With every passing day, we are seeing more and more security breaches announced globally. Whether it’s the massive Capital One data breach or the latest CafePress data breach, organizations of all sizes are being targeted and breached by malicious actors. While these breaches grab headlines, reporters are constantly highlighting the hackers, information or the failure of technology.
These stories may be exciting for your casual reader, we should be asking ourselves what is the real reason these breaches are happening. Unfortunately, companies prefer not to admit to it but the reality is that breaches, no matter the size, tend to be caused by a mistake from someone inside the company.
According to an industry report by Shred-it, 47% of business leaders cited human error as the main cause of a data breach at their organization. These simple but harmful mistakes are hurting organizations financially and ruining customer’s trust in their service or product. One of the main reasons for these mistakes is that far too many employees are not fully aware of the security policies implemented at their company. By not following these security policies, employees are lowering their guard and presenting an easier target for hackers.
The adoption of remote workers for organizations is increasing by the day. More and more companies are hiring remote workers and allowing employees to work on the go, which presents an increase of potential security risks. For example, when remote workers are using an unsecured public Wi-Fi network, it provides an easy path for hackers to gain access to your organization’s critical resources and network.
When allowing employees to work remotely, organizations must clearly outline those remote employees’ responsibilities regarding IT security best practices and the importance of data protection. To provide another layer of defense, organizations must implement remote worker specific security policies which include device monitoring, multi-factor authentication and forcing employees to specific locations with secure Wi-Fi networks.
While remote workers might be easier targets for hackers, all types of employees must be aware of all the different kinds of attacks that will exploit human behavior to open the door for hackers.
Phishing is the most common and easiest way to attack company employees due to its low costs and its organic nature. Hackers target your employees by sending official-looking emails requesting that they send them critical information from their work device. Despite it being one of the oldest and original methods of hacking, most phishing emails can fool the common employee.
The most famous phishing attack was Phish Phry, where hundreds of bank and credit card customers received an official-looking email directing them towards fake financial websites. People entered their account numbers and passwords into fraudulent forms, giving the attackers easy access to their private data.
Pro Tip: Remind your employees to always make sure the email address, email tone, requests fit the sender’s tendencies and if suspicious to report it to the security team. Another confirmation of a phishing email can help prevent a future phishing attack.
This kind of attack is when hackers lure your employees into the trap by gathering personal data on them or your organization from the internet or social media. Hackers will use psychological manipulation to trick users into making security mistakes or giving away sensitive information. Hackers will investigate on how to gather the necessary background information and then gain the employee’s trust, which will result in the person breaking security practices, such as revealing sensitive information or granting access to critical resources.
The most famous social engineering attack was 2013’s Yahoo data breach. Leaked data included names, email addresses, phone numbers, security questions (encrypted or unencrypted), dates of birth, and passwords. Furthermore, the breach was used to falsify login data, allowing hackers to grant access to any account without the use of a password.
Pro tip: Check the source. Make sure your employees check the URL links to see if they are real, and the person sending you the email is actually someone you know or work with. Usually, a spelling error is a dead giveaway that they are being attacked.
This kind of attack is a type of malicious software which is designed to deny access to critical files unless a ransom is paid. Companies that don’t give in to ransomware attacks tend to result in the publishing of their critical data on the dark web or in the headlines. Even if organizations pay the ransom it’s not guaranteed that they will regain access.
The most famous ransomware attack was Wannacry. It struck a number of important and high-profile systems globally. This attack exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency
Pro Tip: To fight off ransomware attacks, your employees should regularly update their devices’ software and block fake email messages using email authentication.
Fighting off potential attacks such as described above starts with continuous and ongoing security training with your employees. The better trained your employees and organization are with IT security best practices, the lesser chance of a successful attack sneaking into your networks and resources.
One of the key steps for better employee security hygiene is knowing the best practices and how to implement them in your daily workday. It is important to train employees on security policies and to explain the rationale behind those policies.
Employees don’t care about creating a strong password or watching for phishing emails if they don’t understand the risks behind them. You don’t need to teach employees about every technical detail in security protocols, but they should know which risks can impact their jobs. Organizations should frequently run training sessions to keep their employees up to date with security best practices. Solutions like DNS Filtering and Automatic Wi-fi Security can also improve your security level without asking more from your employees.
If you provide all your employees access to every resource in your organization, they are potentially creating more levels of risks. To keep it simple, only give access to employees that need those resources to do their job. By limiting access, you will be safeguarded from potential leaking of your organization’s sensitive information (personal information, financial information) of the organization that shouldn’t be seen by your entire staff. You can follow this recommendation by applying Zero Trust Security principles and implementing a SASE platform
It’s 2019 and MFA is everywhere. Despite its importance, MFA frustrates many employees, even though it is one of the most effective practices today. By forcing a second factor for identity verification, risks are eliminated by ensuring that stolen credentials alone won’t be enough to ensure access. When you implement MFA capabilities with strong passwords, SSH keys, and strong internet hygiene, you can further reduce the chances of a breach.
One of the most effective ways to make sure your employees aren’t creating security risks is by implementing user-friendly security solutions throughout the entire organization. By implementing employee-friendly security solutions, another layer of defense against hackers will be added. To make the user experience more useful and enjoyable for your employees, these solutions should be easy to implement, straightforward, not too technical and optimized for their work environment. The better the user experience, the more secure your employees are.
The common misconception is that malicious actors are gaining access to devices and networks by exploiting systems and vulnerabilities. In reality, they are actually targeting your employees with simple and effective attacks.
Moving forward, your organization should implement a combination of engaging employee training and the adoption of security solutions. By implementing periodic employee security training and security solutions, your organization and its employees will be moving in the right direction to fight off attacks from hackers.
We hope you found this post helpful! If you’d like to learn more about the many advantages a Zero Trust Network as a Service solution, check out our blog 5 Non-Disruptive Tips to Get Started with Zero Trust Network Security.