Employees are a major attack vector for threat actors targeting organizations. Recent research by Stanford University confirms this, revealing that 88% of all data breaches are caused by human error. These errors can be as simple as sending an email to the wrong address or leaving a database publicly accessible, but they can also be more involved, as when employees fall victim to targeted phishing campaigns.
Let’s detail how employees might be increasing risk for organizations and what organizations can do to protect themselves.
Working on personal devices at the office is more common than ever. Eighty-five percent of all organizations have some form of “Bring Your Own Device” (BYOD) system in place, according to research by Samsung. One reason is that companies expect to save money if they don’t have to supply devices to their employees. Unfortunately, the cost of a data breach can be far higher than the perceived savings.
Another contributing factor to using personal devices is the “always on” culture we’ve developed since the emergence of smartphones and the increase in remote workers since the COVID-19 pandemic. Always-on and remote work mean that employees might be using multiple devices for work. This leads to three major problems:
Shadow IT occurs when non-IT personnel install software, adopt services, and manage devices without the knowledge or approval of the IT department. It prevents IT from having an overview of the device, managing it properly, and identifying and closing security holes. Shadow IT introduces unmanaged variables that the organization has no control over, and it can easily lead to account compromises and data breaches.
Personal devices lack the security settings and configurations that are possible with work devices. A personal device’s security mostly consists of:
That’s dismally poor compared to a work device. For one thing, work devices can be enrolled in a mobile device management (MDM) system, which allows administrators to enforce security policies on the device. These policies can include:
Even if an employee is vigilant, the sheer lack of support for security on a personal device means they’ll always be far less protected—thus potentially endangering your company data.
The lack of the security features listed above means that personal devices are far more susceptible to man-in-the-middle (MITM) and other interception attacks that can lead to data exfiltration and leaked sensitive information. Although these attacks are fairly sophisticated, they’re far easier to carry out against a personal device that doesn’t enforce encryption in transit (for example a mandatory VPN) or at rest.
Almost any device compromise, whether through malware, a phishing website, or ransomware, can expose data, and such compromises are far more likely on a personal device than on a managed work device.
Security Magazine reports that 78% of people use the same password across multiple accounts. Another report reveals that 64% of people have re-used a password that’s already been exposed in a data breach.
When cybercriminals obtain credentials in a data breach, they try those username and password combinations across other websites, a technique known as credential stuffing. That’s why cybersecurity professionals strongly urge people never to use the same password on multiple websites.
Recently, Ticketmaster suffered a massive data breach caused by hackers using passwords obtained from other data breaches.
Unfortunately, no one can force employees to use a different password on each of their personal accounts. However, your company can require that their business password be unique and not already exposed in a known breach, so that you don’t put your business data at risk if one of their personal accounts is hacked.
Secure “passwordless” login methods, such as passkeys built on FIDO2, have also been developed to improve overall account security.
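The two passages above describe credential stuffing and the policy of refusing business passwords that are already exposed in a breach. The following is an added example (not code from the original post or from SolCyber) of how an organization can enforce that policy at password-change time without ever sending the password itself to a breach-lookup service. It uses the k-anonymity range-lookup scheme popularized by the Have I Been Pwned “Pwned Passwords” API: the client sends only the first five hex characters of the SHA-1 hash and receives every matching hash suffix with its breach count. The breach corpus, the username `jdoe`, the company word `acme`, and the 12-character minimum are all constructed for this example; a real deployment would replace the local lookup with the actual breach feed.

```python
import hashlib

# Constructed breach corpus for this example (plaintext password -> number of
# times seen in breaches). These values are made up; a real deployment would
# query a breach feed such as the Have I Been Pwned "Pwned Passwords" range
# API, whose response format the local lookup below imitates.
SAMPLE_BREACH_CORPUS = {
    "password": 9_659_365,
    "Summer2024!": 1_204,
    "letmein": 500_000,
    "Welcome1": 93_000,
}


def sha1_upper(password: str) -> str:
    # SHA-1 is used here only because the range-lookup protocol is keyed on it;
    # it is not a suitable algorithm for storing passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def make_local_range_lookup(corpus):
    """Build a stand-in for a k-anonymity range endpoint: given the first five
    hex characters of a SHA-1 hash, return every matching entry as
    "SUFFIX:COUNT" lines, where SUFFIX is the remaining 35 characters."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")

    def lookup(prefix: str) -> str:
        return "\r\n".join(index.get(prefix.upper(), []))

    return lookup


def breach_count(password: str, range_lookup) -> int:
    """Return how often the password appears in the breach corpus.
    Only the 5-character hash prefix is sent to the lookup service, so the
    service never learns the full hash, let alone the password."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, sep, count = line.partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def check_business_password(password, username, org_words, range_lookup, min_len=12):
    """Return the list of policy violations for a proposed business password
    (an empty list means it is accepted). Checks: minimum length, context-
    specific words such as the username or company name (as recommended by
    NIST SP 800-63B), and presence in known breaches."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    lowered = password.lower()
    for word in [username, *org_words]:
        if word and word.lower() in lowered:
            problems.append(f"contains context word {word!r}")
    hits = breach_count(password, range_lookup)
    if hits:
        problems.append(f"appears in known breaches ({hits} times)")
    return problems


if __name__ == "__main__":
    # "jdoe" and "acme" are hypothetical values for this example.
    lookup = make_local_range_lookup(SAMPLE_BREACH_CORPUS)
    for pw in ["password", "AcmeWelcome2024!!", "horse-staple-battery-correct-42"]:
        print(pw, "->", check_business_password(pw, "jdoe", ["acme"], lookup) or "OK")
```

The prefix split is the important design point: the lookup service sees a five-character prefix shared by many hashes, so it cannot tell which password was checked, while the client still gets a definitive answer by comparing suffixes locally. Rejecting breached and context-specific passwords directly addresses the reuse problem described above, since a password that already appears in a breach dump is exactly the kind of credential that will be tried in a credential-stuffing attack.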
It’s not difficult for hackers to find a company email address. These are often publicly disclosed or follow similar patterns, such as:
If hackers obtain only a password, they’ll try it with various likely email addresses on popular services such as Dropbox, Slack, and Microsoft Teams.
Without the right security in place, criminals can obtain access to multiple company accounts and look for data that then enables them to penetrate more deeply into the company.
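The pattern described above, one source trying a known or guessed password against many predictable company addresses, leaves a recognizable trace in authentication logs: many failures spread across distinct accounts from the same source, sometimes followed by a success. The following is an added example (not code from the original post or from SolCyber) of a simple detector for that pattern, run over constructed log lines in an assumed one-record-per-line format. The window size and account threshold are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real traffic). The
# one-line-per-attempt format is assumed for illustration; adapt LINE_RE to
# whatever your identity provider actually emits.
SAMPLE_AUTH_LOG = """\
2024-06-01T09:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2024-06-01T09:00:03Z src=203.0.113.7 user=bob@example.com result=FAIL
2024-06-01T09:00:05Z src=203.0.113.7 user=carol@example.com result=FAIL
2024-06-01T09:00:07Z src=203.0.113.7 user=dave@example.com result=FAIL
2024-06-01T09:00:09Z src=203.0.113.7 user=erin@example.com result=FAIL
2024-06-01T09:00:11Z src=203.0.113.7 user=frank@example.com result=SUCCESS
2024-06-01T09:05:00Z src=198.51.100.4 user=alice@example.com result=FAIL
2024-06-01T09:05:30Z src=198.51.100.4 user=alice@example.com result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn log text into (timestamp, source, user, result) tuples.
    Malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_password_spraying(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag any source that fails logins against at least `min_distinct_users`
    distinct accounts inside a sliding `window`, and flag every later success
    from that source, since a success after a spray is a likely compromise.
    A single account failing repeatedly from one source is *not* flagged here;
    that is ordinary brute force or a user mistyping, handled by lockout."""
    findings = []
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    for src, evs in by_src.items():
        recent_failures = []  # (timestamp, user) within the window
        spraying_since = None
        for ts, _, user, result in evs:
            if result == "FAIL":
                recent_failures.append((ts, user))
                recent_failures = [(t, u) for t, u in recent_failures if ts - t <= window]
                distinct = {u for _, u in recent_failures}
                if len(distinct) >= min_distinct_users and spraying_since is None:
                    spraying_since = recent_failures[0][0]
                    findings.append({
                        "type": "password_spraying",
                        "src": src,
                        "since": spraying_since.isoformat(),
                        "accounts": len(distinct),
                    })
            elif result == "SUCCESS" and spraying_since is not None:
                findings.append({
                    "type": "success_after_spray",
                    "src": src,
                    "user": user,
                    "at": ts.isoformat(),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spraying(parse_log(SAMPLE_AUTH_LOG)):
        print(finding)
```

In the sample, 203.0.113.7 fails against five different accounts in ten seconds and then succeeds against a sixth; the detector reports the spray and the follow-on success, which is the login an incident responder should treat as a probable account takeover. The second source only fails once against a single account before succeeding, which is normal user behaviour and is not reported.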
Implementing multi-factor authentication (MFA) can go a long way toward minimizing the risk of stolen credentials. The massive hack of health tech giant Change Healthcare, which resulted in the “huge theft” of Americans’ healthcare data, was possible because the compromised account had no MFA. The Ticketmaster hack mentioned above also targeted accounts without MFA in place.
Various solutions exist for blocking specific apps and websites on business devices, such as Microsoft Intune and VMware Workspace ONE. However, completely blocking access to personal apps such as social media and personal email can also prevent users from doing their work. Apps and services are highly interconnected these days, and the boundary between personal and business use is increasingly blurred.
Still, some control must be exerted because of the excessive risk certain sites and services pose to organizations.
For example:
There’s no one-policy-fits-all here. Organizations should assess their level of risk and set their policies, blocking, and monitoring accordingly. High-risk industries such as finance should err on the side of being overly protective, while eCommerce companies may need to allow social media access as part of their marketing.
“Phishing” occurs when threat actors attempt to trick people into divulging sensitive information (such as login credentials) by sending emails or creating websites that impersonate a legitimate business. A large share of spam is phishing, sent out by the millions in an attempt to fool people at scale.
Spearphishing works the same way, but the emails are highly targeted, aimed at a specific organization or individual. Because the attacker is after a high-value payload and may go after both company and personal accounts, spearphishing typically involves far more sophisticated social engineering, thorough research, and a deep understanding of the target.
Executives are common spearphishing targets because compromising them offers greater financial gain. This is where a spearphishing campaign can turn into a business email compromise (BEC) attack, in which criminals impersonate an executive. Having gained access to an executive’s email account, a hacker can send emails in that executive’s name instructing employees to make payments, approve falsified invoices, or authorize fraudulent wire transfers.
Spearphishing can also target junior employees who might be more susceptible and more willing to give up access and information. Threat actors also go after third-party vendors or suppliers in hopes of reaching a higher-value target. That is how Uber was hacked in 2022: threat actors obtained a third-party contractor’s credentials, bombarded the contractor with MFA push prompts while posing as IT support, and eventually got them to accept one, which let the hackers into Uber’s systems.
Companies require a comprehensive approach to these risks, encompassing a mix of policies, processes, and training.
Device and other company-wide policies can minimize risky activities on devices. These policies can include account security requirements such as strong, unique passwords and MFA, blocking unmanaged personal devices from accessing company workspaces, and application allowlisting on managed devices.
Employee training is a must. Employees have to recognize what threats they’re exposed to, which helps them understand what activities are risky. Training also makes it easier for employees to spot targeted attacks, which is the first line of defense against spearphishing. This training should be ongoing and updated regularly to ensure employees have the most current knowledge to identify, prevent, and swiftly respond in case of an attack.
Lastly, it’s important to instill a culture of security throughout the entire organization. By having department heads support and help communicate the importance of security, your company will have a workforce that is aware and incentivized to minimize their risky activity rather than see cybersecurity as a department that just places limits on employees.
SolCyber has extensive experience in implementing security measures and in advising companies on how best to tackle the issue of employee cybersecurity risks. We’d love to help you minimize those risks.
To learn more about how SolCyber can help you implement a strong culture of security in your company, feel free to reach out to us.