If you are not educating your employees on cybersecurity best practices, you are missing the biggest opportunity for improvement in your entire cybersecurity profile. Your employees have business-need access to a lot of important data, and their ability to protect that data — or to inadvertently let it walk out the door of your organization — is strong.
Lack of education has been at the heart of several incidents of a major security breach. Consider the scenario about the new HR employee who got an email from the president of the organization asking for all the W2 information on every employee, so that person sent them exactly as instructed. The employee did not recognize the fact that the email came from a hacker impersonating the CEO, and a major security breach took place.
Entire business models are based on this kind of fraud. Let’s pretend that I am going to build a site with the world’s best collection of cute pet pictures. I’ll give you the first 10 for free (and those 10 are the most adorable pictures you have ever seen), but to see more, you need to set up a username and password. The access is still free, though.
No big deal, right? Wrong. In this scenario, I own this website, I am a criminal, and my business model is to try to use the username and password you just entered at every major banking website, on all major email providers, on your company’s VPN portal, and anywhere else that I think you might have used the same username and password. I will then extract any valuable information I can from those sites, sell the information for a profit, possibly ransom your own data from you to make even more money, and then move on to the next victim.
Need some numbers to illustrate why educating your employees about cybersecurity practices is important?
- The IDG 2018 Global State of Information Security Survey reported that during the past year, the top sources of security incidents were current employees (30%), former employees (27%), and unknown hackers (23%). The main impacts include customer and employee records being compromised, and the loss or damage of internal records.
- According to the Ponemon Institute, 60% of employees use the exact same password for everything they access. Meanwhile, 63% of confirmed data breaches leverage a weak, default or stolen password.
So where can your company start? Start with a training program. Your employees need to be educated on cybersecurity best practices.
Any cybersecurity awareness training program should address implementing real password policies. There’s no easy way to say this, so I’m just going to say it: Passwords stink. They are no fun to create, no fun to remember, and no fun to type in. But passwords are still the most common authentication method today. It is imperative to implement a password policy requiring complex passwords that can’t easily be guessed, and end-user training to go along with it. Microsoft’s Active Directory “require complex passwords” setting is a start, but end-user training is also mandatory.
Many users apply the same passwords for every online system in which a password is needed. This is a problem. If one site gets hacked, cybercriminals will try your credentials at all common websites, and possibly at your firm’s VPN. It is imperative that your cybersecurity awareness training program encourage your team members to use different passwords for different sites, and especially for any system that your company uses.
Most companies have some sort of safety guidelines that their employees must follow or be aware of and cybersecurity should be no different. There are a number of companies that specialize in this type of training and picking the right type of training is critical.
Today’s cybercriminals come at your company from many angles. Their motivations are often more practical than many law-abiding citizens would expect.
Profit. They want money, and you have information they can monetize.
Influence. They can use data to manipulate business or personal situations in their favor.
Power. If your company dominates an industry or owns critical trade secrets, others wish to take that power away from you and use it for their own advantage. Cybercrime is one way to accomplish that goal.
Motives such as these change the way cybercriminals operate. They are organized. They share information among each other. They are often well-funded. And these things make them more dangerous. Some cybercriminals are also your employees. This is a difficult topic. While it’s true that internal employees are responsible for a large number of cybersecurity breaches, it’s also true that most of these are unintentional. They are a result of good people doing something they shouldn’t, either out of ignorance or because a cybercriminal tricked them into doing it (if you saw the movie “Catch Me if You Can” this is Frank Abagnale’s social-engineering behavior). Statistics on the exact percentage of “insider” cyber breaches that are deliberate vs. inadvertent vary widely, but the opinion can be held that the vast majority of insider threats are not malicious. No matter which statistic you believe, everyone agrees that many insider threats would have been prevented if the insider had understood how his or her behavior allowed a breach to occur. It’s easy to see why a good cybersecurity awareness training program is so important to the success of your company.
There is a risk of an employee with malicious intent to breach your sensitive data. Whether it be to share sensitive details to a competitor, profit from your data, or a disgruntled employee looking to carry out revenge against your company. If your company falls victim of a malicious-intentioned employee, finding out what happened is even more difficult because they often have high level system privileges that allow them to erase their tracks.
If your company is one of the unlucky ones where an insider deliberately caused a security breach, then you are automatically in the highest risk category of those susceptible to cybercrime. The keys to mitigate this risk are simple.
- Educate your employees. Establish a strong mandatory and frequent cybersecurity awareness training program for your employees that clearly lays out the policy for cybersecurity and the consequences of violating the policy. Don’t allow employees to take home devices that contain sensitive files due to the risk of the device being stolen or sensitive data being transmitted over insecure networks at their home or other locations. Instruct your employees to never share their passwords.
- Know your people. Perform background checks on your employees to assist in identifying those that may take deliberate actions that would harm your company. Know which people have access to the most sensitive data.
- Guard your most sensitive data. Limit your employees’ ability to obtain access (intentional or unintentional) to sensitive information via a least-privileged approach to your data. Identify your most sensitive and valuable data. Then assign that data the highest safeguarding and most persistent monitoring.
Remove “local administrator privileges” from your users to their company-provided laptops or desktops. A local administrator is someone who can do anything he or she chooses to with a computer, such as install programs, delete files, change sensitive security settings, and so on. Turning on “egress filtering” on your network and limiting the use of USB thumb drives will make it harder for anyone to make copies of it and move them outside of your organization.
Ensure that you have forensics available to you. Tracking down an internal cybercriminal requires logging of network activity, especially for any access to sensitive information. Any logs need to be stored in an area that is limited to the fewest number of employees as possible.
In short, your employees are your most valuable asset, but can also be your greatest liability. They need to be trained on best practices to keep your data safe, and they also need to understand that you have forensic systems in place that will likely catch them if they attempt to access data they should not. A “trust but verify” approach regarding employee access to your critical intellectual property is an important part of your company’s cybersecurity program.
Bryce Austin is the CEO of TCE Strategy, and actively advises companies across a wide variety of industries on effective methods to mitigate cyber threats.