Cyber Security Tips - Week 2: Employees ‘Must Buy into’ the Cyber Security Strategy
It has been proven time and again that your own employees are the major source of cyber intrusion. They unwittingly open a tainted email, log onto a corrupted website, or plug in a contaminated flash drive, and unknowingly invite an invader into their computer and then into your network. With more and more employees working remotely, they may simply be performing these risky actions at their remote locations, only to log in later to transmit their work, and in so doing send along malware embedded deep within their work product. This is why it is essential that all employees, regardless of their responsibilities or work locations, participate in regular cyber security awareness education designed to keep them abreast of the ever-changing forms and traps associated with malware threats.
While businesses put a lot of time and resources into creating a system to protect and secure their data, they neglect the most obvious weak link: 'the human factor.' This one all-too-common overlooked factor can simply blow all the rest of your data security efforts out of the water. It's critical that any cyber security strategy not only include a plan for educating employees in the best practices to keep data safe, but that steps are taken to ensure that employees follow through with those practices.
As part of this education, employees need to be made aware of the principal risks related to the most common malware, and of how cyber criminals rely on 'risky human behavior': they use 'social engineering schemes' to trick employees into abandoning proper procedures in favor of behaviors that put data at risk, even when the employees do not realize they are doing so.
Let's look at one example of how cyber criminals use such social engineering to target employees into doing the wrong things.
Through highly targeted data mining, an attacker gathers key facts about a company employee who holds an important role. The attacker then sends that employee a well-crafted message in an attempt to trick the employee into clicking on a link or opening an attachment that carries a malicious payload. Once the payload is delivered, the adversary can cause harm by encrypting key databases until the business pays a ransom (ransomware).
[Image: Ransomware attack example]
Now ask yourself: what are the odds that you or one of your 'Accounts Payable' employees would click on the 'green' link if an email like this, addressed to them at your place of business and appearing to come from one of the regular vendors with whom you do business, landed in their inbox?
But not all 'employee' related cyber issues are the result of mistakes by your personnel; unfortunately, some result from intentional employee misconduct. In other cases the same forms of 'unauthorized data distribution' may actually be the result of unintentional actions, but they still produce the same end result: confidential data is released, and your business is exposed to liability as a result of that data breach.
When it comes to employee misconduct involving a data breach, here are some of the warning signs you need to be aware of:
- An employee accesses databases in line with company operating procedures, but copies the data and transmits it outside the company.
- An employee makes significantly heavier use of USB devices than other employees.
- An employee sends more, or larger, emails than their fellow employees.
- An employee connects to and disconnects from the VPN unusually often, or brings their own computer to work and uses it at various times.
- An employee accesses company records substantially faster than other employees, or accesses records that most employees have little need to access at all.
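As an added illustration (not part of the original post), the following Python turns the warning signs above into a simple peer-baseline check: each employee's daily counters are compared with the median of the group, and access to tables that hardly anyone else reads is called out. The employee names, numbers and thresholds are constructed assumptions, not real data.

```python
from statistics import median

# Constructed one-day activity summaries per employee (sample data, not real logs).
# The counters mirror the warning signs listed above; "tables" are the record
# sets each employee read during the day.
ACTIVITY = {
    "alice":   {"usb_events": 1, "emails_sent": 40, "email_mb": 12, "records_read": 120, "vpn_toggles": 2,  "tables": {"invoices", "vendors"}},
    "bob":     {"usb_events": 0, "emails_sent": 35, "email_mb": 9,  "records_read": 100, "vpn_toggles": 1,  "tables": {"invoices", "vendors"}},
    "carol":   {"usb_events": 2, "emails_sent": 50, "email_mb": 15, "records_read": 140, "vpn_toggles": 3,  "tables": {"invoices", "customers"}},
    "dave":    {"usb_events": 1, "emails_sent": 30, "email_mb": 8,  "records_read": 90,  "vpn_toggles": 2,  "tables": {"invoices", "vendors", "customers"}},
    "erin":    {"usb_events": 0, "emails_sent": 45, "email_mb": 11, "records_read": 110, "vpn_toggles": 1,  "tables": {"invoices", "customers"}},
    "mallory": {"usb_events": 9, "emails_sent": 42, "email_mb": 60, "records_read": 520, "vpn_toggles": 12, "tables": {"invoices", "payroll"}},
}

Z_THRESHOLD = 3.0   # robust z-score above which a counter is "substantially" higher than peers (assumed)
RARE_SHARE = 0.25   # a table read by fewer than 25% of staff is one "most employees have little need" for (assumed)
COUNT_METRICS = ("usb_events", "emails_sent", "email_mb", "records_read", "vpn_toggles")


def robust_z(value, peers):
    """Deviation from the peer median, in units of the median absolute deviation (MAD).
    MAD is floored at 1 so a near-uniform peer group does not flag tiny differences."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    return (value - med) / max(mad, 1.0)


def rare_tables(activity):
    """Tables that fewer than RARE_SHARE of all employees read at all."""
    counts = {}
    for rec in activity.values():
        for table in rec["tables"]:
            counts[table] = counts.get(table, 0) + 1
    return {t for t, n in counts.items() if n / len(activity) < RARE_SHARE}


def flag_outliers(activity=ACTIVITY):
    """Return {employee: [reasons]} for everyone whose behaviour stands out from peers."""
    findings = {}
    for metric in COUNT_METRICS:
        peers = [rec[metric] for rec in activity.values()]
        for name, rec in activity.items():
            z = robust_z(rec[metric], peers)
            if z > Z_THRESHOLD:  # only *more* activity than peers matters for these signs
                findings.setdefault(name, []).append(f"{metric}={rec[metric]} (robust z={z:.1f})")
    rare = rare_tables(activity)
    for name, rec in activity.items():
        for table in sorted(rec["tables"] & rare):
            findings.setdefault(name, []).append(f"reads rarely-used table '{table}'")
    return findings


if __name__ == "__main__":
    for name, reasons in flag_outliers().items():
        print(f"{name}: " + "; ".join(reasons))
```

A finding here is a prompt for a human review, not proof of misconduct; the thresholds need tuning against your own baseline before they mean anything.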
So ask yourself: do you have an employee who 'fits the bill' of someone who may be accessing, and potentially distributing for monetary gain, your confidential information, including the confidential information of your other employees, your customers, or your business processes?
It's critical that your employees 'buy into' the cyber security you are attempting to put into place to protect your company. Without their involvement and support your company is operating on 'thin ice' at best when it comes to the threats that exist in today's cyber space, both from without and within. The key is to get all your personnel to understand that cyber security is everybody's responsibility: not just the IT staff, not just the Cyber Security consultant, not just Management, but everybody that touches a computer and comes in contact with a single 'bit of data.' The 'human firewall' is just as important as the 'software and hardware firewalls' put in place to protect against today's cyber threats. And, just like the software and hardware firewalls, the human firewall must be updated and tested from time to time to ensure that it is ready when it is exposed to a real threat.
Keep on the lookout for my upcoming Cyber Security Tips.