Employee cybersecurity risks you need to be aware of

Hwei Oh
07/22/2024

Employees are a major attack vector for threat actors targeting organizations. Recent research by Stanford University confirms this, revealing that 88% of all data breaches are caused by human error. These human errors might be as simple as sending an email to an incorrect address or leaving a database publicly viewable; but they can also be more involved, as when employees become victims of targeted phishing campaigns.

Let’s detail how employees might be increasing risk for organizations and what organizations can do to protect themselves.

Working on personal devices

Working on personal devices at the office is more common than ever. Eighty-five percent of all organizations have some form of “Bring Your Own Device” (BYOD) system in place, according to research by Samsung. One reason is that companies believe they’ll save on costs if they don’t have to provide devices for their employees. Unfortunately, the costs of a data breach can be much higher than the perceived savings.

Another contributing factor to using personal devices is the “always on” culture we’ve developed since the emergence of smartphones and the increase in remote workers since the COVID-19 pandemic. Always-on and remote work mean that employees might be using multiple devices for work. This leads to three major problems:

1. Shadow IT

Shadow IT occurs when non-IT personnel start installing software and managing devices instead of the IT department. It prevents IT from having an overview of that device, managing it properly, and being able to identify and close any security holes. Shadow IT results in wild variables that organizations have no control over, and it can easily lead to account compromises and data breaches.

2. Improper security on a personal device

Personal devices lack the security settings and configurations that are possible with work devices. A personal device’s security mostly consists of:

  • A password or PIN.
  • Biometric locking of the device (if the device offers it).
  • In a few devices, encryption in case the device gets stolen.

That’s dismally poor compared to a work device. For one thing, work devices can be connected to a mobile device management (MDM) system, which allows device admins to enforce device security policies. These policies can include:

  • Password-strength policies
  • Password expiry
  • Website whitelists
  • App whitelists
  • Geofencing
  • Remote wipe features
  • Logging device activity for compliance purposes
  • Detecting threats through endpoint detection and response
  • And much more

Even if an employee is vigilant, the sheer lack of support for security on a personal device means they’ll always be far less protected—thus potentially endangering your company data.

3. Exposing sensitive organizational information

The lack of the security features listed above means that personal devices are far more susceptible to man-in-the-middle (MITM) or other interception attacks that could lead to data exfiltration and sensitive information being leaked. Although these attacks are quite sophisticated, they’re far easier to carry out against a personal device that doesn’t enforce data encryption.

Almost any device compromise—malware, phishing websites, or ransomware—will lead to data exposure, and such compromises are far more likely to occur on a personal device than on a work device.

Sharing passwords (using the same password across multiple sites)

Security Magazine reports that 78% of people use the same password across multiple accounts. Another report reveals that 64% of people have re-used a password that’s already been exposed in a data breach.

When cybercriminals obtain credentials in a data breach, they try these username and password combinations across different websites. That’s why cybersecurity professionals strongly urge people never to use the same password on multiple websites.

Recently, Ticketmaster suffered a massive data breach caused by hackers using passwords obtained from other data breaches.

Unfortunately, no one can force employees to use a different password on each of their personal accounts. However, your company can enforce that their business password is unique so that you don’t risk your business data if one of their personal accounts is hacked.

Other, secure, “passwordless” methods of logging in have also been developed to improve overall account security.

It’s not difficult for hackers to find a company email address. These are often publicly disclosed or follow similar patterns, such as:

  • The person’s initial and then their last name.
  • The person’s first name only.
  • The person’s initials only.
  • The person’s position.
  • The department (“sales@”, “support@”).
  • Other common patterns (“info@”, “contact@”, “help@”).

If hackers obtain only a password, they’ll try various email combinations with that password on popular websites such as Dropbox, Slack, and Teams.

Without the right security in place, criminals can obtain access to multiple company accounts and look for data that then enables them to penetrate more deeply into the company.

Implementing multi-factor authentication (MFA) can go a long way toward minimizing the risk of stolen credentials. The massive hack of health tech giant Change Healthcare, which resulted in the “huge theft” of Americans’ healthcare data, occurred because of a lack of MFA. The Ticketmaster hack mentioned above also targeted accounts without MFA in place.
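As an added example that is not part of the original article, here is defender-side detection logic for the credential-stuffing pattern described above: one source trying a leaked password against many guessed mailbox names. The log format, sample lines and thresholds are constructed assumptions.

```python
# Added example (not from the original post): flag the credential-stuffing
# pattern described above. Assumed log format per line:
#   <ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: 203.0.113.7 sprays guessed mailbox names with a
# leaked password; 198.51.100.20 is a real user who mistypes once.
SAMPLE_LOG = """\
2024-07-22T09:00:01Z 203.0.113.7 a.smith FAIL
2024-07-22T09:00:02Z 203.0.113.7 bsmith FAIL
2024-07-22T09:00:03Z 203.0.113.7 sales FAIL
2024-07-22T09:00:04Z 203.0.113.7 info FAIL
2024-07-22T09:00:05Z 203.0.113.7 j.doe SUCCESS
2024-07-22T09:00:06Z 203.0.113.7 support FAIL
2024-07-22T09:05:00Z 198.51.100.20 j.doe FAIL
2024-07-22T09:05:30Z 198.51.100.20 j.doe SUCCESS
"""

def parse_log(text: str) -> List[Tuple[str, str, str, bool]]:
    """Return (timestamp, ip, user, success) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("SUCCESS", "FAIL"):
            events.append((parts[0], parts[1], parts[2], parts[3] == "SUCCESS"))
    return events

def find_stuffing_sources(events, min_users: int = 5,
                          min_fail_ratio: float = 0.6) -> Dict[str, dict]:
    """Flag source IPs that tried many distinct usernames and mostly failed.
    A success from such a source is the urgent finding: a reused password
    most likely matched a real account, so that account needs a reset."""
    per_ip = defaultdict(lambda: {"users": set(), "hits": set(), "fails": 0, "total": 0})
    for _ts, ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        if ok:
            s["hits"].add(user)
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "likely_compromised": sorted(s["hits"])}
    return flagged
```

The legitimate user at 198.51.100.20 is not flagged because only one username was tried from that address, which is what keeps a rule like this from paging on ordinary typos.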

Risky activity on organization devices

Various solutions exist for blocking specific apps and websites on business devices, such as Microsoft Intune and VMware Workspace ONE. However, totally blocking access to personal apps such as social media and email can also restrict users from doing their work. Apps and services are highly interconnected these days, with the boundaries between personal and business use becoming more blurred.

Still, some control must be exerted because of the excessive risk certain sites and services pose to organizations.

For example:

  • Social media websites are a hotbed for phishers and scammers. One in four people who’ve been swindled out of money says the fraud began on social media. Fraud losses were higher through social media than on any other platform. Fraudsters can even use social media advertising to promote their scams.
  • Certain website types, such as gambling, pornography, and the dark web, can put your entire organization at legal risk. These sites are also littered with adware and malware. If law enforcement requires access to a personal device to investigate a crime, your company might be held liable if the employee refuses to provide that access.
  • Installing third-party apps poses a massive risk. Malicious apps that connect to Google Drive, Microsoft 365, or other SaaS used by businesses are on the rise. These apps can serve as vectors for APT attacks or can exfiltrate sensitive data.
  • Using insecure, public wifi also poses an enormous risk for organizations. Threat actors can intercept data on a public wifi network because the traffic isn’t encrypted. Work devices typically have safeguards in place against this type of attack.

There’s no one-policy-fits-all here. Organizations should assess their level of risk and apply their policies, blocking, and monitoring accordingly. High-risk industries such as finance need to err on the side of being overly protective, while eCommerce companies have to allow social media access as part of their marketing.

Spearphishing

“Phishing” occurs when threat actors attempt to trick people into divulging sensitive information (such as login credentials), by sending emails or creating websites that impersonate a legitimate business. Most spam emails are phishing emails and they’re sent out by the millions in an attempt to fool people on a large scale.

Spearphishing works along the same lines, but the emails are highly targeted and often aimed at a specific organization or individual. Since the hackers try to infiltrate both company and personal accounts, this typically involves far more sophisticated social engineering methods, thorough research, and a deep understanding of the target, all in an attempt to extract a high-value payload.

Executives are common targets for spearphishing because compromising them promises greater financial gain. This is where a spearphishing campaign can turn into a BEC (business email compromise) attack, in which criminals impersonate an executive. Through these targeted methods, a hacker can obtain access to an executive’s email account, impersonate that executive, and send emails to employees demanding payment, falsifying invoices, or requesting unauthorized wire transfers.

Spearphishing can also target low-level employees who might be more susceptible and willing to give up access and information. This also occurs when threat actors target a third-party vendor or supplier in hopes of compromising a high-value target. That method is how Uber was hacked in 2022 – threat actors targeted a third-party contractor, stole their credentials, and even had them accept a 2FA prompt that allowed the hackers into Uber’s systems.
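As an added example that is not part of the original article, the following check looks for the BEC pattern described above in inbound mail: an executive’s display name on a non-directory address, a look-alike sender domain, a mismatched Reply-To, and a payment or urgency lure. The corporate domain, executive directory and simplified message fields are assumptions.

```python
# Added example (not from the original post): flag inbound mail showing the
# BEC pattern described above. Domain, directory and message shape are assumed.
import re
from email.utils import parseaddr
from typing import Dict, List

CORP_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed directory
LURE = re.compile(r"\b(wire transfer|urgent|invoice|gift cards?)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(msg: Dict[str, str]) -> List[str]:
    """Return BEC indicators for a message with 'from', 'reply_to' and
    'body' keys (a simplified header set, assumed for this example)."""
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        reasons.append("executive display name from non-directory address")
    if domain != CORP_DOMAIN and edit_distance(domain, CORP_DOMAIN) <= 2:
        reasons.append("look-alike sender domain")
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        reasons.append("reply-to domain differs from sender domain")
    if LURE.search(msg["body"]):
        reasons.append("payment or urgency lure in body")
    return reasons

# Constructed messages: one BEC attempt, one legitimate internal note.
SUSPECT = {"from": "Jane Doe <jane.doe@examp1e.com>",
           "reply_to": "ceo-desk@mail-relay.test",
           "body": "Need an urgent wire transfer before 5pm, keep this quiet."}
LEGIT = {"from": "Jane Doe <jane.doe@example.com>", "reply_to": "",
         "body": "Reminder: all-hands is at 10am tomorrow."}
```

In practice such indicators feed a score or a quarantine rule alongside SPF, DKIM and DMARC results rather than acting as a verdict on their own.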

How organizations can protect themselves

Companies require a comprehensive approach to these risks, encompassing a mix of policies, processes, and training.

Device and other company-wide policies can minimize risky activities on devices. These policies can include account security requirements such as the use of strong, unique passwords and MFA, banning personal devices from accessing digital workspaces, and app and website whitelists on managed devices.

Employee training is a must. Employees have to recognize what threats they’re exposed to, which helps them understand what activities are risky. Training also makes it easier for employees to spot targeted attacks, which is the first line of defense against spearphishing. This training should be ongoing and updated regularly to ensure employees have the most current knowledge to identify, prevent, and swiftly respond in case of an attack.

Lastly, it’s important to instill a culture of security throughout the entire organization. By having department heads support and help communicate the importance of security, your company will have a workforce that is aware and incentivized to minimize their risky activity rather than see cybersecurity as a department that just places limits on employees.

SolCyber has extensive experience in implementing security measures and in advising companies on how best to tackle the issue of employee cybersecurity risks. We’d love to help you minimize those risks.

To learn more about how SolCyber can help you implement a strong culture of security in your company, feel free to reach out to us.
