Today, cybersecurity has become a focus for all reputable organizations, and big businesses are taking proactive measures to set up an IT security framework for tackling cyberattacks. Organizations are establishing best practices and risk committees to close loopholes and vulnerabilities in the company's IT landscape. Despite these efforts, companies often fail to realize that most cyberattacks succeed because of the employees working in the organization. In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all cyberattacks involved insiders either directly or indirectly. As part of its best practices, an organization must train its employees to avoid the common mistakes that can lead to a disastrous cyberattack. The following paragraphs highlight some of the mistakes that should be covered when educating employees about cyberattacks.
Getting Fooled by Phishing
Phishing is a type of cybercrime in which criminals pretend to be from a reputable source and send emails to employees in order to extract confidential information. According to the FBI, more than 7000 US companies were reported to be victims of phishing between 2013 and 2015, with overall losses reportedly in excess of $740 million. Some fraudulent emails induce employees to click a link that triggers the installation of a malicious program. Other phishing emails have persuaded accountants to transfer funds to fake accounts claimed to belong to senior executives. As part of security awareness training, employees need to be educated about the harmful effects of phishing, and they must be encouraged to take the utmost care to prevent leaks of confidential or sensitive information.
Plugging in Mystery Devices
Employees commonly make the mistake of sharing USB sticks or using unidentified devices that can be plugged into any machine on the network. Some curious employees also commit the grave mistake of plugging USB thumb drives that they find on the premises into their laptops. These devices may contain viruses or other malware that can spread from one infected computer to another. One of the biggest cyberattacks reportedly took place at the Saudi Aramco oil company, and the attack was reportedly carried out by infecting computers using a thumb drive. Employees must avoid using unauthorized devices on the premises, and administrators must block employees from inserting unauthorized devices into company systems. Moreover, policies must prohibit employees from bringing their own devices, which may already be part of a botnet, a network of hacked computers that a cybercriminal can control remotely.
Using Weak Passwords
The biggest source of cybersecurity risk may well be the threat posed by weak passwords set by employees. Weak passwords expose computer systems to brute-force attacks, in which attackers use software to try many password combinations until one grants access to the system. Security policies must stipulate that passwords be unique and robust. Moreover, employees must be required to change their password every three months, and the same password must not be reused for social media accounts. Administrators must deactivate the accounts of employees who are leaving the company.
Failure to Use the Least-Privilege Principle
The least-privilege principle stipulates that employees must be given access only to the minimum amount of sensitive data relevant to their job profile. However, many organizations fail to implement this policy because the roles and responsibilities of employees change continually throughout their tenure. Managers often grant subordinates administrative privileges that are unnecessary for their work. These privileges are frequently never revoked, and the data they expose can be misused by employees. This human error can be corrected through strict administrative policies that are enforced by the IT department.
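The access drift and stale accounts described above can be caught with a periodic access review. The script below is an added example, not code from the original article: it assumes a hypothetical role-to-privilege map and constructed employee records, and it flags privileges that exceed the account's current role as well as accounts that remain active after the person has left (the deactivation point from the password section).

```python
# Added example: a periodic access review for least-privilege drift and
# orphaned accounts. The role map, privilege names and employee records
# below are constructed for illustration and are not from any real system.
from dataclasses import dataclass, field

# Hypothetical mapping of each role to the privileges that role actually needs.
ROLE_ENTITLEMENTS = {
    "accountant": {"erp_read", "erp_post_journal"},
    "developer": {"repo_read", "repo_write", "ci_trigger"},
    "it_admin": {"repo_read", "domain_admin", "erp_read"},
}


@dataclass
class Account:
    user: str
    role: str
    active: bool                      # login still enabled in the directory
    privileges: set = field(default_factory=set)
    employed: bool = True             # False once HR records the departure


def review_access(accounts):
    """Return findings as (user, kind, detail) tuples.

    kind is one of:
      'orphaned' - account still active although the person has left
      'excess'   - privilege not needed by the account's current role
      'unknown'  - role missing from the entitlement map; cannot be evaluated
    """
    findings = []
    for acct in accounts:
        if not acct.employed and acct.active:
            findings.append((acct.user, "orphaned", "deactivate account"))
        allowed = ROLE_ENTITLEMENTS.get(acct.role)
        if allowed is None:
            findings.append((acct.user, "unknown", acct.role))
            continue
        # Anything beyond the role's entitlement is drift that should be revoked.
        for priv in sorted(acct.privileges - allowed):
            findings.append((acct.user, "excess", priv))
    return findings


# Constructed sample: an accountant who was handed domain admin, a developer
# who has left but whose login still works, a clean admin, and an unmapped role.
SAMPLE_ACCOUNTS = [
    Account("alice", "accountant", True, {"erp_read", "erp_post_journal", "domain_admin"}),
    Account("bob", "developer", True, {"repo_read"}, employed=False),
    Account("carol", "it_admin", True, {"repo_read", "domain_admin"}),
    Account("dave", "intern", True, {"repo_read"}),
]

if __name__ == "__main__":
    for user, kind, detail in review_access(SAMPLE_ACCOUNTS):
        print(f"{user}: {kind} -> {detail}")
```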
Storing Sensitive Data on Employee Devices
Employees often fail to back up sensitive information and remove it from their machines. This poses a security risk whenever the machine is accessed by someone other than the employee: it may be serviced by a computer engineer, or handed over to another employee when the previous owner leaves the company. The risk of leaking sensitive information is greatest when the employee's machine is stolen or misplaced, and the consequences of such a machine falling into the wrong hands are easy to imagine. To prevent such incidents, organizations must encrypt all employee devices and portable media.
Falling Victim to Social Engineering
Cybercriminals may resort to social engineering tactics, in which an employee is deceived or manipulated into divulging confidential and sensitive information. Employees must be made aware of such threats, and only trusted employees should be granted access to sensitive information. Moreover, organizations can deploy data loss prevention software to block the transmission of sensitive information outside the company's IT network. Organizations should also deploy security tools that warn employees about probable hazards before they click an unfamiliar link, visit a website or open an email attachment. This keeps employees continuously aware of security threats.
Using Public Wi-Fi
Public Wi-Fi hotspots are convenient, letting people access the internet from restaurants, cafés, malls and other venues. However, connecting to public Wi-Fi to reach the organization's network can prove risky for employees, as these networks are easy to compromise. Cybercriminals can gain access to confidential emails, credit card details and access credentials for the company's network, and with those credentials can easily reach the company's confidential and sensitive information. Attackers can also use public Wi-Fi to install malware on the mobile devices of employees who have enabled file sharing on their systems.
A careful analysis of various cybercrimes reveals that most IT security breaches have occurred due to human error. Rarely does a cybercriminal try to break into a computer system using direct methods; today, more and more cyberattacks are carried out in a sophisticated, indirect way. Even next-generation IT security technologies will prove ineffective if careless employee behavior lets attackers walk straight into the organization's computer network. It is imperative that organizations train their employees to avoid the common and crucial mistakes that might cost millions in the future. Ultimately, IT security is every employee's responsibility.