Employees don’t let criminals waltz in, do they? With a little know-how and finesse from the bad guy, yeah, they do. Here are a few ways they do it, and how to make employees active participants in stopping them.

1. Carelessly Opening Email

Employees often spend the day checking their email — and hackers know it. This makes email a prime entry point for cyber criminals.

Employees must approach their email with care so they can identify signs of an attack and mitigate the risk.

Common signs of an attack include fake/forged email addresses (xxx@amaz0n.com), unprofessional subject lines, bad grammar/typos, and messages that create a sense of urgency to respond with personal information.

Employees should be able to identify a potential threat and report it to IT.

They should not click on links (including unsubscribe links), submit information, open attachments, or respond to such an email.

You can put your employees to the test and identify high risk employees with a free simulated phishing attack.
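The forged address in the example above (amaz0n.com standing in for amazon.com) is the kind of sign a simple mail-filter check can surface before the employee ever has to judge it. The following is an added example, not code from the original post or from any vendor named here: it folds commonly swapped characters in a sender's domain and flags addresses that only look like a trusted domain. The trusted domain list and the sample From: headers are constructed for illustration.

```python
import re

# Constructed list of domains this organization treats as legitimate senders (assumption).
TRUSTED_DOMAINS = {"amazon.com", "example-corp.com"}

# Character swaps attackers commonly use to forge a familiar-looking domain.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Fold lookalike characters so 'amaz0n.com' and 'amazon.com' compare equal."""
    folded = domain.lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@host>' or a bare 'user@host'."""
    match = re.search(r"<?([^<>\s@]+)@([^<>\s@]+)>?", address)
    if not match:
        raise ValueError(f"no email address found in {address!r}")
    return match.group(2).lower().rstrip(".")


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: address."""
    domain = sender_domain(address)
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    folded = normalize_domain(domain)
    if any(folded == t or folded.endswith("." + t) for t in trusted):
        return "lookalike"  # reads like a trusted domain but is not one
    return "unknown"


# Constructed sample From: headers (not real messages).
SAMPLE_SENDERS = [
    "Amazon Orders <orders@amazon.com>",
    "xxx@amaz0n.com",
    "IT Helpdesk <helpdesk@examp1e-corp.com>",
    "newsletter@unrelated.example",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{classify_sender(sender):9s} {sender}")
```

A "lookalike" verdict is a strong signal to quarantine or tag the message; "unknown" only means the domain is not on the trusted list, which is normal for most mail and on its own is not a reason to block.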

2. Giving Passwords Over the Phone / Leaking Passwords

“Hi, this is Bill, from IT. We noticed your certificate is about to expire, so I need your password to reset.”

How would your employees respond?

They should know that IT will never ask for a password, or for other sensitive information like a social security number, address, or the answers to common password reset questions.

Of course a password can be used to log directly into your system, but other personal information can also be used to reset a password or otherwise gain access to a system. Tricking someone into handing over that information is called social engineering.

Another big one that I see everywhere is writing passwords on a notepad, or taping them to the computer. I was at a local store this week and noticed their password was taped to the keyboard so anyone could log in.

3. Losing Mobile Phone

It’s easy to lose a device with sensitive information. I left a work phone in a cab one night, and had a work computer stolen out of my vehicle while it was parked in a downtown garage.

It’s so easy to lose stuff that it’s not a matter of if, it’s a matter of when.

So the question is how to mitigate the loss of information. The two most important steps are requiring that phones lock automatically and need a password to unlock, and making sure you have the ability to remotely wipe a device.

The employee plays an important role here too. Of course, they shouldn’t lose their device! But they need to be aware of the risks involved, and report a loss immediately, even late on a Friday night. This allows your IT team to quickly wipe the device and prevent information loss.

Pro tip: Make sure employees know who to contact (direct manager, IT, etc.) and let them know they will never be punished for losing a device and reporting it immediately. However, they could be at risk if they try to hide it.


4. Weak Passwords

I know…every list has passwords.

I’ll try to give some insight you may not have thought about yet.

Employees (like everyone) typically use the same password for their social sites, their bank login, and their work account. Is that bad? Yes!

What if their bank has a breach and leaks their passwords, or a hacker spoofs their favorite social site, the employee logs in, and the attacker now has their password?

Think the criminal wants access to your employees’ Facebook pages to post a funny meme in their name? Doubt it. He’s logging into your database.

You should have a company policy that requires employees to use a password for company logins that they use nowhere else, and enforce that these passwords are updated regularly.

5. Improper Disposal

Proper disposal of information is often overlooked.

It’s late on a Friday, an employee has a few minutes to spare, and they decide to clean their desk. The elephant on their desk is a stack of papers, mail, envelopes, sticky notes, and other junk that’s piled up since the last time they had a few minutes to spare.

They haven’t needed anything in the stack for 6 months, so it’s safe to say they won’t need it in the next six. Here comes the sweeper — they sweep the 10 pound stack of miscellaneous paper into a garbage can.

Done. Clean desk. The employee sighs with relief, pats himself on the back, and heads to happy hour to celebrate a good week.

But what was in that stack? What was on the flash drive they tossed in there?

Was it sensitive customer data, confidential company information, passwords, or just 10 pounds of recipes?

Work with your IT team to develop an information disposal policy. This should include wiping all writable media such as hard drives and flash drives. CDs and DVDs should be shredded. Paper should be shredded, or placed in a dedicated bin so your IT team can dispose of it properly.

Make Employees Active Participants in Security

Even the strongest firewall won’t prevent a well-meaning employee from clicking a malicious link, giving a password over the phone, or tossing a flash drive into the garbage can. Tom Johnson, CIO of Penn Highlands, talked about how he’s making employees active participants in information security.

Employee Awareness Platform

Employees can be trained to identify threats, and mitigate risky situations. Wuvavi provides a platform to train employees, simulate phishing attacks, and run an audit on employee behavior.