Cybersecurity in the Workplace: Transforming Employee Error into Empowerment
By Rob Cataldo, VP of Enterprise Sales, Kaspersky Lab
As cyberattacks become more sophisticated in nature, the hackers behind these threats continue to leverage a simple, effective attack method to infiltrate computer networks: the evergreen human factor. A recent study found that uninformed or careless employees are one of the most likely causes of a cybersecurity issue (second only to malware), causing nearly half of IT security incidents each year.
Making matters worse, cybersecurity risks loom within the most common workspaces, from the desk to the printer and even the parking lot, as cybercriminals seek various entry points to gain access into corporate networks.
"Only by making cybersecurity an inherent part of a company’s culture will companies see real, positive changes"
One of the most common ways employees fall victim to cyberattacks is through phishing or, even more effective, spear phishing. In 2016, every third (28 percent) targeted attack on businesses had phishing or social engineering at its source. Although businesses may be aware of the strategies cybercriminals use to gain access to their networks (such as phishing), they need to be more aware of which internal teams are at risk, and why.
Departmental Dangers: Who Is the Highest Risk?
Within an organization, some employees are unwittingly more attractive to cybercriminals than others, with the end motive being the same. Based on years of conducting cybersecurity audits and penetration testing, some of the internal teams most vulnerable to cyberattacks include:
• IT: While the department may seem invincible to others within the company, research into IT security habits shows these teams tend to cut corners because they know how to, or have the authority to, do so. For instance, IT members may enable "password never expires" settings, which go against the recommended corporate security policy of regularly changing passwords.
• Human Resources: HR has access to a wealth of important information about the company and its employees, such as personally identifiable information (PII). This data may include employees’ social security numbers, direct deposit information and health insurance details. In addition, HR managers receive several emails from external parties (such as job candidates or former employees), and the innocent act of opening an attached resume could lead to a malicious file crippling the company’s entire infrastructure.
• Finance: The finance department is the door to the company's transactions and account details. Most employees (46 percent) agree that finance is the biggest cyberthreat within a company, as this team tends to be the most common target of fraudulent emails asking for account details or PII, or carrying invoices as email attachments.
• C-Level Managers: Those in a position of authority may think the company's IT security policies don't apply to them; because of this mindset, cybercriminals will actively seek out those in higher positions through professional social sites such as LinkedIn. Malicious communications include drive-by downloads or scams in which a malicious link is sent via social media or email under the pretense of being from the tax office, for example.
How Can You Empower Employees to Be One of the Company's Best Security Assets?
Regardless of job role, all employees are human beings, and whether someone is an intern or the CEO, each employee is just as susceptible to becoming the victim of a cyberattack. Within a corporate environment, it's common for some individuals to think cybersecurity isn't their responsibility, or to mistakenly believe that the people around them will "pick up the pieces" if an incident occurs. Better protection begins with the right mindset and following security best practices, including:
• Regularly training and testing employees several times per year: One of the most critical lessons for employees to learn is how their role can affect the security of the entire business. Individuals need to understand, through clear policies, how to keep company data and their own personal information secure, so they are more likely to alert the proper teams if the worst should happen. Additionally, security teams should gauge employee feedback and results after each cybersecurity training, or the IT team may even put a test in place and have an open conversation about human error as well as the types of cybercriminal techniques to avoid.
• Motivating employees through gamification: Employees often need to feel motivated to help raise security awareness levels within the company. Making cybersecurity fun and relevant will help prioritize protection during day-to-day operations. It's a good idea to put in place a scoring system related to recommended security practices, with points and prizes as a motivator. A gift card or a weekend away is more likely to encourage best practices than a policy gathering dust in a desk drawer.
• Establishing the right culture: Many employees may be afraid or embarrassed to report that they have been the victim of a scam; research indicates that 40 percent of businesses know their employees hide security incidents. Only by making cybersecurity an inherent part of a company's culture will employees take responsibility for their own actions, and companies see real, positive changes. A cultural shift must occur, beginning with the leadership team, in order for current and new employees to learn from those around them.
It doesn't take a highly sophisticated targeted attack to cause devastating damage and bring down an enterprise network. Set your business up for success by encouraging employees to report any cybersecurity incidents they experience, implementing proper training, and having an open, regular dialogue with employees about risks and what to look for every day. In the end, these simple measures will strengthen your company's ability to remain protected from the ever-evolving cyber threat landscape.