Why employees are your number one risk

In more than 15 years of responding to security incidents both large and small, the actions of a user have contributed to the overwhelming majority of incidents I have been involved with.

As we know, human error is one of the most common reasons for compromises, and their actions can circumvent most every security control you have invested in. With data compromises being arguably a business’ biggest threat, security awareness training is critical to prevent your users from being your number one risk.

We’ve watched big name companies pay millions of dollars in settlements after security breaches and lose customer confidence. The most notable of these hacks from a credit card perspective being Target in 2013 and Home Depot in 2014.

When retail giants are hacked, we’re suddenly all aware that it could happen to us, too. If hackers can take down businesses of that size, what can’t they do? We fret for a while, and, soon, we’ve all but forgotten. That’s when we let vulnerabilities slip through the cracks.

Unfortunately, hackers are waiting for that exact moment. They know that as soon as we let our guards down, they can send a phishing email, find a vulnerability, or use a brute force or spraying attack on our passwords.

List of Quick Defenses

In the interest of keeping your company safe from opportunistic and targeted attacks, we’ve compiled a list of quick defenses.

1. Enable two-factor authentication.

Added layers of security are always a plus. Two-factor authentication consists of two different forms of identification. A factor can be:

  • Something you know (a password, PIN code, or security question)
  • Something you have (a phone, key fob, or card)
  • Something you are (a biometric factor such as a fingerprint or voice recognition)

This second level of authentication strengthens any login and gives you more peace of mind.

2. Use a VPN.

A VPN (virtual private network) is a great way to avoid possible attacks while using public WI-FI. The network acts as a middleman, securing your data and changing your IP address. You’ll browse on public WI-FI without fear of hackers using the opportunity to steal your information.

VPNs are ideal for employees who work remotely or who travel for work frequently. There are both free and paid versions of VPNs available. Take the time to research the networks that fit best for your company’s needs.

3. Install security updates.

Without fail, security update windows pop up right in the middle of that important project you’re working on. The remind-me-later button is nearly a reflex, making sure it doesn’t slow you down. After all, you will remember to update when you’re done. Won’t you?

We’re all human. Unfortunately, that means we’re all forgetful. When the pop-up comes back, we’ll be right in the middle of something important again, and the cycle continues.

Your computer’s security, and ultimately your company’s security, depends on simple vulnerabilities being fixed. A hacker could take the most insignificant vulnerability and turn it into a serious security incident.

Take a moment to save your work and install the updates.

4. Use strong, varied passwords.

This is perhaps the simplest of the five tips. A strong password helps to protect you from a hacker guessing your credentials. We tend to use passwords that contain words easily found in a dictionary or maybe our pet’s name. It’s understandable because we like to choose something we know we’ll remember.

As easy as it makes it for us to remember, this method makes it even easier for a hacker to guess your password and access your personal and work information. Even worse, if they guess that password, and you’re using the same one for multiple accounts, they now have easy access to a multitude of information.

5. Train your employees.

The question is not, “Will your employees get your company hacked?” but rather “When will your employees get your company hacked?” While employee actions can circumvent almost every security control you have invested in, security awareness training is critical to prevent your employees from being your number one risk. Users are often the last line in your cyber-defense efforts, and there is no patch for people wanting to be helpful or wanting to do the right thing.

In this podcast, I explain why ongoing employee security training is crucial to ensuring employees know how to spot a hacking attempt, ultimately protecting your organization from a potential cyber-attack.

Listen to my Podcast Now

Key takeaways:

  • Reasons why employees often do not realize how important they are to the process
  • How not enabling multi-factor authentication on remote access to email allows hackers to easily access employee email accounts
  • Why 91% of cyberattacks begin with a spear-phishing email
  • The importance of having strong passwords for employees
  • Why backing up data is a must for protecting against cyber-attacks

Subscribe to the Cybersecurity Sense Podcast on iTunes.

HITECH Answers Article—“How Will Your Employees Get You Hacked?”

The HITECH Answers article covers some very good points of conversation to help support (or gain support) for your user awareness training initiatives.

  • Being lazy—Employees often feel that it’s not their job to worry about security, or that IT will protect them. Unfortunately, they often do not realize how important they are to the process. Many organizations often lack adequate IT security resources, especially equipped to handle more sophisticated attacks from nation states. Employees need to know they are the target for cyber-criminals to enable their ability to obtain sensitive information. Therefore, it is their responsibility to help the organization identify and thwart these attacks.
  • Unprotected email—Email hacking continues to be one of the most popular cybercrimes, with millions and possibly billions of stolen emails, and subsequent emails credentials, for sale on the dark web. Recent attacks, such as the DNC, quickly come to mind. Employees often do not have multi-factor authentication enabled on their remote access to email, allowing hackers easy access to those email accounts if they have the stolen credentials. This is one of the most prominent attacks we are currently seeing in our incident response practice. Once a hacker is in that email account, they have free range to access any data that may be stored in the account, such a personally identifiable information (PII), credit card data, and additional log-in credentials, as well as the ability to send “trusted” email from that account to others to continue the attack to other organizations. Multi-factor verification is possible in most popular email platforms. After multi-factor verification is enabled, a code will be texted to the employees’ phone, making it so that a cyber-criminal would have no way to access that email account. Outlook web access is a place I strongly compel you to consider implementing multi-factor.
  • Phishing emails—According to the cybersecurity company PhishMe (now Cofense), 91% of cyberattacks begin with a spear-phishing email. In these phishing emails, hackers design the email to look authenticated so the employee thinks it is coming from the real source it’s claiming to be, and sometimes, it is actually coming from a legitimate source. These phishing emails may appear to come from credible companies’ customer support departments, such as Microsoft or Google, or could even appear to come from their boss or colleague. In many cases, once an employee falls for a phishing scam, their computers/mobile devices become infected with malware, or they provide their company credentials to the attacker.
  • Lousy passwords—SplashData reported that the most common password in use today is 123456. Not only is this a very weak password to begin with, but people are often reusing their easy-to-crack password across multiple sites and accounts, as well as sharing them with co-workers. One part of most all our penetration tests is to use password spraying but gathering usernames and slowly trying common passwords for each, avoiding detection. Why do we do this? If often bears fruit.
  • No backup—There’s a good possibility that at least one employee in your company isn’t backing up the data he or she is supposed to be, which is a major problem. Most of this is due to local storage of important data on mobile devices. Not only is there a risk of files being lost due to technical issues, there is also danger in losing those files to a cyber-criminal. During a ransomware attack, a cyber-criminal locks the user out of their account and denies them access to their files unless a ransom is paid. Even after the ransom is paid, there is no guarantee that the files will be returned to the user, making backup files crucial.

Key Takeaways

  • Users are often the last line in your cyber-defense efforts.
  • There is no patch for people wanting to be helpful or wanting to do the right thing.
  • Simply stated, train them:
    • Pre-texting
    • Phishing
    • Training
    • Baiting
    • Tailgating

References:

Your preparation could be the difference between smooth sailing and a huge financial and reputation loss. You can employ any of these tactics quickly to strengthen your defenses. For a more in-depth resource on the topic, our free guide, Breach: A Guide to Network Security, Best Practices for Prevention, Detection, and Response, is available for download.

Content provided by LBMC Information Security professional, Bill Dean.

We can help keep your business safe from hackers. Contact LBMC Information Security today to learn more!