of all [security] incidents investigated recognise ‘human error’ as a contributing factor”. In some cases, simple human error can have devastating effects, as shown by the recent breach of Equifax, which exposed the sensitive personal information of nearly 146 million Americans. According to former CEO Richard F. Smith, the breach was caused by a single employee who had failed to implement software fixes for a system vulnerability.
Of course, many employees are simply unaware of the ways in which they expose their workplaces to potential breaches, which is why education is key.
Here are just some of the ways in which employees can inadvertently expose your organisation to cybersecurity threats, and how you can mitigate those risks.
Risk: Employees using insecure bring-your-own-device (BYOD) devices when working in public spaces
More workplaces are opting for BYOD policy, as it reduces overhead costs, gives employees more flexibility and improves productivity. But more devices means more endpoints that are potentially vulnerable to breaches, particularly if employees aren’t diligent about security measures.
BYOD devices are particularly vulnerable when employees are out and about. Most people wouldn’t think twice about sending off a quick email while they’re sitting in a café or at the airport, or leaving their device unattended for a minute or two at a hotel, or even letting their teenage son use their laptop or smartphone for an hour, all of which can expose the device to being infiltrated by malicious users.
- Develop stringent and enforceable BYOD policies that dictate what security measures BYOD devices are required to have, as well as behaviours employees are required to follow. This might include things like:
- Ensuring devices are set to lock automatically when not in use
- Limiting connectivity to the network
- Ensuring antivirus and anti-malware software is up-to-date and running
- Enforcing software updates and patches
- Practising physical security measures off-site or in open plan areas
- Implement mobile device management (MDM) software, which can configure devices to use a PIN number to lock the device; locate, lock and wipe lost devices; and keep personal and corporate data separate in the event the device does have to be wiped.
Risk: Employees using public wifis to access corporate information
Employees might think it’s perfectly fine to use a free public wifi to send an email or download an attachment. Public wifis, however, can make devices highly vulnerable as they are usually unencrypted, and therefore allow malicious users to intercept any data that is transferred over the link. Hackers can even go so far as to create hotspots with legitimate-sounding names (“Starbucks Free Wifi”, for example) with their devices, so that when people unwittingly connect to their hotspot, they can then spy on their activity.
- Educate employees about the risks of using free public wifi.
- Ask that employees always use a VPN when doing anything work-related on public wifi.
- If employees don’t have a VPN, ensure they only access secure websites (make sure links start with “https” rather than “http”, and look for lock icon next to links), or that they access the internet via their phone network instead.
Risk: Employees ‘stashing’ sensitive data on their own devices and cloud services
Workplaces are evolving to become more flexible, but legacy systems, which are usually designed to keep content within an organisation, are sometimes unable to keep up. As a result, employees have to find other, less secure, ways to access the information they need while they’re at home or travelling, and this can include stashing information on personal hard drives, USBs or personal cloud services, which can be unsecured and vulnerable to being intercepted or lost.
- Teach employees how to encrypt hard drives and USBs before they put any work-related information on them.
- Store information in a central location, and provide users with a user-friendly mechanism for secure remote access (such as a mobile app that requires a login and uses an encrypted connection to communicate with corporate servers).
Risk: Employees falling prey to social engineering
Social engineering, or the act of psychologically manipulating someone into performing an action or divulging confidential information, is growing both in frequency and sophistication, with one of the most common social engineering techniques, phishing, becoming particularly prevalent. According to a 2017 study by Keeper Security and the Ponemon Institute, 79% of SMBs who said they had experienced a ransomware attack reported that the ransomware entered their system through a phishing or social engineering attack.
Attackers are starting to opt for smaller, more targeted campaigns to infiltrate networks, using information about employees, gleaned from research into social media and other activities, to make emails even more convincing.
- Educate employees about how to recognise suspicious emails.
- Educate employees about social media use, and how information they post on social media can make them and their workplace vulnerable. In short, employees shouldn’t be posting anything they wouldn’t want displayed on a public banner.
- Test employees’ ability to recognise suspicious emails, by using software like Phishme, which sends out fake phishing emails to employees on a regular basis, allowing you to target those employees that might be particularly susceptible.
Risk: Employees installing unsecured IoT devices in the workplace
According to the Keeper Security and the Ponemon Institute study, 56% of IT professionals said they believed that IoT and mobile devices were the most vulnerable endpoint in their organisation’s network. This is mainly because unsecured IoT devices can make networks vulnerable to distributed denial of service (DDOS) attacks, whereby IoT devices are infected with malware that makes them bombard web servers with junk traffic, causing them to crash.
Employees, however, may be unaware of these risks; in fact, they may not even know their IoT device is even connected to the internet. Even wireless mice and keyboards are susceptible to being hacked.
- Educate employees about the risk of IoT devices.
- Ensure IoT devices are covered in BYOD policies.
- Disconnect any IoT devices that don’t necessarily need to be connected to the internet.
- Change the default passwords of IoT devices, and ensure firmware is up to date.
- Monitor networks carefully, looking for unusual traffic spikes that can’t be explained.
- Implement a strong firewall and upstream filtering to help identify good and bad traffic.
General cybersecurity best practices
All of these risks can also be mitigated by implementing these general cybersecurity best practices:
- Have a strong and enforceable password policy: According to the Verizon Data Breach Investigations Report for 2016, 63% of small business hackers take advantage of weak passwords, so having a password policy, and ensuring it is enforced, is essential. Your policy may include ensuring passwords have at least 8 characters with upper and lower-case letters, numbers, and special characters; and have different passwords for different accounts. A password management application can help ensure employees comply.
- Employ role-based access control: Employee access should be restricted to the systems required to their jobs. For example, there’s no reason someone in Sales should be able to access HR documents, nor should someone in HR be able to access Sales data. Restricting access in this way significantly reduces an organisation’s vulnerability in the event that an employee’s credentials are stolen, and also helps to prevent malicious activity conducted by employees themselves.
- Have a comprehensive cybersecurity incident response plan: In the event of a data breach, organisations need to be able to act fast. Having a detailed response plan helps to mitigate any further damage.
- Perform regular backups: Employees should also be educated about the importance of regular backups, so that data can easily be restored if need be.
The reality is that no organisation, no matter how small or big, is safe from cybersecurity threats. With stringent policies, regular training and good use of technology to help with compliance, organisations can help to keep their data safe from malicious attacks.
Want to know more about how devices are putting your organisation at risk? Check out our free ebook Cautionary Tales: cybersecurity and the Internet of Things to find out what the most common sources of cyber attacks are, and learn more about how to prepare your organisation for such attacks. Download it now.