In observance of National Cyber Security Awareness Month, Bitdefender delivers a series of articles on hot topics such as best practices in online safety and protecting your company’s assets and integrity. We also provide a set of prerequisites to consider before seeking a career in cybersecurity. We encourage you to bookmark this blog or connect with Bitdefender on LinkedIn or Twitter to receive follow-on articles (filled with security tips) as they are published.
Insider sabotage and employee errors pose a significant risk for all companies and represent the main threats that companies are unprepared to handle, according to a recent Bitdefender survey of 250 IT security purchase professionals from US-based enterprises with 1,000+ PCs.
Besides the common risks of device loss and theft, employees can unknowingly expose company data to malicious software. Human negligence, one of the most efficient weapons attackers use to reach a company’s most valuable assets, is still widely exploited. Phishing for information through an unwitting employee, whether through carelessness or a lack of awareness, is easier and more effective than hacking through established network defenses.
Bring your own device at work, but not your threats
The shift toward using personal computing devices to conduct business seems like a win-win for both the enterprise and its employees. Employees work from the comfort of their own device while employers enjoy increased productivity and reduced technology costs.
While BYOD or BYOT (bring your own technology) programs offer benefits to both companies and employees, many companies struggle to design programs that effectively protect sensitive data.
Much customer and employee data stored on employee-owned devices is out of reach of company systems and firewalls. Employers lose some control every time an employee stores or transmits work-related information using a personal laptop, tablet or smartphone.
Employees can also expose corporate data by failing to apply software security updates on their devices. These known vulnerabilities can serve as a gateway to the company network.
Apart from policies, employers should consider partitioning work-related content from personal content on personal devices.
Educate, educate, educate
The “hapless” user is an insider, such as an employee, contractor, or other authorized user, who amplifies information security risks by carelessness. This could be inadvertently clicking on a phishing email, using a rogue wireless network, visiting dangerous websites or peer-to-peer sharing services, sharing passwords – all the bad computer hygiene most of us know to avoid, but many don’t.
The easiest way to gain access is via spear-phishing scams targeted at specific employees. Once the malware is downloaded onto the user’s computing device, the company’s assets are in jeopardy.
Other risky practices include connecting computers to the Internet through an insecure wireless network, password sharing and reuse, BYOD through an unsafe device or employees losing a device when travelling. This is why teaching employees to recognize phishing scams and avoid e-threats is vital in maintaining security.
IT departments should educate their companies’ employees on both how their actions can make the firm vulnerable and what they can do personally to support cyber security. Cybersecurity training can reduce the risk of a breach by up to 90%, according to recent surveys.
Most organizations are much more concerned about threats such as malware, APTs and phishing. Most of these relate directly to another type of threat: accidental breaches enabled or caused by hapless users. But because organizations do not think about these threats in this way, most focus on traditional perimeter-based security measures. This means they are looking in the wrong places to detect attacks and avoid breaches caused by hapless users.
Keep sensitive data away
Only authorized personnel need access to critical and sensitive data, and only by adhering to strict security protocols and advanced authentication mechanisms. Besides two-factor authentication, even two-man authentication could be used for critical systems, as in financial institutions where large transactions must be authorized by two or more individuals.
One of the most frequent mistakes employees make is to send sensitive documents to unintended recipients. People also transfer work documents to personal email, place them on consumer-grade file-sharing sites or copy them onto removable media such as USB sticks. And while flash drives seem harmless, if someone connects an infected USB drive to the office network, a worm can upload and replicate itself on the network.
To mitigate human errors, an organization should start deploying security controls to monitor who has access to proprietary data. Other must-have data protection and security measures include: managing and monitoring end-user privileges; conducting background checks on an employee’s online activity before granting privileged access; network segregation for better control and security.
Regular employees aren’t the only ones whose activities should be monitored. Even highly skilled system administrators sometimes make mistakes. Reports show system misconfigurations, poor patch management practices and the use of default names and passwords are among their most common errors.
Here is a short list of FBI recommendations to avoid email scams:
- Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
- Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Consider additional IT and financial security procedures, including the implementation of a two-step verification process.
- Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
- Consider implementing two-factor authentication for corporate e-mail accounts. Two-factor authentication mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to log in: (1) something you know (a password) and (2) something you have (such as a dynamic PIN or code).
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
- Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, a detection system for legitimate e-mail of abc_company.com would flag fraudulent e-mail from abc-company.com.
- Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.
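One way to implement the lookalike-domain rule from the list above, as an added example (Python, written for this article; not FBI or Bitdefender code): it extracts the sender domain from a From: header, normalizes separators and common character swaps, and flags domains that match or sit within a small edit distance of the legitimate `abc_company.com`. The sample headers are constructed.

```python
import re
from email.utils import parseaddr

LEGIT_DOMAIN = "abc_company.com"  # the legitimate domain used in the article's example

# Constructed sample From: headers, not real mail.
SAMPLE_FROM_HEADERS = [
    "Alice Finance <alice@abc_company.com>",   # legitimate
    "CEO <ceo@abc-company.com>",               # hyphen swapped for underscore
    "Vendor <billing@abccompany.com>",         # separator dropped
    "Payroll <hr@abc_cornpany.com>",           # 'rn' imitating 'm'
    "Newsletter <news@example.org>",           # unrelated external domain
    "Support <help@abc_company.co>",           # TLD truncated
]

def _normalize(domain):
    """Coarse canonical form: lowercase, undo common visual swaps, drop separators."""
    d = domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")
    return re.sub(r"[-_.]", "", d)

def _levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Return the lowercase domain part of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def classify_domain(domain, legit=LEGIT_DOMAIN, max_distance=2):
    """'legitimate' for an exact match, 'lookalike' for near matches, else 'external'."""
    if domain == legit.lower():
        return "legitimate"
    if _levenshtein(_normalize(domain), _normalize(legit)) <= max_distance:
        return "lookalike"
    return "external"

def flag_lookalikes(from_headers, legit=LEGIT_DOMAIN):
    """Return (header, domain) pairs whose sender domain imitates the legitimate one."""
    flagged = []
    for header in from_headers:
        domain = sender_domain(header)
        if classify_domain(domain, legit) == "lookalike":
            flagged.append((header, domain))
    return flagged

if __name__ == "__main__":
    for header, domain in flag_lookalikes(SAMPLE_FROM_HEADERS):
        print(f"FLAG lookalike domain {domain!r} in: {header}")
```

The distance threshold is deliberately small; a larger value catches more variants but will start flagging unrelated short domains, so tune it against your own mail volume.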