11 Ways Employees Can Be Your Weak Link for Cybersecurity
Each year, incidents of cyberattacks on companies intended to steal sensitive information are increasing. There are cybersecurity tools made to protect organizations, but many of these tools focus on external attacks, not internal weaknesses. Many security systems do not account for the possibility of employees unknowingly becoming a security threat and do nothing to mitigate accidental internal threats. Employee cybersecurity is an important issue.
The 2018 Insider Threat Report asserted that 90% of organizations are likely to be attacked or exposed to attacks through an insider, and more than 50% experienced an attack through an insider.
Furthermore, about 44% of top companies are exposed to potential threats as a result of exposure of passwords on the internet by their employees or theft of login details.
According to a recent report by Shred-it, an information security company, employee negligence is the primary source of data breaches. According to that report, 47% of business leaders blamed human error (i.e., accidental loss of a device or document by an employee) for a data breach within their organization.
The Threat of a Negligent Employee
A negligent employee does not have the intention of exposing a company to threats but does so unknowingly in several ways that could have grave implications. It is simply negligence. Here are some of the most common unintentional insider threats and some creative ways organizations can educate their employees about them.
1) Phishing and various iterations of it, like spear phishing.
Phishing is one of the ways a careless employee can expose sensitive information. Phishing is the luring of an internet user to reveal sensitive details on a counterfeit web page or email that is made to look like it is legitimate.
A creative way to educate your employees: Create a presentation for employees on spotting a phishing email and share it. Then test them with your own fake phishing emails. If they fall for it and click through, bring them to a site that has a list of your organization’s “heroes”—the people that did not click through, but instead sent the email to your security team since they suspected it was phishing.
2) Using unsecured networks.
Using personal devices and company devices on unknown networks is very risky. The risk is much higher with a network provided by or offered in public places, like a café or an airport. Data may not be encrypted in these networks and could easily be intercepted, then stolen. Login details can be exposed when there is an attempt to access emails or social media on a public network. Viruses and malware are also frequently distributed over a public network.
A creative way to educate your employees: Provide video training for employees on insecure networks and then set up a spoofed network in your office. The people that connect to the spoofed network get a pop-up window with a 3-minute video on unsecured networks, which then prompts them to connect to the real network.
3) Using the same password on multiple sites.
Unfortunately, most employees use the same or similar passwords for work and personal devices. By using the same password on personal accounts, which are often also less secure, they risk exposing their employer to threats. Password reuse means an attacker can obtain credentials from one website and then use them to gain access to that user’s account on another website. Some employees will even use their company email accounts to join personal forums. Many online forums are free and someone’s side hobby. Because they are not a paid service, they are not patched for security flaws frequently. Additionally, they often do not have adequate security to protect login credentials, so this is yet another threat to the employer.
A creative way to educate your employees: Train your employees on the dangers of password reuse, especially between corporate and personal accounts. Install a compromised credential screening tool if you host any online customer or user accounts. Use an Active Directory password screening tool that prevents your employees from reusing compromised passwords.
4) Not performing system updates and upgrades.
It is necessary to keep personal and work devices up to date as this provides security patches that will block cyber attackers from exploiting vulnerabilities in the device. Many employees do not keep up with updates and do not understand the importance of them.
A creative way to educate your employees: Give each department a list of companies that have been breached because of unpatched systems, organized by department and by tool. Many of these lists are available online, and it is eye-opening for employees to see that other companies have been breached because of an unpatched tool that they themselves are using. You will see a bunch of updates happen soon after that.
5) Accidental installation of malicious apps.
Employees might get tricked into downloading and installing an application or extension, hoping to use its productivity features for free, that actually contains malware capable of exposing information on the device.
A creative way to educate your employees: Make a video showing your employees a real-life example of installing a malicious app and what the experience is afterwards. Once you see what happens to someone else’s device, you will be more cautious.
6) Using unsecured data storage.
Sensitive data should not be stored on devices or within unsecured storage sites. Depending on the data, it could be a significant threat if it falls into the wrong hands. An employee may lose possession of an external device that contains sensitive company data. London’s Heathrow airport, for example, was fined £120,000 for losing a USB drive, which contained confidential information that should never have been stored on a USB drive in the first place.
A creative way to educate your employees: There are a plethora of real-life examples of unsecured data storage breaches in the news. However, it is not just unsecured S3 buckets or plain text PII storage. It can be sensitive data on spreadsheets on an unsecured laptop, improper usage of USBs, etc. Test your employees and publish the results. Leave some USBs sitting in a conference room and monitor how many people use them or alert security. Upload a PPT on the USB that outlines why data storage is so important and to stop putting random USBs into their computers.
7) Leaving information and devices lying around.
Some habits are still seen as trivial by employees, such as leaving a work computer unlocked and unattended. Leaving unsecured devices unattended is a common habit, and over 25% of workers admit they do this often. Unlocked and unattended computers and devices are a natural entry point for a cybercriminal. Leaving out documents and other written communications can have the same issue.
A creative way to educate your employees: You can train your employees by leaving dollars out around the office in unattended locations. Put sticky notes on the back that explain that leaving your devices lying around is like leaving money sitting out on a table. Someone is going to take it. Another creative security training team we work with even “stole” all the devices and paperwork that were left unattended in an office and held them hostage. Then they required a quick and comical 3-minute online security training video for the employee to get them back.
8) Lax Bring Your Own Device (BYOD) habits.
With the advent of new technologies, employees can take work home on their mobile devices and tablets. Not setting a passcode or biometrics lock on a mobile phone or tablet is a substantial risk. As so many employees access company data on their phones, this also puts the organization at risk. Mobile technology has increased the productivity of employees with the consent of the company; however, it poses some of the following risks:
- Data leakage: employees can take work to places that do not have adequate security and can pose a threat to data. There are countless stories about information stolen by fellow passengers on a plane.
- Device loss: employees can lose their device, which may improperly contain sensitive information that someone can take.
- Hacking and Malware: Personal devices may be vulnerable to hacking and malware, part of which was outlined above.
A creative way to educate your employees: Train your employees on security for different devices because most people are still very lax when it comes to mobile phone security. If they access any company data or applications from their mobile devices, deploy a mandatory MDM security solution. Set a requirement for a passcode or biometric lock. There are a lot of great videos on YouTube showing how mobile phones can be hacked, and just because it is BYOD, that doesn’t mean it needs to be less secure.
9) Weak employee cybersecurity when remote.
Many US-based organizations allow employees to work remotely from home. While working from home is considered the future of work, it poses similar risks as a BYOD policy. Many people do not have robust home wi-fi security, and they do not always run their corporate VPN when online at home.
Creative ways to educate your employees: Train your employees on home-based security and VPNs if they work remotely. Remind them that IoT devices and guests need to be on separate networks. Many family members and friends may have viruses and malware on their laptops, so it is essential for them to use a distinct guest network that is not associated with any network used for work purposes. One company we work with has a lot of distributed employees and small offices around the world. Just like the office safety volunteers that help employees in the case of a fire, they have a designated cybersecurity volunteer in each office to help the local employees understand cybersecurity. For the remote employees, they have virtual cybersecurity volunteers that reach out to remote employees on a quarterly basis and host informal remote cybersecurity training.
10) Using default admin passwords.
Default passwords are an easy target for bad actors because worms have been built to seek out systems that leverage the default credentials. There is a whole dark web exchange for default passwords. Make it a corporate policy to change default passwords immediately.
A creative way to educate your employees: This is another area where testing is hard, so videotape some examples of how a bad actor who gains access through an IoT device can pivot to other sensitive systems. Alternatively, share some of the articles on default password attacks, such as the attack on an HVAC system or one of the numerous attacks on printers.
11) Using weak passwords, especially admin passwords.
44% of employees admit to having insecure passwords at work, which makes it easy for an attacker to break such a password. Use an Active Directory password screening tool that prevents your employees from using compromised passwords or bad passwords that are commonly found in cracking dictionaries or password blacklists.
A creative way to educate your employees: Most people think their password is strong and secure. There are plenty of online tools that you can use to demonstrate good or bad passwords. These tools use secure APIs to access a backend password database and password blacklist, but we recommend that people not use their real passwords. One customer of Enzoic ran a contest at a set time for a week for employees to make up passwords that they think would be secure. Each day there was a new guideline on character length and special characters. The week built up to the final day and what would be most secure: a long passphrase. But the employees also got to use the link above to test out what would be secure. Employees who submitted a secure password first won a prize, and it was a good demonstration to everyone about strong and weak passwords and passphrases.
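The compromised-credential screening described in points 3 and 11 can be illustrated with a small worked example. This is added code, not Enzoic's product or anything from the original article: it combines a blacklist check with a k-anonymity breach lookup, in which only the first five characters of the password's SHA-1 hash leave the client and the suffix match is done locally. The blacklist and breach corpus are constructed for the demo so it runs offline; a real deployment would query a breach-data service by hash prefix instead of the local stand-in.

```python
"""Password screening check: blacklist + k-anonymity breach lookup.
The blacklist and the breach corpus below are CONSTRUCTED for this
example so it runs offline; a real tool would query a breach-data
service for the hash-prefix range instead of the local stand-in."""
import hashlib
from typing import Dict, Tuple

# Constructed blacklist of passwords commonly found in cracking dictionaries.
BLACKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form breach corpora are usually indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(leaked: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Group leaked-password hashes by 5-char prefix: {prefix: {suffix: count}}.
    This is the shape a range query returns to the client."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


# Constructed breach corpus: passwords that appeared in (fictional) dumps.
BREACH_INDEX = build_breach_index({"Summer2019!": 1200, "P@ssw0rd": 98000})


def range_query(prefix: str) -> Dict[str, int]:
    """Stand-in for the network call; only the 5-char prefix is sent."""
    return BREACH_INDEX.get(prefix, {})


def screen_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason): reject blacklisted, breached or short passwords."""
    if password.lower() in BLACKLIST:
        return False, "blacklisted"
    h = sha1_hex(password)
    hits = range_query(h[:5])          # prefix leaves the client ...
    if h[5:] in hits:                  # ... suffix is matched locally
        return False, f"seen in breaches {hits[h[5:]]} times"
    if len(password) < MIN_LENGTH:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "welcome1", "Tr0ub4dor&3", "my cat sat on the warm radiator"]:
        print(f"{candidate!r} -> {screen_password(candidate)}")
```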
These are all significant threats to employers, and these are just some simple examples of how to educate employees. These examples may not be appropriate for every environment. We have heard creative things from our customers on how they are trying to reduce insider threats and wanted to share some of them.
Our key point is that organizations need to educate their employees on information security, and one effective way to do that is to make it interactive and give real-life examples. Give them real-life experiences of how some of these threats work and what the fallout can be for them. Make videos with other real employees to help them relate. Most employees care about their job and don’t want to create issues for their employers but are unaware of the threat they unknowingly bring into the business. It is important to take employee cybersecurity seriously.