The biggest threat to any business’ technology infrastructure is its employees. I don’t mean to say that you should worry about your employees being bad people. The threat is usually innocent in nature, though disgruntled employees are a big concern too.
The problem is your employees' lack of education surrounding IT security, and complacency with your procedures and policies.
Let’s be honest. How many people still store their passwords on a sticky note near their computer?
I am amazed at just how easy it is to walk into a medical office and plug a USB drive into a receptionist's desktop, or just how many times I see an unlocked computer with charts and medical information of other patients. This is complacency, and it's easy for employees to get to this place in a comfortable environment.
Here are some of the ways your business data and IT infrastructure might be at risk due to employees.
1. Casual Browsing/Downloading – It's not really a secret that a lot of what should be productive time at work is spent browsing the web. Facebook, Twitter, personal email, online shopping and so many other things to do on the web create distractions for employees during core working hours.
While we could go on about the distractions during work hours, that's not really the purpose of this blog post. Browsing Facebook, Twitter and other social sites comes with some degree of risk. Some links on these social platforms are not what they claim to be. Clicking a link could result in the browser being hijacked or software being installed on a company laptop that is connected to the company network.
Even worse is personal email. A personal email account has a higher degree of risk because the owner of the account is not likely to be diligent regarding the security of their account or the lists they join. The same dangers that are possible on social media are more likely to occur from a personal email account.
Personal email can also be used to send PII (Personally Identifiable Information), PHI (Protected Health Information), or proprietary company information out of the business.
Ways to Mitigate: Many corporations opt for content blocking based on categories. For example, you can block social media websites, webmail applications or any other site or application type that should not be accessed while at work. Some companies also opt to block uploads and downloads to prevent the transmission of PII or PHI outside of approved channels.
If the device in question is provided by the employer, blocking the ability to install applications is also a great way to protect company data.
2. Social Engineering/Phishing – The art of social engineering is really very interesting. People hacking has been around for thousands of years. Chances are you have been socially engineered at some point in your lifetime; it's really not hard.
This is a real-world example of how I social engineered enough information to reset someone's account and gain access to their login. By the way, this person works in IT. The names have been changed to protect the innocent.
This happened over a 3-day period in the form of a casual conversation:
Day 1: Hey John. We were talking earlier and were wondering what your favorite vacation place is.
Day 2: John, did you have any pets as a kid? What was its name?
Day 3: My first car was a piece of junk. It was a Chevy Cavalier. What was your first car John?
I now had enough information to reset his password and did so. This exercise was done to prove that it could be done and with ease. The target was selected because he was known to be very social.
Have you seen those Facebook posts that ask you to answer twenty-something personal questions? There's a reason I never partake in these posts. This is a form of social engineering, and so many people answer them.
You have probably used some form of social engineering in your personal life. Just think about it for a few minutes.
Phishing is most commonly associated with emails carrying fake links, but phishing can occur in multiple ways. The most common method is an email sent to a user that says something to the tune of "Your PayPal account has been compromised. Click here to log in and reset your password."
Ways to Mitigate: Education is the best way to keep these things from happening. Teach your employees what to watch out for, and keep teaching them.
Test them. Hiring a company (like Nwaj Tech) to perform a penetration test that includes employees is a great way to learn what areas need attention. And it’s a lesson they won’t soon forget.
3. Password Practices – There is so much being said about password policies. Some believe regularly changing passwords is a best practice while others believe this does nothing to mitigate the risk. Some believe that long, complex password requirements are best while others believe this will just mean frequent password resets.
Storing your password on a sticky note near your device defeats the purpose of having a password. You may as well leave the computer unlocked.
Shoulder surfing, keyloggers, and social engineering (see above) are all ways of compromising passwords. Shared passwords are another problem and should never happen.
Ways to Mitigate: There is the obvious, of course: never share your password, and never store your password on a sticky note near your computer.
Here's a fact! The longer the password, the harder it is to brute force. Requiring a few extra characters adds substantial time and effort to brute forcing a password. Require longer, complex passwords. Use special characters and numbers in your passwords.
I use a password manager and complex passwords of at least 10 characters.
I also use MFA wherever possible. I would strongly encourage using MFA as this will eliminate many of the password related risks.
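To put numbers on the "longer is harder" claim above, here is an added example (not code from the original post) that tabulates the keyspace and worst-case exhaustive search time for several password lengths and character sets. The guess rate is an assumed, illustrative figure for an offline attack against a stolen hash, not a measured one.

```powershell
# Added example: keyspace and worst-case brute-force time by length and charset.
# The guess rate below is an assumption for illustration only.

function Get-BruteForceEstimate {
    param(
        [Parameter(Mandatory)][int]$Length,
        [Parameter(Mandatory)][int]$CharsetSize,
        [double]$GuessesPerSecond = 1e10   # assumed offline cracking rate
    )
    # Keyspace = CharsetSize^Length; BigInteger avoids overflow for long passwords
    $keyspace = [System.Numerics.BigInteger]::Pow($CharsetSize, $Length)
    $seconds  = [double]$keyspace / $GuessesPerSecond
    [pscustomobject]@{
        Length      = $Length
        CharsetSize = $CharsetSize
        Keyspace    = $keyspace
        Days        = [math]::Round($seconds / 86400, 2)
        Years       = [math]::Round($seconds / 31557600, 2)
    }
}

# Charset sizes: lowercase only (26), mixed case + digits (62),
# mixed case + digits + printable symbols (95)
$estimates = foreach ($len in 8, 10, 12, 14) {
    foreach ($set in 26, 62, 95) {
        Get-BruteForceEstimate -Length $len -CharsetSize $set
    }
}
$estimates | Format-Table -AutoSize
```

At the assumed rate, moving from 8 to 10 characters drawn from the 95-character set takes the exhaustive search from days to roughly two centuries. These are worst-case figures for pure guessing; a password reused from a breach list or given up to a phishing page falls in seconds regardless of length, which is why MFA matters alongside length.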
4. Poor Email Policies – Email is one of the easiest ways into a corporate environment. Phishing (as discussed above) is an easy way to trick someone into exposing their account credentials. Your employees can also send sensitive data through email to their personal email or someone else. People are very lax when it comes to email because of its familiarity. Familiarity builds complacency.
Ways to Mitigate: Setting an email policy and reviewing it with your employees should be a part of your operating procedure.
Blocking external email wherever possible should be a part of your plan. Any employee who does not need to send or receive email externally should not have access. This will reduce the chances of being compromised.
Beyond that, education is a critical component of email security. Educate your employees on what to look out for and to report anything that looks suspicious. Reporting it will help in alerting the rest of your employees.
5. Device Policies – Whether you hand out devices or have a BYOD environment you still need to set policies. Here’s a common scenario:
An employee traveling with their work laptop connects to the public hotspot in a local coffee shop. When they connect to the hotspot, Windows asks whether this is a work/home network or a public network. Without thinking, they select work.
This now puts the documents on their laptop, and potentially access to your internal network, at risk.
With a simple, freely available app on my Android phone I can scan (and have scanned) a free wifi hotspot for devices that can be compromised. I have gained access to email, social media, and documents over free wifi hotspots. I have done this in restaurants, coffee shops, hospitals, and hotels. I have even seen doctors' laptops on the free wifi at hospitals.
Don’t worry, I did not do anything bad with this access.
Ways to Mitigate: Education (sensing a theme here?). Require VPN access to be able to get to anything critical or sensitive.
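One technical control for the coffee-shop scenario above: rather than relying on the employee to answer the Windows prompt correctly, IT can force every non-domain connection into the Public profile and make sure that profile's firewall blocks unsolicited inbound traffic. This is an added example, not the post's own script; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the NetConnection and NetSecurity cmdlets exist.

```powershell
# Added example: demote Private (work/home) network profiles to Public and
# confirm the Public firewall profile is on. Run elevated.

function Set-UntrustedNetworksPublic {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Domain-authenticated profiles are set by Windows and left alone;
    # anything the user marked Private gets pushed back to Public.
    $private = Get-NetConnectionProfile | Where-Object {
        $_.NetworkCategory -eq 'Private'
    }
    foreach ($p in $private) {
        if ($PSCmdlet.ShouldProcess($p.Name, 'Set NetworkCategory to Public')) {
            Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex `
                                     -NetworkCategory Public
        }
    }

    # The Public profile must be enabled and default to blocking inbound,
    # otherwise the demotion buys nothing on a hostile hotspot.
    Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block

    # Return the resulting state so it can be logged or reported
    Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
}

Set-UntrustedNetworksPublic
```

For a fleet, the same outcome is better enforced centrally through Group Policy (Network List Manager Policies, setting unidentified and all networks to Public) so users cannot override it; the script is useful for spot-checking a single laptop.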
6. Unauthorized Software & Updates – I have logged on to servers and corporate devices to discover freeware (or worse, pirated) software on them. I have also dealt with computers that became unusable after a Windows update, an update that should have been tested first.
Freeware can wreak havoc on a device, especially when the installation is not completed by someone in IT. Freeware typically comes bundled with other software that may not be desirable on your network, including adware or spyware.
Pirated software is illegal and can cost your business a tremendous amount of money if you are caught. Pirated software usually means the code has been altered to do something else on the computer it is installed on. Often the computer is used as a bot in a future DDoS attack, but it can also include backdoors, spyware or some other code designed to steal your data and sensitive information.
Ways to Mitigate: This one is a little more straightforward. Require administrative credentials when installing software. Use a software repository rather than allowing software to be freely downloaded from the internet. The software repository should only be updated by experienced admins.
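To find what has already slipped past the repository, the following added example (not from the original post) lists installed programs whose names do not match an approved-software allowlist, reading the same Uninstall registry keys that Programs and Features uses. The allowlist is a constructed placeholder; replace its patterns with the contents of your own repository.

```powershell
# Added example: report installed software that is not on the approved list.
# $ApprovedSoftware is a constructed placeholder; wildcards are allowed.

$ApprovedSoftware = @(
    'Microsoft Office*',
    'Google Chrome',
    '7-Zip*'
)

function Get-UnapprovedSoftware {
    param([string[]]$Allowlist = $ApprovedSoftware)

    # 64-bit and 32-bit (WOW6432Node) per-machine installs, plus per-user
    # installs for the current user, where bundled freeware often lands.
    $hives = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Where-Object {
            $name = $_.DisplayName
            # Keep the entry only if it matches none of the allowlist patterns
            -not ($Allowlist | Where-Object { $name -like $_ })
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName
}

Get-UnapprovedSoftware | Format-Table -AutoSize
```

Entries with a blank Publisher or a recent InstallDate are the usual first place to look; anything on the list that IT did not put there is a candidate for removal and a sign the install restriction is not being enforced.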
As you can see there are a lot of concerns as it relates to your employees. I didn’t include disgruntled employees (that should be a no-brainer and should be addressed by HR ASAP).
One of the most important components of risk mitigation is education. If you don’t already have a process for educating your employees on potential compromises and vulnerabilities then create one immediately. The education needs to be continual. It also needs to be updated as needed to address new and emerging threats.