Minimizing the Threats From Within: How All Employees Contribute to Security
Tuesday September 25, 2018
Security experts can only do so much. Imagine the sophisticated systems at global banks, research facilities, and Las Vegas casinos (“Ocean’s Eleven,” anyone?) — an excess of cameras, guards, motion detectors, weight sensors, lasers, and failsafes.
But what happens if someone leaves the vault door open?
Similarly, server and network security measures can only go so far. Attackers don’t need to engineer a complex and highly technical method to infiltrate your business’s infrastructure: They just need to entice a somewhat gullible or distracted employee into clicking on a link or opening an attachment.
Whether an employee is acting intentionally or is unaware and careless, 60% of all attacks come from within. A vulnerability can be exposed by an accountant, a systems administrator, or a C-level executive, and the results can cost a company millions in downtime, lost sales, and damaged brand reputation.
IT teams can take all the modern precautions to shore up any potential vulnerabilities by following industry best practices with onsite hardware, applications, and websites. Employing a trusted hosting provider like GigeNET adds even stronger protections in the form of high-touch, individualized managed services and state-of-the-art DDoS protection.
But that may not be enough to protect your organization from well-meaning employees who fall for intricate phishing schemes or ransomware attacks. So, in the spirit of Cyber Security Month at GigeNET, here are a handful of ways businesses can turn their weak links into a strong line of defense.
Enforce Strong Passwords
This one seems like it’d be an obvious one — and relatively easy to control. But even in 2016, nearly two-thirds of data breaches involved exploiting weak, stolen, or default passwords. As the first line of defense against attacks, ensuring your employees follow stringent authentication practices is key to protecting your company’s sensitive data.
Educate employees on what constitutes a strong password and enforce the standards you implement. Passwords should be unique and lengthy combinations of upper- and lower-case letters, numbers, and symbols, and you can ban users from using easily guessed information like their first or last name, the company’s name, or even careless passwords such as ‘password’ or ‘1234.’
Once stronger password rules are in effect, require employees to update and change critical passwords periodically. You can encourage users to employ a password manager program to help them keep track of their credentials.
Password management gets a little more complicated when there are different levels of employees who require various levels of access to certain applications and software. Regularly evaluate user permissions and make sure access is granted only to those who truly need it. Of course, proactively manage login permissions and shared passwords when employees leave the company — even if the parting is on good terms.
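The rules above (length, mixed character classes, no personal or company names, no careless choices like ‘password’ or ‘1234’) can be enforced at the point where a password is set. The following checker is an added example, not GigeNET’s own code; the minimum length, the user and company names, and the small blocklist are constructed assumptions.

```python
import re

# Minimum length: an assumed value, not one the post specifies.
MIN_LENGTH = 12

# Careless passwords the post names, plus a few equally obvious ones (constructed).
BLOCKLIST = {"password", "1234", "12345678", "qwerty"}

# The four character classes the post asks for, as regexes.
CHARACTER_CLASSES = {
    "an upper-case letter": r"[A-Z]",
    "a lower-case letter": r"[a-z]",
    "a digit": r"[0-9]",
    "a symbol": r"[^A-Za-z0-9]",
}


def check_password(password: str, first_name: str, last_name: str, company: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing {label}")
    lowered = password.lower()
    # Reject easily guessed information (case-insensitively): the user's own name
    # and the company name, as the post recommends.
    for label, value in (
        ("the user's first name", first_name),
        ("the user's last name", last_name),
        ("the company name", company),
    ):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    # Reject any password built around a blocklisted word, e.g. "Password2018!".
    if any(bad in lowered for bad in BLOCKLIST):
        problems.append("contains a commonly used password or sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3xample", "Password1234", "Ada!Lovelace2018"):
        verdict = check_password(candidate, "Ada", "Lovelace", "GigeNET")
        print(candidate, "->", verdict or "OK")
```

The same function can be called from a self-service password-change form or an account provisioning script so that the rule set is applied consistently rather than left to each employee’s judgement.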
Educate and Test Employees on Phishing
We’re long past the days of the unjustly exiled Nigerian prince offering his family fortune to those willing to front him a little money for his escape. Email phishing is the attempt to obtain sensitive information — think usernames, passwords, credit card numbers, and other types of personal data — by sending fraudulent emails and typically impersonating reputable companies or people the intended victim knows.
Through the years, phishing attacks have become more subtle and harder to detect, even for the filters and safeguards employed by Office 365 and G Suite. Attackers will customize messages to exploit specific weaknesses in email clients and popular online platforms. Email phishing has scored some high-profile victories in recent years, enabling leaked emails from Sony Pictures and Hillary Clinton’s 2016 presidential campaign. In fact, the latter attempt even fooled the campaign’s computer help desk.
Attackers are more frequently targeting businesses and organizations instead of random individuals and often use the infiltration to start a ransomware attack. Personalized emails, shortened links, and fake login forms all serve to trick users into sharing sensitive login information or network access.
Train employees on modern phishing scams and how to spot them. Implement processes that enable employees to report possibly harmful messages, and consider deploying a service that runs phishing simulations or uses artificial intelligence or machine learning to detect spoofed senders, malicious code, or strange character sets.
Protect Against Human Error
Of course, no one is perfect. Mistakes happen, and there often isn’t a shred of malice behind an insider’s misstep. Given employees’ access to sensitive data, however, the slightest error can have disastrous results.
The threat of simple, bone-headed errors plagues businesses large and small. Even Amazon blamed an employee for inadvertently causing a major outage to Amazon Web Services in 2017. Several years earlier, an Apple software engineer mistakenly left a prototype of the highly anticipated iPhone 4 at a bar.
Whether your employees are handling important data or devices, training and awareness are critical to promoting stable and secure operations. An organization is only as strong as its weakest link, and one simple slip-up can have major consequences.
Protect your organization by implementing rigorous coding standards, quality assurance checks, and backups. Take a critical look at user permissions and access to prevent employees from inadvertently making system changes or accidentally downloading or installing unauthorized software. Consider how company devices and sensitive data are handled across the organization, and prepare for worst-case scenarios.
Stay Vigilant and Rely on the Experts
Although a rare weak password or unused admin account may not pose an immediate threat to your company, any security oversight can lead to disastrous results at a moment’s notice. Act holistically when it comes to protecting your business infrastructure, devices, and data — inside and out.
GigeNET will gladly secure and monitor your systems to proactively diagnose and patch vulnerabilities before they become exploits, but comprehensive security extends beyond our server hardening, managed backups, and scalable DDoS protection service. Security is a team sport, so huddle up and let us draw up your organization’s security game plan.