Dawn Kawamoto - 1/25/2016 - Image: alengo/iStockphoto
As you walk through the door of your company each morning, you are potentially poised to be the weakest link in your organization’s defense against hackers and malicious attackers. Here are the 10 boneheaded moves you make — often without realizing the security risk.
Despite companies spending billions of dollars on information security technology, it turns out that the greatest threat to their security may be you — their clueless employee.
Granted, employees’ intentions are not always meant to be malicious, but, rather, it’s often a case of boneheaded maneuvers, say security experts.
And employees, as a collective group, account for a wide swath of the confidential data loss at companies, according to a recent study. Of the 5,564 IT professionals queried in the Global IT Security Risks Survey by Kaspersky Lab and B2B International, 73% were affected by internal security incidents. It turns out that employees were the largest single group that created this confidential data loss, accounting for 42% of the incidents.
“It is staggering how often this happens,” said Andrey Pozhogin, senior product marketing manager from Kaspersky, in reference to the frequency of employees creating this data loss.
Rob Sadowski, technology solutions director at RSA, the security division of storage titan EMC, noted, “End users are the front line of defense. The first stage of an attack is to gain a foothold in the organization. It’s not to circumvent (the security system in place) but to gain access… Once access is gained, then the attack begins and it’s off to the races and the threat spiders out.”
And what are companies doing to educate their employees on security issues, given they are the first line of defense? An estimated 75% of companies with more than 100 employees have some sort of training, said Chester Wisniewski, a senior security advisor at security firm Sophos. That training can range from selecting a complex password to an awareness of phishing attacks, in which an attacker tries to lure a user into clicking a link to a malicious website or downloading an attachment loaded with nefarious code, such as software that logs the user’s keystrokes.
Wisniewski added that the larger the company, generally, the more extensive the training program. He added that the type of industry a company is in will also make a difference, noting that even small companies in the tech sector usually have some form of security training.
That said, however, Wisniewski noted, “A lawyer, an accountant, or someone in marketing will… never be computer nerds.” As a result, here are 10 boneheaded moves to avoid to reduce your chances of becoming the weakest security link at your company. Are you guilty of any of these missteps? Did we leave any out? What are you doing at your company to minimize potential security risks? Let us know in the comments.
Although companies may encrypt their corporate financial information or valuable intellectual property, it does no good if the employee accessing the encrypted information forgets to return the device to a locked state, where a passcode must be entered again, when they step away from the computer or smartphone. “I was in Starbucks and a guy had his financial spreadsheet on his laptop, but left his computer on the table while he got his coffee. I see this happen often,” Wisniewski said. “In order for encryption to be useful, you have to lock your screen… I think people think encryption is magic and their device is protected all the time.”
Surprisingly, 30% of the 1,700 IT decision makers who were polled in a recent Sophos survey indicated their organization failed to always encrypt their corporate financial information, and 41% said they only occasionally encrypted files filled with valuable intellectual property.
Half of employers by 2017 are expected to require their workers to use their own devices for work-related tasks, research firm Gartner predicted.
But with Bring Your Own Device (BYOD) come certain security problems, notes Bruce Snell, security and privacy director with Intel Security. Consumers are known to unlock their phones, otherwise known as jailbreaking, and then engage in the risky business of downloading apps from outside Apple’s App Store, bypassing the vetting process Apple applies before an app is admitted to the store.
Snell noted that employees who install apps Apple has not sanctioned on their iPhone, or third-party apps from outside Google Play on their Android phones, may be at greater risk of unwittingly loading malicious software onto their mobile devices and then infecting their companies when they connect those devices to the corporate network. “Users should stick to legitimate and major app stores,” Snell advised.
Another security risk comes from employees putting data on USB thumb drives and not removing the data from the drive once it is no longer needed, said Michael Angelo, chief security architect at Micro Focus.
“The question is, can the USB device be lost or used by someone else?” Angelo said. “If so, will the sensitive data still be on it? In any case, could the data be exposed on the USB device?”
Social Media Blabbermouth
With social media, it’s hard not to be, well, social. But there is one huge drawback for those who are blabbermouths. They can give the proverbial bad guys enough information to become a target of a security attack, not to mention a wealth of information about the best approach to take, Sadowski said.
“By posting a lot of sensitive details about your job, your role, your responsibilities, that may be unsafe use of social media,” he noted. For example, an Oracle database administrator may tout how many servers they are responsible for and the work-related apps that they know well. An attacker may want to target this “high-value” user because by breaking into their computer or mobile device, they receive more bang for the buck in terms of their effort. The same can be said for the administrative assistant to the CEO of a company.
“This tactic is used by the more advanced attackers, who do reconnaissance on a company and its high-value targets,” Sadowski said.
Although it can be annoying to receive an alert or ping to do an update to your computer or device while under a crushing deadline to complete some work, security experts across the board say don’t delay.
“People need to update when they get the notice, because it will keep them resistant to attacks,” Sadowski said. “When a patch is issued, often a vendor will do this based on a security vulnerability that is out there, and an employee will be at an increased risk if they don’t apply the update in a timely manner.”
Employees have more than telemarketers to worry about when answering the phone. They should be on alert to the possibility of being phished by phone. With these phone phishing attacks, a data thief will call the employee and use social engineering to extract such private information as account numbers or social security numbers, and the like.
Jeff Schilling, chief security officer at security company Armor, cited examples of a phone phishing scam. “Someone calls your work phone claiming to be from the IT helpdesk and asks you for your user name and password,” Schilling said. Or, citing another example, the scammer “calls you on your phone and directs you to go to a website to download a program to ‘patch’ a problem with your company computer.”
One of the best steps an employee can take is to be hyper-skeptical of the emails that come their way, and question whether the sender is really who he or she claims to be. In a phishing attack, an attacker tries to lure a user to click on a link that will take them to a nefarious website, or open an attachment that downloads malicious software onto their computer.
“If you don’t know who the sender is, or you do know who the sender is but the contents of the email looks suspicious, then you need to take a long hard look and be circumspect on whether to click on it,” Sadowski said. “You may want to send it to the IT department and ask them if it is suspicious.”
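The advice above is to look hard at who an email really comes from and where its links really go. As an added example that is not part of the article and not code from any of the vendors quoted, the following Python script applies three of those checks to a raw message: a display name that claims the company’s brand while the address sits on another domain, a Reply-To domain that differs from the From domain, and a link whose visible text shows one host while its href points to a different one. The corporate domain `example.com` and both sample messages are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Text that looks like a URL or bare domain, so "click here" is not mistaken for a host.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(text):
    """Hostname of a URL or bare domain; '' if the text is not URL-like."""
    text = text.strip()
    if not URL_LIKE.match(text):
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def phishing_indicators(raw_message, corp_domain=CORP_DOMAIN):
    """Return a sorted list of indicator names found in the message; [] means none fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = set()

    # 1. Display name borrows the company brand, but the address is on another domain.
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    brand = corp_domain.split(".")[0]
    if from_domain != corp_domain and brand in display_name.lower():
        flags.add("lookalike_sender")

    # 2. Replies would go to a domain other than the one the mail claims to come from.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.add("reply_to_mismatch")

    # 3. A link shows one host in its text but sends the click somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        shown, actual = _host(text), _host(href)
        if shown and actual and shown != actual:
            flags.add("link_mismatch")
    return sorted(flags)


# Constructed sample: a lure of the kind the article describes.
SAMPLE_PHISH = """\
From: Example IT Helpdesk <helpdesk@example-support.net>
Reply-To: reset@mail-verify.biz
To: jane@example.com
Subject: Action required: your password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://example.com.login-portal.biz/reset">https://sso.example.com/reset</a>
to keep access.</p></body></html>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_LEGIT = """\
From: Jane Doe <jane@example.com>
To: bob@example.com
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch at noon? https://example.com/cafeteria
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))
    print("legit:", phishing_indicators(SAMPLE_LEGIT))
```

The checks are deliberately conservative: each one fires only on a concrete inconsistency inside the message, so a hit is something worth forwarding to IT rather than proof of an attack, and an empty result is not proof of safety.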
As amazing as it sounds, there are some employees who say they don’t use antivirus software. “They’ll say it slows down my computer. But I’m wondering if it’s maybe the 30 web browsers that you have running,” Snell said. “Attackers go after employees first, and if you don’t have security software on your device, you’ll get compromised. I see that all the time.”
One trend that Snell has seen is when companies buy security software for their infrastructure they will also purchase a component enabling an employee to use the security software for home use. “It’s a good way to extend the safety net,” said Snell, who estimates that 75% of employees who are offered this extended security would make use of it.
Unreported Stolen Devices
If you suspected your wallet or purse was stolen, how quickly would you react and contact your bank and credit card companies to report the loss? If you would make that call immediately, do the same if your laptop or mobile device goes missing. Assume it was stolen and notify your company’s IT department as soon as possible, security experts say.
“Most people fail to notify their IT department if they think they lost their device. They think they left it at home and will wait until they get home to check,” said Kaspersky’s Pozhogin. “But that will give the attacker more time to use brute force to break into their device and jeopardize the whole IT security for the company.” He added that if your device is stolen, the first step is to notify the IT department.
In Kaspersky’s 2014 IT Security Risks survey, 19% of the respondents said they lost their mobile device that contained corporate data at least once a year. And 38% of employees surveyed said it takes up to two days before they notify employers that their mobile device went missing, and 9% said it takes three to five days before they report the loss.
Many employees have heard the mantra of avoiding weak passwords. But a large number of people worldwide do not follow it. Kaspersky’s “Consumer Security Risks Survey” found that only 58% of the 12,335 consumers it surveyed use password protection on their devices, and 16% don’t use any password protection at all.
RSA’s Sadowski noted users will often create simple passwords — like 1,2,3,4,5 or a,b,c,d,e — and said that there is even a list of weak passwords in circulation. “These are the ones that hackers use first,” Sadowski said. “Two breaches usually occur. Attackers will try the same password that works in one instance on a number of websites that the user may login to professionally and personally.”
In other cases, an attacker may use a hacked email password from a user’s company account on that same user’s personal email accounts, Sadowski said.
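Sadowski’s two points, that attackers try the published weak passwords first and then try a stolen password on every other account the victim holds, translate into two checks a password-change handler can make. As an added example that is not from the article or from RSA or Kaspersky, the Python below refuses passwords that are too short, appear on a common-password list, are keyboard or alphabet runs like 12345 and abcde, or repeat one character, and it also refuses a password that verifies against any of the user’s other accounts the organization manages. The short in-line common-password list and the sample credentials are constructed for the demonstration; a real deployment would load a full breach-derived list.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a published "most common passwords" list (assumption:
# a real deployment loads a full breach-derived list from disk).
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "abc123", "letmein", "111111"}

MIN_LENGTH = 12
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def _has_sequential_run(pw, run=5):
    """True if pw contains `run` adjacent characters that each step by +1 or -1
    in code-point order, which catches 12345, abcde and edcba alike."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_repeated_char(pw, run=4):
    """True if the same character appears `run` times in a row (e.g. 1111)."""
    return any(pw[i:i + run] == pw[i] * run for i in range(len(pw) - run + 1))


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest so the salt travels with the hash."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(pw, stored):
    """Constant-time comparison of pw against a value produced by hash_password()."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def evaluate_password(candidate, other_account_hashes=()):
    """Return the list of policy violations for a proposed password; [] means accepted.

    other_account_hashes: iterable of (label, stored_hash) for the user's other
    accounts the organization manages, so a password reused across them is refused
    and a breach of one account does not hand the attacker the rest.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if _has_sequential_run(candidate):
        problems.append("sequential")
    if _has_repeated_char(candidate):
        problems.append("repeated")
    for label, stored in other_account_hashes:
        if verify_password(candidate, stored):
            problems.append(f"reused:{label}")
    return problems


if __name__ == "__main__":
    # Constructed existing credential for the same user's VPN account.
    vpn_hash = hash_password("correct horse battery staple")
    for pw in ("12345", "abcde", "aaaa1234bbbb",
               "correct horse battery staple", "Tr0ub4dor&3-not-again!"):
        print(repr(pw), "->", evaluate_password(pw, [("vpn", vpn_hash)]) or "accepted")
```

The reuse check only works at the moment the user types the new password, because that is the only time the plaintext is available to compare against the stored salted hashes; the hashes themselves cannot be compared to each other, which is exactly the property that makes them safe to store.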