By Alex Viall, Director, Mustard IT
As businesses become more aware of the threat of cyber-attacks, technical defences are becoming stronger. It’s far more difficult to hack into corporate networks than it used to be. Because of this, hackers are creating new methods of accessing secure data. These efforts are being directed at the new weakest link in corporate cyber security: employees.
Hackers are using social engineering methods and phishing attempts to convince employees to click on impersonated links, open malware-loaded attachments, or even give away confidential data. If a networked computer is accessed, data mining or ransomware attacks can occur very quickly.
This is not a small-scale issue. As recently as August 2017, over 700 million email accounts were manipulated to send malicious emails loaded with malware (that were designed to scrape computers for sensitive data). In many cases they were able to mimic official corporate email addresses, and appeared to be sent from legitimate servers.
In addition to this primary risk, some sophisticated hacking teams are planting employees within large corporations in order to gain access to data first hand. In other instances, disgruntled employees are acting individually to enact malicious damage to company networks, data or reputation.
What can be done to reduce this internal cyber-attack risk? It’s a combination of systematic training and awareness campaigns, consistent engineering of employee behaviour and investment from the top of the company down. Here is a list of actions you can implement in your business to help reduce employee related cyber-attacks.
Employee risk awareness and training
Assess the culture of your business. Is there a high awareness of cyber-security issues? How is training currently conducted? Is it effective? Understanding how your employees think about security will help you to position the rollout of the following action steps. Training programs can be tailored to your environment, and could range from conference style sessions to gamification methods (or a combination thereof).
Training must be relevant and cover the most common ways employees are exposed to cyber-attack risks. Importantly, this training cannot be a one-off initiative. As hackers create new methods of attack, employees must be kept up to date and be reminded of their crucial role in protecting the company from incursions. Make information readily available for staff to access at any time after training is conducted.
Control for risk
A thorough risk assessment will be required in order to identify potential weaknesses and entry points for malicious software. Implement controls at every point a hacker could have contact with your systems. For example, a hacker may impersonate a corporate email, gain access to a genuine employee account, execute transactions, create further phishing emails, and install malware. Update these controls and test them frequently.
Strategic use of analytics
Periodic analyses of network use should be run to identify unusual interactions with the system. The following activities may be red flags for deliberate malicious activity or for hijacked accounts:
- An employee is accessing company networks out of hours,
- A poorly performing employee is spending time accessing secure or sensitive information without apparent cause,
- Unusually large files being downloaded, or
- Any other out-of-character actions being recorded.
Identifying these digital trails early can alert employers to attacks that had otherwise gone unnoticed. It may also provide a chance to sharpen employee focus on appropriate use of employer networks.
Accountability and modelling behaviour
Taking a top-down approach to cyber-security is critical to ensuring employee engagement with the issue. If management is seen to value proactive security, it’s more likely to filter down to departments and staff. This could manifest as allowing a larger budget for training and processes, or regular company-wide communications. In addition, a single manager should be ultimately responsible for cyber-security at the company. The chain of accountability should be clear. Depending on the size of the company, this could be a full-time role or an additional responsibility for a manager. In either case, cyber-security should be an absolute priority role.
Engineer employee behaviour
Even the best training programs and behaviour modelling cannot protect against natural human error, or the apathy that can surround particular security issues like password changes. In the case of passwords, it is best to ask system administrators to force password updates every 3-6 months. Employees can be guilty of using a generic password across personal and work accounts. This means a breach of personal cyber-security can lead to a corporate level cyber-attack.
Use other behaviour change strategies to encourage employees to engage in more considered and secure behaviour.
- Connect education and training with a charitable goal (‘for every engagement with this training video, the company will donate a pound to X charity’).
- Implement brief, timed delays before sending emails or downloading links.
- Publically acknowledge proactive efforts to identify threats or report issues.
Implement physical controls
Data security can also be weakened by employee’s physical behaviour and choices. Consider implementing some or all of the policies below:
- Do not use private USBs on company devices (or company USBs on private devices) as malware is commonly transmitted through this technology,
- Do not remove physical company documents from the office,
- Do not connect company devices to unsecured Wi-Fi networks,
- Do not connect personal devices to the company Wi-Fi network (a guest network can be established with no access to company servers).
If you ensure your technical cyber-security protocols are up to date, along with training, behaviour modelling, and smart use of analytics, you will build a comprehensive multi-tiered protection shield against hackers.