Why your employees are a cybersecurity threat.
In mid-April, Bodybuilding.com announced that its company network had been breached by hackers. This would only be a blip in the endless stream of data breach headlines – security firm Positive Technologies reports that cyberattacks affected billions of people in 2018 – except that it was Bodybuilding.com employees who inadvertently let hackers in.
With the volume of emails and amount of business conducted through the internet, it is employees who are often the weakest link in a company's security chain. According to the Ponemon Institute, two out of three cybersecurity incidents occur because of employee negligence. At least one employee at Bodybuilding.com fell victim to a phishing email back in July 2018. While hackers could not access sensitive information such as social security numbers or payment details, they could use the hijacked usernames and passwords to steal other user information elsewhere on the web. This case highlights the need to shore up security defenses, starting with your employees.
No matter the size of your business, your employees are on the front lines of your company's cybersecurity. From that position, they can be either your best defense or your biggest liability. They need security awareness training so they can hold the line against hackers trying to break through your defenses.
Training your frontline defense
Security awareness training takes time and money, but it is well worth the protection as it could save you huge sums and untold headaches down the road. Look to your IT support to initiate, or augment, a training program for employees. That may mean tasking your in-house team to develop a curriculum and materials or calling on your outside IT service provider.
With a well-developed training curriculum based on the latest evolution of cyberthreats, you can train and test your employees and get regular reports on progress. To ensure your security training is actually making your networks more secure, it should include three essential components.
Make password management mandatory
As your company grows, so do the odds that your employees are reusing the same passwords they use everywhere else. Reusing passwords is a risky practice because it makes it easier for sensitive information to get into the wrong hands. When your network is breached, hackers take customer login information and sell it on the dark web for pennies. Other cybercriminals buy it and conduct credential stuffing attacks in which they try those login credentials (along with slight variations) on every website, app or company portal they can find. Considering that 2018 saw billions of people's data stolen, one of your employees was almost certainly involved in a breach.
Implement policies that require employees to change passwords every few months and make sure that employees are inventing entirely new passwords each time. Teach them how to create secure passwords that are easy to remember and recommend trustworthy password management tools. On average, business employees have 191 passwords, so it is no wonder they repeat some. With a password manager, users remember just one very secure password instead of juggling hundreds of credentials.
Password managers are not infallible – those with autofill features carry extra risk in particular – but reputable password managers that randomly generate strong passwords and support two-factor authentication are a much safer alternative to letting employees keep using predictable or repeated passwords.
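Two of the controls described above can be implemented in a few dozen lines: generating passwords from the operating system's cryptographic random source (what a password manager does for the user), and keeping a per-user history of salted hashes so that a "new" password that repeats an old one, or only tweaks it in the way credential-stuffing tools anticipate, is rejected. The code below is an added example, not code from the original article or from any vendor's product; the history depth, work factor and minimum length are assumed policy values, and the password strings are constructed for the demonstration.

```python
"""Password hygiene helpers: CSPRNG password generation and a per-user
history check that rejects an old password or a trivial variation of it.
Added example, not code from the original article; standard library only."""
import hashlib
import hmac
import os
import secrets
import string

HISTORY_DEPTH = 5        # assumption: remember each user's last five passwords
PBKDF2_ROUNDS = 100_000  # assumption: work factor; raise it on faster hardware
MIN_LENGTH = 14          # assumption: policy minimum length
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password drawn from the OS CSPRNG (never the random module)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _normalize(password: str) -> str:
    """Collapse the tweaks people make when forced to rotate: letter case,
    trailing digits or punctuation, and a few digit-for-letter substitutions,
    so 'Summer2023!' and 'summer2024' reduce to the same base password."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(str.maketrans("@$013", "asole"))


def _digest(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Stores only salted hashes of each user's recent passwords (exact form
    and normalized form), so the history is not a plaintext credential list."""

    def __init__(self) -> None:
        self._entries = {}  # user -> [(salt, exact_hash, normalized_hash), ...]

    def _matches(self, user: str, candidate: str):
        norm = _normalize(candidate)
        for salt, exact, normalized in self._entries.get(user, []):
            if hmac.compare_digest(_digest(candidate, salt), exact):
                return "exact"
            if hmac.compare_digest(_digest(norm, salt), normalized):
                return "variant"
        return None

    def set_password(self, user: str, new_password: str) -> str:
        """Record the password and return 'accepted', or a rejection reason."""
        if len(new_password) < MIN_LENGTH:
            return f"rejected: shorter than {MIN_LENGTH} characters"
        match = self._matches(user, new_password)
        if match == "exact":
            return f"rejected: matches one of your last {HISTORY_DEPTH} passwords"
        if match == "variant":
            return "rejected: trivial variation of a previous password"
        salt = os.urandom(16)
        history = self._entries.setdefault(user, [])
        history.append((salt, _digest(new_password, salt),
                        _digest(_normalize(new_password), salt)))
        del history[:-HISTORY_DEPTH]  # keep only the most recent entries
        return "accepted"


if __name__ == "__main__":
    # Constructed walk-through: a rotation that only bumps the trailing digit
    # is caught, while a manager-generated password is accepted.
    history = PasswordHistory()
    for pw in ("CorrectHorse-Battery-9", "CorrectHorse-Battery-9",
               "correcthorse-battery-10", generate_password()):
        print(f"{pw!r:32} -> {history.set_password('alice', pw)}")
```

The normalized hash is stored alongside the exact hash because a plain hash of the old password cannot reveal that a candidate differs from it by one digit; hashing the normalized form makes that comparison possible without keeping any plaintext.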
Teach employees to spot phishing attempts
Phishing attacks continue to plague businesses everywhere. According to CSO Online, 56% of IT leaders report phishing attacks as their top security threat.
The attacks are constantly evolving to net as many victims as possible. For example, hackers are now directing users to sites that use HTTPS encryption because users are trained to identify these sites as secure. While HTTPS indicates that a site does use encryption, it does not mean the site itself is safe. Between 2016 and third-quarter 2018, the number of redirects to encrypted phishing sites increased almost 900%.
Teach employees to spot the tell-tale signs of a phishing attempt, including spelling and grammar errors, suspicious attachments, requests for personal or payment information, false promises or free offers. No one is giving out free Amazon gift cards and the IRS will not offer to double your tax refund. If it sounds too good to be true, it is a scam.
Training is the first half of the equation, but testing is equally important. Conduct tests each month in which you send out simulated phishing emails. The employees who take the bait will need additional training to help shore up company defenses.
Keep an eye out for malicious ads
Many breaches happen when employees are the target of direct attacks, but they can also occur when employees are just browsing the web. Cybercriminals can sometimes take over legitimate sites or place an ad on a legitimate site that offers a substantial discount or free reward. One click later and your network is infected with malware or possibly ransomware – to which one organization falls victim every 40 seconds – depending on the hackers' intentions.
On top of malicious ads, sometimes just visiting a site can infect your network – even if you do not click on anything once you are there. To maintain security, your employees should do their web browsing on a different network. Alternatively, you can maintain a list of approved sites with formidable cybersecurity defenses that are likely to be safe. No matter what you decide, teach employees to hover over links before they click them so that they see the actual URL, which shows where the link will really lead, rather than the displayed link text that masks it. If it looks suspicious, it is best to err on the safe side.
Untrained employees are your biggest cybersecurity threat, but the right instruction can turn them into a dependable line of defense. Training does not have to be difficult. If you have been meaning to implement a plan but you have not found the time, consider a subscription solution from a proven security organization. The earlier you start, the sooner your organization will be safe.
Jon Schram