Why Your Employees are a Bigger Threat than Hackers
Why? Because the biggest threat to your security is happening right now under your own nose.
Instead, it’s the simple day-to-day employee mistakes that often go unchecked – from putting documents onto unsecured cloud apps, to working from home on personal devices, and even sharing passwords – that can come back to haunt you if you’re not careful.
It’s not that employees “don’t care.” They do. But they often aren’t even aware of the potentially risky mistakes they’re making.
Here’s what’s at stake, and how you can better educate employees through a security-driven work culture.
Why Hackers Start by Targeting Employees Instead of Systems
Earlier this month, a Booz Allen Hamilton employee accidentally left “sensitive government passwords exposed online,” according to The Washington Post.
The worst part is that he didn’t even realize it. And neither did Booz Allen Hamilton.
It wasn’t until Chris Vickery, a cyber analyst at Upguard, accidentally stumbled upon them and wrote about it.
Booz Allen Hamilton isn’t some fly-by-night operation. They’re a big-time government contractor. And according to the Post, it’s just the latest in a long line of recent “high-profile cases” where “top secret data was mishandled.”
This is unfortunately one example of how an honest, simple human error can thwart even the most sophisticated security lockdown. These passwords “were stored on an Amazon cloud server” set up to help team members collaborate more efficiently – similar to how you’d use Dropbox or Google Drive to share files and collaborate with your own colleagues. (Except, you know, the whole ‘top secret passwords for government agencies’ part.)
Cloud security expert Tim Prendergast elaborated on this risk to the Post:
“Hackers are constantly scanning the whole cloud environment … they do this repeatedly just to wait for someone to make a mistake like this. I think we’re going to see more of these over time as cloud computing continues to accelerate its growth.”
His opinion holds some merit when you consider the findings of a recent study by the Identity Management Institute: 90% of cyber attacks begin with stolen employee information. Multiply that by 60,000 daily hacks, and that’s a lot of stolen employee data!
But most of the time it’s the result of an honest mistake. Employees might not even realize what’s happened, but human error still results in the wrong information ending up in the wrong hands.
Here are a few of the common pitfalls to watch out for.
5 Common yet Risky Employee Habits
Companies frequently underinvest in cybersecurity for a number of reasons. But in many cases, you’ll notice that many breaches aren’t the result of underfunding. Instead, they’re a combination of bad luck and simple mistakes.
Here are some of the most common, according to a Cisco whitepaper on enterprise data loss:
1. Unauthorized app use
The biggest culprit is also one of the most basic: Using outside programs to hold sensitive data. Incredibly, “70% of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies’ data loss incidents.”
At the very top of that list is using your personal email. Next up is online banking, bill paying, shopping, and instant messaging. These seemingly harmless applications often fall outside corporate control and risk exposing employees to infections that can wreak havoc on the rest of your organization.
2. Misuse of company devices
The second most common issue is using corporate devices incorrectly. Often that means sharing them with other people, outside the organization. Or it could even mean just temporarily trying to get around IT settings in order to take care of routine tasks like paying a bill or emailing a large file. However, these habits can put sensitive data at risk in a number of ways, from using unsecure web apps to giving outsiders access to devices and systems.
3. Unauthorized network access
Third is employees accessing stuff they’re not supposed to access, or, at least, having the ability to access places they’re not supposed to (whether they realize it or not).
More often than not, employees aren’t knowingly trying to steal sensitive information. But if their access credentials fall in the wrong hands and your organization has been lax in its access rights, the malicious party often has unfettered access to your entire network.
4. Remote working security
But the benefits of remote work come at a cost. Specifically: your security. Almost half of those employees surveyed admitted to moving files back and forth between work and personal devices.
The most obvious problem is that those personal computers won’t have the same safeguards as your own corporate ones. To combat this issue, many companies have set up secure networks so that employees still need to log in to an intranet before proceeding.
However, these too come with their own challenges. Microsoft originally developed the PPTP VPN protocol in the ’90s in order to help organizations with remote workers. But today, that same protocol, still used by many organizations, can be cracked within an hour by someone who knows what they’re doing. And some free, shady VPNs will commonly log and sell your data to third parties.
So even when an employee thinks they’re “secure,” often they’re not.
5. Misuse of passwords
Last but not least, people are often simply careless with passwords.
It doesn’t matter how strong a password is or how many extra characters it has if someone simply writes it down to share it. Or copies and pastes it to send through an email. Or even a text message.
Digital Guardian’s recent survey on user password security found that only 28% of users stored passwords in secure password managers, with the other 72% of those surveyed relying on unsecure methods to recall passwords.
How to Prevent Employee Data Leakage
While you’ll never completely be able to rid your organization of human error, you also don’t want to become just another statistic because Larry’s password is on a sticky note next to his second monitor.
We all make mistakes. Daily. But there are still a few safeguards to employ. Here are a few strategies to help reduce your risk of data loss by insiders.
Create a digital paper trail
Start by knowing who does what, when.
That means a digital paper trail of what data is moving, when it’s being accessed, by whom, along with any updates or versioning records. This should extend to any sensitive information, which should have additional protection for when it goes outside of your own network (because as we’ve learned, it probably will at some point).
Treat data as sacred
Sacred data should be kept sacred. Sounds trite, but it means that you have different levels of protocol for how people can access devices, data from personal devices, and more. It means you have stricter standards on what people are allowed (or even able) to download, export to file sharing devices, or send via email.
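To make the two ideas above concrete (a paper trail of who did what with which data, and stricter rules for more sensitive data), here is an added example that is not part of the original article or any product it mentions. It is a small policy check that decides whether a user may read, download, export or email a document based on the document’s classification and the user’s clearance, refuses to let non-public data be handled off the corporate network, and writes every decision, allowed or denied, into an audit trail that can then be queried for the denials a security team should review. The classification levels “confidential” and “restricted” follow the article’s own terms; the “public” level, the policy matrix, the users and their clearances, and the sample events are all constructed for the example.

```python
"""Added example (not from the original article): data-classification policy
checks recorded in an audit trail. All names, levels and events are constructed."""

from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Classification levels, least to most sensitive. "public" is an assumed base
# level; "confidential" and "restricted" are the article's terms.
LEVELS = {"public": 0, "confidential": 1, "restricted": 2}

# Constructed policy matrix: which actions each classification permits.
# Restricted data may only be read; it is never downloaded, exported or emailed.
POLICY = {
    "public":       {"read", "download", "export_to_fileshare", "email"},
    "confidential": {"read", "download"},
    "restricted":   {"read"},
}

# Constructed clearances. Least privilege: a user may only touch data at or
# below their own level, regardless of what the share or app would let them do.
CLEARANCE = {"alice": "restricted", "bob": "confidential", "larry": "public"}


@dataclass
class AuditRecord:
    ts: str
    user: str
    action: str
    document: str
    classification: str
    on_corporate_network: bool
    allowed: bool
    reason: str


class AuditTrail:
    """The 'digital paper trail': one record per decision, denied or not."""

    def __init__(self):
        self.records = []

    def authorize(self, user, action, document, classification,
                  on_corporate_network, ts=None):
        """Apply the policy and append the outcome to the trail."""
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        user_level = LEVELS[CLEARANCE.get(user, "public")]  # unknown user: public only
        doc_level = LEVELS[classification]
        if user_level < doc_level:
            allowed, reason = False, "clearance below classification"
        elif action not in POLICY[classification]:
            allowed, reason = False, f"{action} not permitted for {classification} data"
        elif classification != "public" and not on_corporate_network:
            # Extra protection for sensitive data once it would leave the network.
            allowed, reason = False, "non-public data handled off corporate network"
        else:
            allowed, reason = True, "ok"
        self.records.append(AuditRecord(ts, user, action, document, classification,
                                        on_corporate_network, allowed, reason))
        return allowed

    def denied_sensitive(self):
        """Denied actions on non-public data: each one is a leak that the
        policy stopped (or an honest mistake worth a conversation)."""
        return [r for r in self.records
                if not r.allowed and r.classification != "public"]

    def for_user(self, user):
        """Everything a given user did, for 'who did what, when' questions."""
        return [r for r in self.records if r.user == user]

    def to_jsonl(self):
        """Export the trail as JSON lines for a log pipeline or SIEM."""
        return "\n".join(json.dumps(asdict(r)) for r in self.records)


def run_sample():
    """Replay a handful of constructed events and return the resulting trail."""
    trail = AuditTrail()
    t = "2017-06-01T09:00:00+00:00"  # constructed timestamp
    trail.authorize("alice", "read", "budget.xlsx", "restricted", True, t)        # ok
    trail.authorize("alice", "email", "budget.xlsx", "restricted", True, t)       # denied
    trail.authorize("bob", "read", "budget.xlsx", "restricted", True, t)          # denied
    trail.authorize("bob", "download", "contract.pdf", "confidential", False, t)  # denied
    trail.authorize("larry", "email", "press-release.txt", "public", False, t)    # ok
    return trail


if __name__ == "__main__":
    sample = run_sample()
    print(sample.to_jsonl())
    print(f"{len(sample.denied_sensitive())} denied actions on sensitive data to review")
```

Note that denials are logged just as carefully as approvals: the record of Bob trying to download a confidential contract onto a home machine is exactly the kind of everyday shortcut the article describes, and the trail lets you spot it and talk to Bob before it becomes an incident rather than after.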
Educate on the potential pitfalls of data leaks
Almost all of the common employee mistakes listed above were relatively harmless (in practice). These are everyday occurrences. Little shortcuts we take on a daily basis when we’re overwhelmed and trying to stay afloat.
For example, this blog’s article on the problems with common file sharing apps is a perfect place to start educating employees about the loopholes that exist on apps they use daily. Dropbox might seem harmless. But there could be consequences.
So create clear lines for employees and educate them on the reasons why those limits are in place. That way you can successfully monitor and enforce oversight accordingly.
Everyone within an organization needs to be crystal clear on the differences between “confidential” vs. “restricted” – and how to treat each. This also extends to recognizing potential vulnerabilities, risks, or threats (and how to counteract in order to prevent bigger issues down the road).
Employees aren’t careless. They’re not purposefully negligent. But they are, however, often stressed and on tight deadlines. Shortcuts are sometimes taken in order to keep things flowing smoothly.
So the objective isn’t to point fingers or treat them like children. Instead, it’s to get them on board with a security-driven work culture. Set up good processes to make their lives simpler. And then educate them so they know what’s at stake when someone ventures outside the lines.
John Mason is a Cyber Security/Privacy enthusiast working as an analyst for TheBestVPN.com.