When it comes to cybersecurity, the first thing that comes to mind is a skilled hacker who is trying to access your systems through sophisticated techniques. However, in most cases, the greatest threat to your company’s cybersecurity is from the people who are sitting in cubicles inside your office. Statistics from the PWC 2014 Cybercrime Survey show that 28% of cybersecurity incidents come from insiders such as current and former employees.
This is an alarming percentage, particularly because most organizations are unaware of the risks poor security practices have. In this blog post, we look at the three most common practices that employees have that can get your business hacked.
1. Weak passwords
One of the most commonly used authentication protocols is passwords. When used correctly, passwords are a strong defense mechanism against a majority of cyber attacks. However, weak passwords that are either too simple, too short, or too common can be cracked in no less than an hour using modern hacking techniques.
Just to illustrate, 7-character passwords containing just lowercase letters can be cracked in just a fraction of a millisecond. According to Better Buys 2019, an increase the length to 12-characters and it will take up to 200 years to crack the password. As you keep making the password more complex by using a mix of lowercase and uppercase alphabets, numbers, and symbols, the estimated password cracking time increases significantly.
Now, keeping this in mind, consider how vulnerable your company’s most sensitive data can be if employees use passwords as simple as “abcdef” or “123456”. Surprisingly, “123456” is the most popular password that people use in 2019! Just the simplicity of the passwords is not the concern though, here are a few other password-related mistakes that most employees make:
- Disabling two-factor authentication, even when the option is available but not enforced by company policy.
- Using the same password for everything including their work email, personal email, and social media accounts.
- Writing down their username and passwords on post-it notes on their desk.
- Sharing passwords with friends and family.
To assess the vulnerability, take a look at how many employees you have in your company and how many passwords is each employee responsible for. Each of these passwords could be a potential entry point for hackers into your systems unless you enforce a strong password policy.
2. Poor access control policies
An effective access control policy can help you minimize the damage in the case of a security breach. We cannot emphasize enough on how important it is to ensure that each employee has access to only the systems and data that they need when they need them. As soon as the employees no longer need access, it should be revoked to avoid any unwanted security loopholes.
After an employee leaves your company, they will still be able to access your confidential files and even share them with others unless their access is revoked. This is the reason it is important to remove employee access as soon as they leave the company or take up a different job role.
Why is this important? Let us assume that you have a shared folder on a server that is full of confidential documents of your company. If an employee has access to this folder, then this becomes an entry point for the hacker to access this confidential information. Access control essentially limits the attack vectors that hackers have to gain access to your data through your employees.
Additionally, in the case that an employee does have malicious intent, a strong access control policy ensures that employees are never tempted or able to steal your confidential data from within.
Another common mistake that employees make is to make use of USB drives to store and carry company data. Plugging in a USB drive to a company workstation can provide an entry point for hackers to infect your computer with viruses and/or malware that can lead to loss of data. Second, this can lead to unintentional data leaks in the case that employees misplace the USB drive or plug it into a public and non-secure computer.
3. Phishing attacks
Two of the most common and effective types of cyber attacks are phishing and social engineering. The aim of both of these is to persuade and convince people into giving out confidential information to hackers. PhishMe, a cybersecurity company, reports that 91% of all cyber attacks begin through a spear phishing email.
Phishing emails (aka fake emails) are designed to look authentic and are even sourced from seemingly credit domains. For example, such an email would replicate a reputable entity such as Google by using an email address like firstname.lastname@example.org. In other cases, the email might even appear to be coming to you from within the organization (such as your boss) with a fake, but near authentic email header.
In some cases, phishing emails will ask employees to directly share their credentials such as their username and password. In other cases, these emails will ask employees to click on a link or download a file that will inject computers with ransomware, malware, or spyware. Either way, a phishing attack can be the first point of entry into your systems for most hackers.
On the other hand, a social engineer will dress themselves up as the maintenance person or an IT support person in order to fool your employees to share their credentials and even access to their workstations. Both remote and physical means of access can be used by social engineers in order to reach out to employees and gain access to your company data.
Employees can be the biggest threats to a business’ cybersecurity even without realizing it themselves. Remember that you hired your employees to help your company prosper, not the other way around. However, by enforcing adequate cybersecurity policies, you can protect your business not just from external threats but internal threats as well. One of the first steps to achieving this is to first conduct a risk assessment and develop a risk mitigation plan.
Apvera helps you identify, analyze, and respond to cybersecurity risks such as weak passwords and poor access policies within your organization. We help you understand and mitigate cybersecurity risks through our proven strategy that enables you to remain worry-free and risk-free.