Even though cybersecurity solutions are becoming increasingly sophisticated, hackers are still managing to keep up even with the most advanced technologies. Furthermore, companies get so caught up in trying to adopt new technologies in their endless search for 100% protection that they forget to keep an eye on the basics.
According to Kaspersky, more than 80% of all cyber-incidents are caused by human error. This shows that no matter how much you invest in your organization’s security, in the end it still comes down to educating your employees and having some basic provisions in place. Not only should you educate your employees on what they’re supposed to (not) do, but you should also make sure they have no way of accessing controls that could compromise your organization’s network.
Default or Weak Passwords
According to InfoSec Institute, this issue has been around ever since computers were invented and is still responsible for the majority of cyberattacks in the world. I think most of us used something like ‘password123’ for a throwaway email, but when it comes to corporate accounts, there’s much more at stake than a Pinterest board or an inbox filled with spam. When a password is that predictable, the hacker doesn’t even need programming knowledge to get into your network – they just have to guess. Another mistake employees make is leaving the default passwords for certain application suites, development software, and enterprise solutions. These default passwords are easy to find out and generally lack the complexity required for solid protection.
The solution? Educating your employees on proper password etiquette and showing them the severe consequences of cyber breaches can open their eyes to the risks of weak passwords. It’s not a foolproof solution, but don’t underestimate the impact of direct contact and communication. You could also set custom password requirements (password must contain a number, a symbol etc.) where possible, which is a common technique organizations use to force users into creating more complex passwords.
Phishing
Phishing is one of the most basic means of attacking an organization. The attacker tricks their victim by deceiving them into clicking a malicious link concealed in an email, a private message, or even a legitimate-looking ad. From there, the victim is led to a web page that’s also designed to look as close to the real thing as possible and prompted to enter confidential information, which can vary from credentials for various services, credit card numbers, Social Security numbers and other sensitive data.
You might think that you have to be naïve to fall for such a trick, but recent statistics say otherwise. A Verizon report revealed that about one in 14 people still click on phishing emails, regardless of awareness training. Furthermore, as of September 2017 Kaspersky Labs products blocked 51 million attempts to open a phishing page that year, while mobile ransomware attacks were up 250 percent since January 2017. IronScales’ own research estimates that 95 percent of all successful cyber-attacks start with phishing – and it’s no surprise. Hackers have started emulating login pages of popular services such as iTunes and sending security alerts to mobile users, prompting them to change their passwords. These attacks are also sent from addresses that are meant to closely resemble a legitimate source.
The best way to counteract phishing at an enterprise level? Train your employees to be skeptical about everything that lands in their inbox. Tell them to make sure they check the sender every time they get an unprompted link. You can also hire security experts to carry out sting operations to figure out how many employees actually fall for an experimental phishing attack.
Unauthorized Application Installation/Usage
Most organizations don’t give their employees administrator privileges on their work computers – this is one of the reasons. When a user installs a third-party application, they give that app permission to run potentially malicious code – and while it should be easy to verify the authenticity of a third-party application, many people just don’t. This is a huge error, given that even a small application can wreak havoc on a device. It just takes the execution of one small script, once administrative privileges have been granted, for any program to take control of the whole computer.
The easy fix? Make sure you’re not granting your employees administrator privileges, unless they’re essential to their day-to-day work. As for the cases where administrator access can’t be revoked, make sure you teach your employees to establish the credibility and authenticity of an application.
Lack of Remote Security
There are plenty solutions out there that will protect your employees’ work computers. But what if they need to work from home, on their personal devices? There’s no way for you to control how your workers secure their own devices, and chances are their security isn’t up to enterprise standards.
What happens when sensitive company data ends up on an unsecured computer? If you’re lucky – nothing. Otherwise, that data is easily recoverable by hackers even if your employee deletes it. Furthermore, a keylogger can record your employee’s account credentials, giving malicious actors access to private emails, confidential documents, or even highly sensitive project-related files.
One potential fix is to prohibit the transfer of data from corporate devices to personal ones. You could also look into solutions you can adopt to secure BYOD, such as antivirus protection and data loss prevention, full-disk encryption for disk, removable media and cloud storage, mobile device management to wipe sensitive data when devices are lost or stolen and application control.
In the end…
What’s important is that you don’t lose sight of any potential breach methods, even if they may seem hard to fall for. Chances are that not all of your employees are as tech-savvy as you think, not to mention that attackers are also getting smarter and creating increasingly convincing scams. Don’t underestimate how successful even the most rudimentary breach attempts can be. After all, human errors will never be eliminated from any business – but you still need to keep an eye out and prevent them.
