The employee effect: Keeping your business secure

userawareness

Keeping your business safe and secure, through the use of best practices, hardware appliances, various accreditations and Cyber Essentials is all well and good, and I hope more companies continue to do this, but it only takes the actions of a single employee to undo all that hard work that has been put in place.

According to the Ponemon Institute’s 2017 Cost of Data Breach Study, it was found that after surveying over 400 businesses, over a quarter of all attacks are the results of negligent employees or contractor behaviour within the business.

Media outlets are focussed on the more fancy and interesting attacks, such as the recent WannaCry outbreak.  However, the majority of times a data breach or cyber related incident is not down to an attack like this, but down to the end-user the employee.  These types of attacks tend to go unnoticed, and unreported.

Through the use of targeted attacks and social engineering, companies are being tricked into exposing vulnerabilities into their business, which would not otherwise be present.  Employees (or indeed yourself at home) who open email attachments who are not what they seem can open the door to untold issues.

This blog post has been written to help spread the word about securing the business from a human perspective and help avoid any potential breaches.

Mitigating risk

There is good news however, the majority of attacks which target the human aspect can be resolved through education and security awareness training.  If your business doesn’t have a security awareness training program in place, now is the time to look into implementing one and having the right support in place.

Above all, ensure that you regularly educate your users, ensure that policies are in place to help them and the business and ensure that your network and operational administrators have the backing of the business.

Weak passwords

All too often we see people using weak passwords, the passwords will be less than 7 characters, and are dictionary based. If the employee is not technical you can be certain that the password will be used for multiple sites and systems.

The business needs to ensure that they implement a password policy and uphold it, having passwords that are complex and over 8 characters in length, contains upper and lower case characters with special characters will greatly help to ensure that systems are not compromised.

In order to help with the additional burden in remembering passwords, the business should utilise password managers, such as:

With the hardware that is generally available to hackers now, cracking a weak password can now take a matter of minutes, once this password has been obtained it could open the keys to many systems, causing untold reputational damage.

Social Engineering / Phishing

This is something people will see on a daily basis, you will receive an email from a company such as UPS, ebay, Amazon etc which says that you owe money or there has been an issue with your delivery, please click on this link.  DON’T!.

Cyber criminals are becoming experts in duplicating emails that look very realistic in their appearance, however the links will be going to a server of theirs and not to UPS or Amazon.  Once you click on that link, it can either ask you to deposit money, or worse still execute a payload that will open a backdoor into your business.

According to recent reports, it’s been found that nearly two thirds of malware is installed via malicious email attachments.

To make sure this doesn’t happen to you, make sure that you check the links in the emails (hover the mouse of the link and check the actual link).

Check for spelling and grammar mistakes, the majority of malicious email will have some mistakes in there.

If a bank sends you an email or rings you, never give your password or pin umber to them, ring the bank and start the process again.

Malicious files

The majority of businesses allow users to surf the internet and download any files they like without any thought, however, like email it only takes for one employee to visit the wrong website and download the wrong file.

Make sure that you have some web filtering enabled either at the border of the company or on the host, through the use of Anti-virus and other technology.

Network access

Make sure that the business is utilising least privilege access, all too often employees are granted too much access, whether this is to access any server or system they like, or are allowed access to all the information that the business has.  Should a developer really have access to potential HR or finance information?  Check your permissions.

If someone changes their job role you should also re-evaluate their permissions within the network and business.  If they don’t need access to something, remove it.  If you have policies in place for this from day one, there should be no issues.

BYOD / removal devices

One of the pain points in any business if that employees bring in their own equipment and simply plug it into any business machine.  This goes for people connecting their mobile devices to the company wireless.  How many people actually use the company guest wireless to connect their mobile device?

There should be policies in place to state what a employee can and can’t do with regards to BYOD and removal devices.  Are all USB devices scanned upon insertion of a business machine?  What about the removal of business information?

Summary

I hope that this post will help, although only scratching the surface on how to keep you business safe from a human point, it should make you start to think about what you are and are not doing within your business.

Ensure that you have policies in place to police passwords and removal devices, if you don’t have these policies, create some.  Make sure that you start educating your employees on a regular basis, this goes for everyone, talk about social engineering, bring your own device and more.

Ensure that you actively encourage your employees to take an active role in this and help enforce the security of the business, it shouldn’t feel like it’s been forced upon them.

Lastly, look at undertaking a regular vulnerability or penetration test from a company such as TeraByte, this will help you see how good (or bad) your information security is.