The biggest threat to any business’s technology infrastructure is its employees. I don’t mean that you should worry about your employees being bad people. The threat is usually innocent in nature, though disgruntled employees are a real concern too.
The problem is your employees’ lack of education about IT security, and complacency with your procedures and policies.
Let’s be honest: how many people still store their passwords on a sticky note next to their computer?
I am amazed at just how easy it is to walk into a medical office and plug a USB drive into a receptionist’s desktop, or just how many times I see an unlocked computer with charts and medical information of other patients. This is complacency, and it’s easy for employees to get to this place in a comfortable environment.
Here are some of the ways your business data and IT infrastructure might be at risk due to employees.
1. Casual Browsing/Downloading – It’s no secret that a lot of what should be productive time at work is spent browsing the web. Facebook, Twitter, personal email, online shopping and many other things on the web create distractions for employees during core working hours.
While we could go on about distractions during work hours, that’s not the purpose of this post. Browsing Facebook, Twitter and other social sites comes with some degree of risk. Some links on these platforms are not what they claim to be: clicking one can lead to the browser being hijacked or to software being installed on a company laptop that is connected to the company network.
Personal email is worse. A personal account carries a higher degree of risk because it sits outside the company’s mail filtering, and the owner is less likely to be diligent about the account’s security or the mailing lists they join. The same dangers that exist on social media are more likely to arrive through a personal email account.
Personal email can also be used to send PII (Personally Identifiable Information), PHI (Protected Health Information) or proprietary company information out of the organization.
Ways to Mitigate: Many companies opt for content blocking based on categories: for example, blocking social media websites, webmail applications or any other type of site or application that should not be accessed at work. Some companies also block uploads and downloads to prevent the transmission of PII or PHI outside of approved channels.
If the device is provided by the employer, blocking the ability to install applications is also a good way to protect company data.
2. Social Engineering/Phishing – The art of social engineering is fascinating. People hacking has been around for thousands of years. Chances are you have been socially engineered at some point in your life; it really isn’t hard.
This is a real-world example of how I social engineered enough information to reset someone’s account and gain access to their login. By the way, this person works in IT. The names have been changed to protect the innocent.
This happened over a three-day period in the form of casual conversation:
Day 1: Hey John. We were talking earlier and were wondering what your favorite vacation place is.
Day 2: John, did you have any pets as a kid? What was its name?
Day 3: My first car was a piece of junk. It was a Chevy Cavalier. What was your first car John?
I now had enough information to reset his password and did so. This exercise was done to prove that it could be done and with ease. The target was selected because he was known to be very social.
Have you seen those Facebook posts that ask you to answer twenty-something personal questions? There’s a reason I never take part in them. They are a form of social engineering, and so many people answer them.
You have probably used some form of social engineering in your personal life. Just think about it for a few minutes.
Phishing is most commonly associated with emails carrying fake links, but it can happen through other channels too, such as text messages and phone calls. The most common method is an email that says something along the lines of “Your PayPal account has been compromised. Click here to log in and reset your password.” The link leads to a look-alike login page that captures whatever credentials are typed into it.
Ways to Mitigate: Education is the best way to keep this from happening. Teach your employees what to watch out for, and keep teaching them.
Test them. Hiring a company (like Nwaj Tech) to perform a penetration test that includes employees is a great way to learn which areas need attention. And it’s a lesson they won’t soon forget.
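The fake-link trick described above can be checked for mechanically. The following is an added example, not code from the original post or from Nwaj Tech: it parses the links in an HTML message and flags any whose href does not go where the visible text claims, whose domain is a digit-for-letter look-alike of a trusted one, or which is plain http. The trusted-domain set, the homoglyph map, and the sample message are all constructed assumptions for the example.

```python
"""Added example (not from the original post): flag links in an HTML email
whose href does not go where the visible text claims, a common phishing
trick. The trusted-domain set, homoglyph map and sample message are
constructed assumptions for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this organization expects legitimate mail to link to.
TRUSTED_DOMAINS = {"paypal.com", "example.com"}

# Digits commonly swapped for letters in look-alike domains (paypa1.com).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# A hostname-looking token inside anchor text, e.g. "https://www.paypal.com/login".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: no multi-label public
    suffixes (co.uk) in the input; use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain):
    """Return the trusted domain this one imitates via digit/letter swaps, or None."""
    normalized = domain.translate(HOMOGLYPHS)
    if normalized in TRUSTED_DOMAINS and domain != normalized:
        return normalized
    return None


def suspicious_links(html):
    """Return [(href, text, [reasons])] for links that deserve a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        target = registrable_domain(parsed.hostname or "")
        reasons = []
        if target not in TRUSTED_DOMAINS:
            reasons.append(f"link goes to untrusted domain {target!r}")
        imitated = lookalike_of(target)
        if imitated:
            reasons.append(f"{target} looks like {imitated}")
        m = HOST_IN_TEXT.search(text)
        if m and registrable_domain(m.group(1)) != target:
            reasons.append(f"text shows {registrable_domain(m.group(1))} but href goes to {target}")
        if parsed.scheme == "http":
            reasons.append("plain http, credentials would travel unencrypted")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message modeled on the "your PayPal account has been
# compromised" lure described in the post.
SAMPLE_EMAIL = """
<p>Your PayPal account has been compromised.</p>
<p><a href="https://paypal.com.account-verify.example.net/login">https://www.paypal.com/login</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
<p><a href="http://paypa1.com/reset">Click here to reset your password</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "<-", repr(text))
        for reason in reasons:
            print("   ", reason)
```

The first and third links in the constructed message are flagged (wrong domain behind a PayPal-looking label, and a digit-for-letter look-alike over plain http); the genuine help-center link passes. A production filter would replace the two-label domain heuristic with a public-suffix list and feed the findings to the mail gateway rather than printing them.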
3. Password Practices – A lot is said about password policies. Some believe regularly changing them is a best practice, while others believe it does nothing to mitigate risk. Some believe long, complicated passwords are best, while others believe this just leads to frequent password resets. For what it’s worth, current NIST guidance (SP 800-63B) drops forced periodic rotation in favor of length, screening against lists of known-breached passwords, and changing a password only when there is evidence it has been compromised.
Storing your password on a sticky note near your device defeats the purpose of having a password. You may as well leave the computer unlocked.
Shoulder surfing, keyloggers and social engineering (see above) are all ways of compromising passwords. Shared passwords are another problem and should never happen: once a password is shared, you can no longer tell who did what with it.
Ways to Mitigate: Start with the obvious. Never share your password. Never store your password on a sticky note near your computer.
Here’s a fact: the longer the password, the harder it is to brute force. Every additional character multiplies the number of guesses an attacker has to make by the size of the character set, so requiring a few extra characters adds substantial time and effort to brute forcing a password. Require longer, complex passwords, and use special characters and numbers in them.
I use a password manager and complex passwords of at least 10 characters.
I also use MFA wherever possible. I would strongly encourage using MFA, as this will eliminate many of the password-related risks.
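To make the length argument concrete, here is an added example (my own, not code from the original post) that applies the policy described above, at least 10 characters, several character classes and nothing from a known-bad list, and puts numbers on how much brute-force work each extra character adds. The known-bad list and the guess rate are constructed assumptions; real cracking rates depend on the hash algorithm and the attacker’s hardware.

```python
"""Added example (not from the original post): a password-policy check that
follows the post's advice (at least 10 characters, mixed character classes,
never a well-known or shared password) and shows how much brute-force work
each extra character adds. The known-bad list and guess rate below are
constructed assumptions, not real data."""
import math
import string

MIN_LENGTH = 10              # the post's own minimum
MIN_CLASSES = 3              # out of lower, upper, digit, punctuation
# Constructed stand-in for a breached/common-password list (compared case-insensitively).
KNOWN_BAD = {p.lower() for p in {"password", "Password1", "Welcome123!", "Summer2019", "qwerty123"}}
# Assumed offline guessing rate against a fast unsalted hash; real numbers vary widely.
GUESSES_PER_SECOND = 1e10

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),   # 32 characters
}


def classes_used(pw):
    """Names of the character classes present in pw."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in pw)]


def charset_size(pw):
    """Size of the alphabet an attacker must search if they know only which classes appear."""
    return sum(len(CLASSES[name]) for name in classes_used(pw))


def brute_force_bits(pw):
    """log2 of the keyspace: length * log2(charset). This is the upper bound a
    randomly generated password reaches; human-chosen passwords are far weaker."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def seconds_to_exhaust(pw, rate=GUESSES_PER_SECOND):
    """Time to try every password of this length and charset at the assumed rate."""
    return 2 ** brute_force_bits(pw) / rate


def extra_work_factor(pw, extra_chars):
    """How many times more guesses adding extra_chars characters (same classes) costs."""
    return charset_size(pw) ** extra_chars


def check_password(pw):
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(pw)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if pw.lower() in KNOWN_BAD:
        problems.append("appears in the known-bad password list")
    return problems


if __name__ == "__main__":
    for pw in ["password", "Welcome123!", "Ab1!Ab1!", "Tw0-Cats-Chase!Birds"]:
        verdict = check_password(pw) or ["ok"]
        print(f"{pw!r:24} {brute_force_bits(pw):6.1f} bits  "
              f"{seconds_to_exhaust(pw) / 86400:14.1f} days  {', '.join(verdict)}")
    print("two more characters from a 94-symbol alphabet multiply the work by",
          extra_work_factor("Ab1!Ab1!", 2))
```

Going from 8 to 10 characters over the full 94-symbol printable set multiplies the search space by 94², about 8,800 times. Note that the known-bad check catches "Welcome123!" even though it satisfies the length and complexity rules, which is why breach-list screening matters more than any single complexity rule.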
4. Poor Email Policies – Email is one of the easiest ways into a corporate environment. Phishing (discussed above) is an easy way to trick someone into exposing their account credentials. Employees can also send sensitive data by email to their personal accounts or to someone else. People are lax with email because of its familiarity, and familiarity builds complacency.
Ways to Mitigate: Setting an email policy and reviewing it with your employees should be part of your operating procedure.
Blocking external email wherever possible should be part of your plan. Any employee who does not need to send or receive external email should not be able to. This reduces the chances of being compromised.
Beyond that, education is a critical component of email security. Educate your employees on what to look out for and to report anything that looks suspicious. Reporting it lets you alert the rest of your employees.
5. Device Policies – Whether you hand out devices or have a BYOD environment you still need to set policies. Here’s a common scenario:
An employee traveling with their work laptop connects to the public hotspot in a local coffee shop. When they connect, Windows asks whether this is a work/home (private) network or a public network. Without thinking, they select work, which applies the less restrictive private firewall profile and turns on network discovery and file sharing for everyone else on that hotspot.
This puts the documents on their laptop, and potentially access to your internal network, at risk.
With a simple, freely available app on my Android phone I can scan (and have scanned) a free wifi hotspot for devices that can be compromised. I have gained access to email, social media and documents over free wifi hotspots. I have done this in restaurants, coffee shops, hospitals and hotels. I have even seen doctors’ laptops on the free wifi at hospitals.
Don’t worry, I did not do anything bad with this access.
Ways to Mitigate: Education (sensing a theme here?). Require VPN access to reach anything critical or sensitive, and configure laptops so that unknown networks get the public profile by default.
6. Unauthorized Software & Updates – I have logged on to servers and corporate devices to discover freeware (or worse pirated) software on them. I have also dealt with computers that become unusable after a Windows update, an update that should have been tested first.
Freeware can wreak havoc on a device, especially when the installation is not done by someone in IT. Freeware often comes bundled with other software that you may not want on your network, including adware and spyware.
Pirated software is illegal and can cost your business a tremendous amount of money if you are caught. Pirated software has usually had its code altered to do something else on the computer it is installed on. Often the computer is used as a bot in a future DDoS attack, but the alterations can also include backdoors, spyware or other code designed to steal your data and sensitive information.
Ways to Mitigate: This one is more straightforward. Require administrative credentials to install software. Use an internal software repository rather than allowing software to be downloaded freely from the internet, and let only experienced admins add to the repository. Test Windows updates on a pilot group of machines before rolling them out to everyone.
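A repository is only as good as the check that ties an installer back to it. The following added example (mine, not code from the original post) gates an installer against an approved-software manifest of the kind an internal repository would publish: the package must be listed, and its SHA-256 must match the hash the admin recorded when vetting it, so an altered copy such as a pirated build is refused. The manifest entries, package name, source URL and installer bytes are constructed for the example.

```python
"""Added example (not from the original post): gate an installer against an
internal approved-software manifest before it may run, so that only packages
an admin has vetted (and not altered copies) are installed. The manifest,
installer bytes and names below are constructed for this example."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the bytes of an approved installer.
APPROVED_INSTALLER = b"MZ\x90\x00 constructed sample installer bytes for the example"

# Constructed manifest as an internal repository would publish it. In practice
# the hash is recorded by the admin when the package is vetted; here it is
# computed from the sample bytes so the example runs offline.
MANIFEST = {
    "archiver-19.00-x64.exe": {
        "sha256": sha256_hex(APPROVED_INSTALLER),
        "approved_by": "it-admin",
        "source": "https://repo.internal.example/archiver/19.00/",  # assumed URL
    },
}


def approve_install(filename, data, manifest=MANIFEST):
    """Return (allowed, reason). Allowed only if filename is in the manifest
    and the file's SHA-256 equals the published hash."""
    entry = manifest.get(filename)
    if entry is None:
        return False, f"{filename}: not in the approved-software manifest"
    digest = sha256_hex(data)
    if digest != entry["sha256"]:
        return False, (f"{filename}: hash {digest[:12]}... does not match the "
                       f"manifest ({entry['sha256'][:12]}...); refusing to install")
    return True, f"{filename}: verified, approved by {entry['approved_by']} from {entry['source']}"


if __name__ == "__main__":
    cases = [
        ("archiver-19.00-x64.exe", APPROVED_INSTALLER),            # vetted copy
        ("archiver-19.00-x64.exe", APPROVED_INSTALLER + b"\x00"),  # altered copy
        ("free-pdf-tool-setup.exe", b"random download"),           # never vetted
    ]
    for name, blob in cases:
        ok, why = approve_install(name, blob)
        print("ALLOW" if ok else "BLOCK", why)
```

The manifest itself has to be protected (signed, or served only from the repository over an authenticated channel), otherwise an attacker who can alter the installer can alter the hash beside it.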
As you can see, there are a lot of concerns relating to your employees. I didn’t include disgruntled employees (that should be a no-brainer and should be addressed by HR ASAP).
One of the most important components of risk mitigation is education. If you don’t already have a process for educating your employees about potential compromises and vulnerabilities, create one immediately. The education needs to be continual, and it needs to be updated as needed to address new and emerging threats.
If you have any questions feel free to contact us today! Send an email to support@nwaj.tech or call 203.680.8151
I work for a company that stresses security…and sometimes they will send us a trick email to see if we will click on it! One challenge I face is how often I have to change my passwords for certain programs at work, and I have about 5 passwords I need to keep straight. If there was a way to sync them all, I think it would help the post-it issue!
To manage passwords I use KeePass on my computer. There’s just no way to remember all passwords anymore, especially if you use complex passwords. Sounds like your company practices good password policy!
Well, I work in a company which is so paranoid about security that it is suffocating. While being careful is good, one needs to take care it doesn’t smother employees, because happy employees make profitable companies!
It’s better to be safe than sorry so I do agree with all these and keeping security in the work place.
Good points! It’s better to be safe than sorry. Keeping security high is a must in a work place.
I feel like a lot of people don’t realize what they are doing can be a threat to internet security. I work at a social media firm and we really have to be careful because we deal with client accounts.
Always need to be careful with cybersecurity no matter what. I’m so scared of all my electronic devices being hacked that I change my password constantly. Yes, it’s so stressful, but better to be safe than sorry…
Yikes, I am always careful when I’m online. I’m always in shock when others aren’t. You just never know what could happen!
This is such a great post, very interesting and informative. I can say that it is better to be safe than sorry in the end. So as individuals we must be careful with our own security.
Well said
I can’t help but agree! Not all employees are aware of the IT security issues. The tips to mitigate are very informative. Thanks!
Thank You
While it’s easy to imagine a disgruntled, unhappy employee becoming a malicious actor within an organization, and dumping the family jewels out of spite, it is much more likely that a well-intentioned employee did something they really shouldn’t have.
100% accurate, and that’s why I chose not to focus on a disgruntled employee
Keeping secure in the office is really important. That’s why we need to be extra careful when we are online.
I remember, when I used to work in finance, all the rules we had computer-wise: always locking your screen even if you were away for a minute. Keeping everything secure is so important!
Somehow I must say I agree on this. We should really take into consideration making sure our employees are properly taught about information security.
Informative post. I learned about IT security in my master’s degree. I am not an IT employee, but since then I always take care of my credentials.
What a great informative post. I’m not big enough to implement this yet, but it’s something I’m pinning for later for sure.
I would not have realized this! Something good to keep in mind!
This is full of information! These are scary and I agree that education is the key. We must be aware of this.
Great tips. Even companies with policies need to refresh employees every now and then on good password habits.
I agree. So it is as important to train employees well as to equip them with the right devices!