Are your organization’s employees a threat to its cybersecurity?
CISOs and other IT leaders have long known that their organization’s own employees pose some of the biggest cybersecurity risks you face. Consider these findings from a survey of IT leaders conducted earlier this summer:
- 56 percent believe employees have picked up poor cybersecurity behaviors since the adoption of remote working practices;
- 54 percent worry that remote workers will bring infected mobile devices into the work environment;
- 67 percent predict a rise in phishing emails targeting employees; and
- 69 percent think that in the new hybrid workplace, ransomware attacks are a huge threat.
Well, IT leaders believe that because employees are a significant cybersecurity threat. They make your organization vulnerable from within — particularly in the post-COVID world.
Even before the pandemic, however, people were considered the weakest link in enterprise cybersecurity. Experts like Bruce Schneier baldly stated: “People are chronically responsible for the failure of security systems.”
In this article, we explore some common cybersecurity risks from employees and strategies to mitigate them.
Common Cybersecurity Risks from Employees
In the digital world, employees and human error are common reasons for cyber-attacks.
When employees use personal devices for work, expand their digital footprint, or handle sensitive data in a remote work environment, they endanger the organization’s information security and increase the risk of data breaches and cyber-attacks.
The most common enterprise cybersecurity risks from employees, particularly in the post-pandemic digital economy, include:
Phishing Attacks
Since 2019, phishing has evolved into one of the most widespread types of data breaches. Following COVID-19, the sudden influx of pandemic-related phishing emails means that this attack vector now causes 36 percent of all breaches, compared to 25 percent in 2020.
Cyber-attackers leverage phishing emails to take advantage of the fear and panic generated by the pandemic. These emails can be challenging to identify because they appear to come from legitimate sources. They usually manipulate employees to:
- Open malware-infected attachments
- Click on compromised links
- Divulge sensitive information or confidential company data
- Share passwords that give threat actors access to company assets
Business email compromise (BEC) is an example of a phishing scam. The threat actors pretend to be co-workers or senior managers requesting information, to trick employees into clicking on links or sharing company data.
Weak Passwords
Despite firewalls, antivirus software, and other IT security tools, weak passwords can — and do — compromise enterprise security.
When passwords are weak, repeated across various accounts, or shared among multiple users, the risk increases that cybercriminals will leverage them to:
- Launch brute force attacks. They try multiple passwords to access enterprise networks
- Attempt credential stuffing. A large number of credentials are automatically entered to access user accounts
- Install keylogger software. Malicious software that tracks user activities to access systems or steal data
- Launch Account Takeover (ATO) attacks. These attacks try to steal enterprise data or user identities
Remote Access
Many organizations have implemented remote work policies to maintain operational continuity in the pandemic-induced era of social distancing.
Remote work might get the work done, but it also exposes a business to new cybersecurity risks. Employees often handle sensitive data over insecure Wi-Fi networks and inadequately secured personal devices. If a bad actor intercepts this information, that can result in identity theft, cyber-extortion, or ransomware attacks.
Use of Teleconferencing Apps
Many remote workers use teleconferencing and other cloud-based apps for collaboration, communication, document-sharing, project management, and more.
Many such tools raise cybersecurity and privacy concerns, since they may share data with third-party advertisers or use video content for targeted ad campaigns. These issues can be particularly concerning for organizations operating in regulated industries like healthcare or financial services.
Strategies to Mitigate Cybersecurity Risks from Employees
Invest in Employee Education
It’s vital to educate your employees about various security risks. Cybersecurity training should touch on phishing, social engineering, BECs, and ransomware. Train employees on how to detect phishing emails, recognize social engineering attempts, and what to do when they suspect a ransomware attack.
Besides focusing on why cybersecurity awareness is important, also encourage employees to develop good cyber-hygiene practices.
Install and Update Security Software
Firewalls, anti-malware, and antivirus software can protect the organization from bad actors. After installation, make sure you regularly patch (update) those applications to assure that new cybersecurity threats can continue to be mitigated before they cause too much harm.
Employees should also be required to update the software on their home routers and personal devices. Make this a part of your security policies and implement a system to find and correct any laggards.
Implement Strong Security Policies
Robust security policies for password creation, use of personal devices, remote access over home Wi-Fi, use of social media during work hours, and so forth can help strengthen enterprise cybersecurity.
When employees know what they can and can’t do, they can improve cybersecurity hygiene and avoid putting the organization at unnecessary risk. Policies also foster a strong cybersecurity culture with enhanced transparency and accountability.
Implement Multi-Factor Authentication
Since passwords are prone to theft and manipulation, consider implementing multi-factor authentication (MFA). MFA adds an extra layer of security by using two or more authentication factors. If your organization has adopted a remote working model, that is especially vulnerable to remote attacks and attacks on vulnerable endpoints. In this scenario, MFA is vital.
Encrypt Data
All company data should be encrypted, especially if it will be accessed, shared, modified, or stored by remote workers. Consider all of the following data types, whether at rest or in transit: emails, financial information, customer information, voicemails, and intellectual property.
Protect Your Business From Cybersecurity Threats with ZenGRC
Reciprocity’s ZenGRC platform helps organizations, including small businesses and large enterprises, identify and address cybersecurity risks from employees and elsewhere.
With a single platform, your IT department can understand risks and evolving threats, view control environments, and monitor and maintain a strong compliance posture. Protect enterprise privacy, minimize third-party risk, and quickly respond to incidents through ZenGRC.
To learn more and schedule your free, no-obligation demo, click here.