Poorly instructed employees are dangerous for the company. This is true for any industry and any position, and it is especially true in the sphere of information security: one click on an attachment, or one infected USB flash drive brought from home, and that is all it takes. Ransomware has now entered the company's network, all files are locked, work is paralyzed, the IT department is hunting for up-to-date backups to restore disks, and management is calculating the losses from downtime.
At the same time, in line with the Dunning-Kruger effect, security-illiterate employees remain fully confident that they are doing everything right, or at least nothing terrible. It is precisely this confidence that often leads to disastrous consequences.
In fact, almost any security system is useless if employees do not understand the basics of information security. Such employees become the main vulnerability in your company's computer systems.
Well aware of this state of affairs, cybercriminals increasingly use their victims' employees as the main entry point for launching attacks. Taking advantage of a person's illiteracy is much easier than finding a vulnerability in the corporate network.
Below I am going to talk about several types of attacks to which employees are exposed.
Using your own gadgets and laptops for work (Bring Your Own Device, BYOD) is a fashion trend that is especially popular among startups. Such an arrangement looks like a perfect win-win. The company does not have to spend money on acquiring and maintaining workplaces, and the employee works on a laptop that he personally chose and set up. If he wants to work from home, he does not have to copy work files, and access to corporate systems is already configured. The cost of buying the device is offset by the possibility of sleeping longer or even staying at home and working remotely.
From the point of view of information security, using one device for both work and home tasks is a source of serious risks, especially if the employee is not too diligent in learning the basics of information security.
Sometimes, after a long busy day, you want to have some rest. Downloading movies and music, or searching for games or pirated programs, can bring something malicious onto your computer. The next time that computer connects to the corporate network, all company data is put at serious risk.
If you drop into a cafe and connect to the corporate network over public Wi-Fi to finish a report over a cup of coffee, corporate account credentials can be intercepted and used to steal confidential information. And the laptop or tablet itself can be stolen on the way from home to the office.
Many faces of phishing
The traditional way of organizing work around office desktop computers partially removes the risks associated with BYOD, but even then an insufficient level of information security skills can be fatal for the organization. All employees use email, which means they are potential victims of phishing: fraudulent emails disguised as messages from delivery services, contractors, technical support or management.
Using phishing, cybercriminals can get the victim to launch malicious software attached to the email, enter their network credentials, or even make payments to the fraudsters' account details instead of the real counterparty's.
Targeted phishing (spear phishing) is the most dangerous. Cybercriminals first collect information about the organization, its structure, employees and workflows, and then prepare emails that contain real names and positions and are formatted according to the conventions adopted by the organization. Recognizing such emails is very difficult, so the effectiveness of these rogue mailings is much higher.
What to do with it?
Despite the abundance of software and hardware protection tools available on the market, it is worthwhile to devote part of the budget to countering attacks that target employees. Here are the most important recommendations:
- Educate. All employees should understand that ignorance of the principles of information security is not an excuse, and should therefore take an interest in raising their own awareness. On the company's side, the cost of organizing and conducting training seminars on information security should be treated as an investment in reducing risks and preventing damage.
- Train. Theoretical knowledge is quickly pushed out of memory by more pressing information. Practicing the skills helps to reinforce what was learned.
- Implement a "See something, say something" policy. When confronted with a cyber threat, an employee may keep silent, fearing dismissal, or try to deal with it on his own. Meanwhile, timely notification of the incident prevents malware from spreading throughout the corporate network. It is important to frame the rules so that the employee who reports an attack is rewarded.
Any computer system is vulnerable, and the weakest link in it, as a rule, is the human. The task of every business executive is to minimize the information security risks associated with attacks on employees. Training and a well-organized process for dealing with cyber security incidents will always help. Ideally, a good knowledge of the basics of cybersecurity should be part of the corporate philosophy.