With some creative tips to help engage and educate your employees on cybersecurity
Each year, incidences of cyberattacks on companies are increasing with the intent to steal sensitive information. There are cybersecurity tools made to protect organizations, but many of these tools focus on external attacks, not internal weaknesses. Many security systems do not focus on the possibility of employees unknowingly becoming a security threat and do nothing to mitigate accidental internal threats. Employee cybersecurity is an important issue.
The 2018 Insider Threat Report asserted that 90% of organizations are likely to be attacked or exposed to attacks through an insider, and more than 50% experienced an attack through an insider. Furthermore, about 44% of top companies are exposed to potential threats as a result of exposure of passwords on the internet by their employees or theft of login details.
According to a recent report by Shred-it, an information security company, employee negligence is the primary source of data breaches. According to that report, 47% of business leaders blamed human error (i.e., accidental loss of a device or document by an employee) for a data breach within their organization.
The Threat of a Negligent Employee
A negligent employee does not have the intention of exposing a company to threats but does so unknowingly in several ways that could have grave implications. It is simply negligence. Here are some of the most common unintentional insider threats and some creative ways organizations can educate their employees about them.
1) Phishing and various iterations of it, like spear phishing.
Phishing is one of the ways a careless employee can expose sensitive information. Phishing is the luring of an internet user to reveal sensitive details on a counterfeit web page or email that is made to look like it is legitimate.
A creative way to educate your employees: Create a presentation for employees on spotting a phishing email and share it. Then test them with your own fake phishing emails. If they fall for it and click through, bring them to a site that has a list of your organization’s “heroes”—the people that did not click through, but instead sent the email to your security team since they suspected it was phishing.
2) Using unsecured networks.
Using personal devices and company devices on unknown networks is very risky. The risk is much higher with a network provided by or offered in public places, like a café or an airport. Data may not be encrypted in these networks and could easily be intercepted, then stolen. Login details can be exposed when there is an attempt to access emails or social media on a public network. Viruses and malware are also frequently distributed over a public network.
A creative way to educate your employees: Provide video training for employees on insecure networks and then set up a spoofing one in your office. The people that connect to the spoofing network get a pop-up window with a 3-minute video on unsecured networks then prompts them to connect to the real network.
3) Using the same password on multiple sites.
Unfortunately, most employees use the same or similar passwords for work and personal devices. By using the same password on personal accounts, which are often also less-secure, they risk having their password “pwned” exposing their employer to threats. Password reuse means an attacker can obtain credentials from one website and then use it to gain access to that user’s account on another website. Some employees will even use their company email accounts to join personal-related forums. Many online forums are free and someone’s side hobby. Because they are not a paid service, they are not patched for security flaws frequently. Additionally, they often do not have adequate security to protect their login credentials, so this is yet another threat to the employer.
A creative way to educate your employees: Train your employees on the dangers of password reuse, especially between corporate and personal accounts. Install a compromised credential screening tool if you host any online customer or user accounts. Use an Active Directory password screening tool that prevents your employees from reusing compromised passwords.
4) Not performing system updates and upgrades.
It is necessary to keep personal and work devices up to date as this provides security patches that will block cyber attackers from exploiting vulnerabilities in the device. Many employees do not keep up with updates and do not understand the importance of them.
A creative way to educate your employees: Give each department lists of companies that have been breached because of unpatched systems by department and by tool. Many of these lists are available online, and it is eye-opening for employees to see that other companies have been vulnerable to a breach because of an un-patched tool that they are using. You will see a bunch of updates happen soon after that.
5) Accidental installation of malicious apps.
Employees might get tricked into downloading and installing an application or extension with the sole aim of using their productive features for free, but may contain malware which is capable of exposing information on the device to threats.
A creative way to educate your employees: Make a video showing your employees a real-life example of installing a malicious app and what the experience is afterward. Once you see what happens to someone else’s device, you will be more cautious.
6) Using unsecured data storage.
Sensitive data should not be stored on devices or within unsecured storage sites. Depending on the data, it could be a significant threat if it falls into the wrong hands. An employee may lose possession of an external device that contains sensitive company data. London’s Heathrow airport, for example, was fined £120,000 for losing a USB drive, which contained confidential information that should have never have been stored on a USB drive in the first place.
A creative way to educate your employees: There are a plethora of real-life examples of unsecured data storage breaches in the news. However, it is not just unsecured S3 buckets or plain text PII storage. It can be sensitive data on spreadsheets on an unsecured laptop, improper usage of USBs, etc. Test your employees and publish the results. Leave some USBs sitting in a conference room and monitor how many people use them or alert security. Upload a PPT on the USB that outlines why data storage is so important and to stop putting random USBs into their computers.
7) Leaving information and devices laying around.
Some habits are still seen as trivial by employees, such as leaving a work computer unlocked and unattended. Leaving unsecured devices unattended is a common habit, and over 25% of workers admit they do this often. Unlocked and unattended computers and devices are a natural entry point for a cybercriminal. Leaving out documents and other written communications can have the same issue.
A creative way to educate your employees: You can train your employees by leaving dollars out around the office in unattended locations. Put sticky-notes on the back that explains that leaving your devices laying around is like leaving money sitting out on a table. Someone is going to take it. Another creative security training team we work with even “stole” all the devices and paperwork that was left unattended in an office and held it hostage. Then they required a quick and comical 3-minute online security training video for the employee to get it back.
8) Lax Bring Your Own Device (BYOD) habits.
With the advent of new technologies, employees can take work home on their mobile devices and tablets. Not setting a passcode or biometrics lock on a mobile phone or tablet is a substantial risk. Because so many employees access company data on their phones, this also puts the organization at risk. Mobile technology has increased the productivity of employees with the consent of the company; however, it poses some of the following risks:
- Data leakage: employees can take work to places that do not have adequate security and can pose a threat to data. There are countless stories about information stolen by fellow passengers on a plane.
- Device loss: employees can lose their device, which may improperly contain sensitive information that someone can take.
- Hacking and Malware: Personal devices may be vulnerable to hacking and malware, part of which was outlined above.
A creative way to educate your employees: Train your employees on security for different devices because most people are still very lax when it comes to mobile phone security. If they access any company data or applications for their mobile devices, deploy a mandatory MDM security solution. Set a requirement for passcode or biometric locks. There are a lot of great videos on YouTube showing how mobile phones can be hacked and just because it is BYOD, that doesn’t mean it needs to be less secure.
9) Weak employee cybersecurity when remote.
Many US-based organizations allow employees to work remotely from home. While working from home is considered the future of work, it poses similar risks as a BYOD policy. Many people do not have robust home wi-fi security, and they do not always run their corporate VPN when online at home.
Creative ways to educate your employees: Train your employees on home-based security and VPNs if they work remotely. Remind them that IoT devices and guests need to be on separate networks. Many family members and friends may have viruses and malware on their laptops, so it is essential for them to use a distinct guest network that is not associated with any network you apply for work purposes. One company we work with has a lot of distributed employees and small offices around the world. Just like the office safety volunteers that help employees in the case of a fire, they have a designated cybersecurity volunteer in each office to support the local employees to understand cybersecurity. For the remote employees, they had virtual cybersecurity volunteers that would reach out to remote employees on a quarterly basis and host informal remote cybersecurity training.
10) Using default admin passwords.
Default passwords are an easy target for bad actors because worms have been built to seek out systems that leverage the default credentials. There is a whole dark web exchange for default passwords. Make it a corporate policy to change default passwords immediately.
A creative way to educate your employees: This is another area where testing is hard, so videotape some examples of how a bad actor can penetrate other sensitive systems through gaining access through an IoT device. Alternatively, share some of the articles on default password attacks, such as the attack on an HVAC system or one of the numerous attacks on printers.
11) Using weak passwords, especially admin passwords.
44% of employees admit to having insecure passwords at work, which makes it easy for an intended attacker to break such a password. Use an Active Directory password screening tool that prevents your employees from using compromised passwords or bad passwords that are commonly found in cracking dictionaries or password blacklists. It will protect your employee accounts and password from being “pwned.”
A creative way to educate your employees: Most people think their password is strong and secure. There are plenty of online tools that you can use to demonstrate good or bad passwords. These tools use secure APIs to access a backend password database and password blacklist but we recommend that people not use their real passwords. One customer of Enzoic ran a contest at a set time for a week for employees to make up passwords that they think would be secure. Each day there was a new guideline on character length and special characters. The week built up to the final day and what would be most secure- a long passphrase. But the employees also got to use the link above to test out what would be secure. Employees who submitted a secure password first won a prize and it was a good demonstration to everyone about strong and weak passwords and passphrases.
These are all significant threats to employers, and these are just some simple examples of how to educate employees. These examples may not be appropriate for every environment. We have heard creative things from our customers on how they are trying to reduce insider threats and wanted to share some of them.
Our key point is that organizations need to educate their employees on information security, and one effective way to do that is to make it interactive and give real-life examples. Give them real-life experiences of how some of these threats work and what the fallout can be for them. Make videos with other real employees to help them relate. Most employees care about their job and don’t want to create issues for their employers but are unaware of the threat they unknowingly bring into the business. It is important to take employee cybersecurity and active directory security seriously so your users and employee accounts are not “pwned.”