There’s no doubt that IT security is a critical issue for many businesses. High-profile examples of data breaches involving the likes of Facebook, British Airways, Heathrow Airport, Google+ and the U.S. State Department merely serve to reinforce our fears and anxieties around cybersecurity. But what many of us don’t recognize is that the noise generated around these very public breaches tends to drown out a relatively under-reported fact: many security breaches are caused by employees within an organization, not by outside forces.
That’s not to say that malicious actors, such as hackers, are not writing code and software that aims to facilitate and exploit a data breach. It merely means that their efforts are centered not just on outright attacks, but on inducing employees to help them circumvent an organization’s defenses against an external assault.
Security is personal
The most common methods of achieving this are phishing scams and malicious communications that seek to gain information and entrance into a business or organization via its employees. We’re all well aware of the temporarily cash-strapped former Nigerian bank chairman/prince/general prepared to pay the recipient of an email a hefty sum to help him transfer funds held in an offshore account. But phishing attacks nowadays tend to be more advanced and sophisticated.
Emails purporting to come from Apple about problems with iTunes or a specific app, which require the recipient to click on a link and enter their Apple ID details, are very common. So are communications from the tax authorities, possibly offering a tax refund, or from a bank, perhaps warning of a potential breach. These types of scams should be reasonably easy to spot, as they typically contain misspellings or poor grammar and, if the recipient hovers the mouse over the sender address or link, they will often find it is not what it purports to be. But that doesn’t stop people from falling victim to them.
Websites also have the potential to mislead people into enabling cybercriminals to gain access to their personal information and to propagate malicious code and malware. Gambling, fantasy football, illegal sports streaming and pornographic sites all have the potential to be misused for nefarious purposes.
Social media has added another dimension to cybersecurity. The huge scandal surrounding Facebook and the role of Cambridge Analytica in the 2016 US presidential election and the EU referendum in the UK highlights just how dangerous social media platforms can be as a means of mining personal information and enabling unseen actors to use that information to target misleading messaging. Many people can be sucked into participating in quizzes that mine their personal information, or into clicking on and propagating malicious code and malware via posts and messages from friends in their feed.
Minding your own business
But whatever the personal consequence people may face for falling victim to these types of scams and however painfully it might be felt, that pales into insignificance when set against the damage that can be inflicted on their places of work when their personal use overlaps with their business activities.
The increasing phenomenon of people using computers and devices in their professional and personal capacities means their vulnerabilities at a personal level can be exploited to target the business or organization where they work. Cybercriminals are well aware that someone accessing personal emails or a website via a work computer could help them to unleash a malicious attack on the business. The messages, emails and social media posts that they craft to deliver attacks on the individual can serve a dual purpose of compromising the employee and the employer.
So what can be done to reduce the threat and exposure of businesses and organizations from their unwitting employees?
One of the simplest mitigation techniques for many of these problems is to separate activities across a number of browsers. This means that organizations should designate one browser for employees to use for company-internal documents and applications, and let them use something else for their personal activities. Many vulnerabilities require the victim to already be logged in to the targeted application in the browser, and to exploit them the attacker needs the target to click a link while that session is active. If the company has established a dedicated browser for internal information, a link clicked in the personal browser will not carry the internal session, so the user won’t have the privileges needed to arm that attack.
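To make the point about session-bound attacks concrete, here is a small simulation (added here as an illustration, not code from the original article): a toy internal application that accepts a state-changing request only when a valid session cookie accompanies it, and two simulated browsers that each hold their own cookie jar. The application, the cookie names and the lure URL are all constructed for the example.

```python
# Simulation of why a separate browser for internal work blunts
# "click this link while logged in" attacks. Everything below is
# constructed for illustration: there is no real network traffic.
from dataclasses import dataclass, field

SESSION_COOKIE = "intranet_session"          # assumed cookie name
VALID_SESSIONS = {"sess-42"}                 # constructed server-side state


@dataclass
class InternalApp:
    """Toy intranet endpoint: honours a request only with a live session."""
    actions_performed: list = field(default_factory=list)

    def handle(self, path: str, cookies: dict) -> int:
        # Browsers attach cookies for the app's origin automatically,
        # so a lure link is dangerous only if the jar holds a session.
        if cookies.get(SESSION_COOKIE) not in VALID_SESSIONS:
            return 401                        # rejected: not logged in
        self.actions_performed.append(path)
        return 200                            # action executed


@dataclass
class Browser:
    """Each browser keeps its own cookie jar; jars are never shared."""
    name: str
    cookies: dict = field(default_factory=dict)

    def login(self, session_id: str) -> None:
        self.cookies[SESSION_COOKIE] = session_id

    def open_link(self, app: InternalApp, url: str) -> int:
        # Clicking a lure link makes the browser request the internal
        # path, sending whatever cookies this browser holds.
        return app.handle(url, self.cookies)


def lure_click_status(logged_in_browser: Browser, app: InternalApp) -> int:
    """Result of a lure link opened in the given browser."""
    return logged_in_browser.open_link(app, "/hr/change-bank-details")


if __name__ == "__main__":
    app = InternalApp()
    work = Browser("work")         # dedicated to internal systems
    work.login("sess-42")
    personal = Browser("personal")  # used for email, social media, etc.
    print("lure opened in work browser:", lure_click_status(work, app))
    print("lure opened in personal browser:", lure_click_status(personal, app))
```

The lure succeeds (200) only in the browser that holds the internal session; opened in the personal browser, the same link is rejected (401), which is exactly the separation the paragraph recommends.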
Cause and effect
Perhaps the best advice for employees is to avoid doing personal things at work. That may not be easy, but it’s probably the only way to guarantee that they won’t unwittingly expose their workplace to cyberthreats. Since that may be an unrealistic expectation, businesses should endeavor to ensure that all the computers and devices they use are secure, which is difficult when employees use them for both business and personal activities.
Perhaps the best approach is to educate employees about the potential threats, make them aware of the methods used to deliver the payloads for those threats, and encourage them to exercise extreme caution when confronted with them. Additionally, they should be made aware of just how common it is for data breaches to be initiated internally (accidentally or deliberately) by employees, and educated about how drastic the consequences for the business could be if their actions cause a breach at the organization.
According to the famous saying, popularized by President Harry Truman, when it comes to taking responsibility (and the blame), the buck stops here. For many employees in today’s workplaces, they should be trying their hardest to ensure “the breach stops here” because otherwise, there will continue to be far too many instances where, sadly, “the breach starts here.”