Based on 53,000 security incidents from 67 organizations around the world, Verizon’s most recent Data Breach Investigations Report (DBIR) is one of the most in-depth analysis of security breaches ever compiled. According to the report, the most common types of attacks that resulted in breaches involved the use of stolen credentials, followed by RAM scraper malware and phishing.
Of those top three threats, two depend on one common security flaw: human beings. The fact is, the people who keep an organization running are the same people who might be putting data at risk. According to the report, “The human factor continues to be a key weakness: employees are still falling victim to social attacks.”
Let’s take a look at the six most common ways employees might be putting your systems at risk, along with some recommendations for protecting your network.
1. What’s the Pretext?
According to the report, “pretexting” is tricking a victim into handing over information that will be used to steal passwords or credentials. According to the report, financial pretexting and phishing represent 98% of social incidents and 93% of all breaches investigated — with email continuing to be the main entry point (96% of cases). Most shockingly, companies are nearly three times more likely to be breached by social attacks than by actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education.
The problem arises in part because almost every organization prides itself on being “service oriented.” That means people are trained — often drilled into believing — that the customer is always right and that whenever customers reach out, their jobs are to provide whatever is needed.
Social engineering, or human hacking, takes advantage of this “need to please” by tricking customer service representatives into unlocking defenses. For example, hackers might reach out to Cloud software companies claiming to be angry customers locked out of their accounts, demanding to have the password reset so they can log in and access their data.
THE SOLUTION: First, limit permissions to only those trusted users who must access data to do their jobs, and always limit the number of individuals given advanced and administrator-level permissions. Above all, initiate a policy limiting when and how new users can be added, and control access to reset passwords and other credentials.
2. Avoid Attachments that Kill
It starts innocuously — an employee receives an email with an attachment called “presentation.zip” or something similar. Or, someone is casually surfing the Internet and decides to check out some clickbait, like “The Inside of Katy Parry’s House Is Disgusting.” He or she opens the attachment or link and, just like that, a CryptoLocker Ransomware virus runs wild on your network.
As we highlighted in a recent blog, CryptoLocker ransomware viruses install a program on the infected computer that systematically accesses and locks all of the data files — including network files. To regain access, money (usually hundreds of dollars) must be sent to the hacker. This type of virus can be aggressive and quite lucrative for the hacker, and there’s no guarantee the hacker will honor his side of the deal and unlock the files.
THE SOLUTION: To prevent this type of attack, your first line of defense is to educate employees not to click on anything unknown. Make sure your antivirus programs are regularly updated and can sufficiently block malware file types and remove infected files. And, in the event of a successful attack, make sure you have complete hourly backups of your entire system so you can recover your files without paying off the hackers.
Also, be very suspicious of emails or messages requesting access to an application. It may not be unusual to have a team member inform you that he or she has lost a password or email and request a new PIN number. Unfortunately, it’s easy for anyone to spoof an email address or even pretend to be someone else on the phone. Take advantage of the tools available to continually monitor access and, whenever possible, limit the number of people who can log onto your system.
3. Improve Your Password Policy
All it takes is one employee with a password like “123456” to give a hacker easy access to your company’s data. Passwords are one of the oldest authentication protocols still in use, literally dating back to the invention of spoken language. Even worse, millions of internet-connected devices have default passwords like “welcome” that users never take the time to change. Automated networks of botnets have taken advantage of this to infect hundreds of thousands of IoT devices, including web cameras, security systems and printers.
THE SOLUTION: It only takes 10 minutes to crack a six-character password that’s all lowercase letters. If you capitalize some of those letters, it will take 10 hours. If you replace letters with numbers and symbols, you’re looking at 18 days of safety before someone gets a hold of your password. It can be a painful process, but always enforce complex password policies. To make it less painful, adopt a password vault or similar software system to manage and protect your passwords.
4. Restrict Employee Administrative Rights
If every staff member has permission to install programs or applications within an organization, you have a serious security loophole. If employees are not tech-savvy or aware of common security threats, there’s a good chance they’ll inadvertently download a virus or malicious application.
THE SOLUTION: To prevent these weaknesses and eliminate the risk of downloading malware, lock down administrative rights so only a very limited number of IT managers are responsible for program and application installations.
5. Lock Down Phones and Devices
Personal smartphones, tablets and other devices complicate the process of securing a network. When employees use home computers, a Virtual Private Network (VPN) connects them to the company network for remote access. However, the company doesn’t have any control over the home computer’s security. Even worse, employees use their personal phones for work email and sales applications.
THE SOLUTION: If your employees need a mobile application for work, it is possible to enforce permissions for work-related applications. Make sure security protocols can protect your company’s proprietary information by allowing access to data on those devices, such as images or contacts. Make sure any computers your employees use at home or on the road have the same updated security software as any other company-owned machine. Of course, always remember that security controls have to be reasonable, otherwise users will bypass them. In addition, companies should prohibit:
- Downloading and saving of data on devices
- Direct access to the corporate network from personal devices
6. Should You Assume the Worst?
When you work with people for a long time, typical human nature is to assume the best about your colleagues. But when employees leave a company — whether voluntarily or involuntarily — they may be tempted to surreptitiously take confidential information with them. This can happen if employees take jobs with competitors or strike out on their own, or if an employee is fired and wants to exact a little revenge. An employee in the IT department can do serious damage since he or she probably has access to network passwords and credentials.
THE SOLUTION: The obvious part of the solution is to lock down access, change passwords and monitor employees’ activities if you know they’re leaving the company. Less obvious is the legal requirement: require new employees to sign non-disclosure agreements that prevent them from taking any intellectual property or employee or customer data when they leave the company. It’s also important to remind them about their responsibilities to keep company data confidential. That might discourage some bad actors and provides legal recourse and remedies if something bad does happen.
Employees’ mistakes could have serious consequences to your business. Check out our helpful Cybersecurity Tips for Employees infographic below and take the necessary steps to protect your system today by improving your data security for the future. Fortunately, the IT experts at Gordon Flesch can help you run a full security sweep of your network, printers, computers and mobile devices to identify threats and weaknesses. Contact the Troyka-TC for a no-cost assessment and to learn more about how our Managed IT services can help secure your local or Cloud-based IT infrastructure.