In the End, Employees Are the Linchpin of Enterprise Cybersecurity

Posted on by Robert Ackerman

Rightly or wrongly, the mass media is not infrequently accused of playing up negative or scandalous news without proper context, and this includes news about high-profile cyberattacks. Breaches at the likes of giant corporations such as Equifax, Sony Entertainment and Target are disquieting and appear to be must-reading, but are they typical or are they outliers?

By and large, they are outliers, dwarfed by much smaller but more common and more dangerous ransomware attacks at hospitals or bone-chilling breaches at the National Security Agency and other government institutions. These incidents also make the news, but barely.

Big headlines sell news. So in the eyes of the media, the bigger and more prominent the breach, the better.

The problem with this is that it distorts the big picture. High-profile cyber-breaches often miss the forest for the trees. Security technology was violated, news reports say, as if this and this alone explains the breach.

Fact is, it does not. 

Too often, what is scarcely mentioned was the accompanying breakdown in cybersafety, i.e., the adoption by employees of safe practices when using the Internet to prevent attacks. Typically, this breakdown is as responsible as anything else for the breach.

According to Security Intelligence,  nearly 75% of cyber-breaches in the US are due to employee negligence, mostly unintentional.  A separate study by the University of Alabama found that the same percentage of employees also uploaded classified work files to personal cloud accounts.  And IBM also unearthed  huge internal problems when its X-Force Threat Intelligence Index last year found that human error in the form of basic judgments accounted for more than two-thirds of all compromised online records in 2017.

Errors included storing intellectual property on an insecure personal device, falling for phishing emails or misconfiguring cloud servers.

Most major corporations and many smaller ones provide cybersecurity training to their rank-and-file employees, but making them regard this as a top priority is easier said than done. After all, they have many items to attend to on their to-do lists and no shortage of deadlines to meet.

Companies must make a point of creating an official cybersecurity training plan if one doesn’t already exist. Also crucial is starting awareness training during onboarding. This is when most new employees are gaining access to accounts, creating their passwords and learning about processes. This, in short, is when they really listen.

Also important are regular updates on threats, new scams and viruses, software updates and other important cybersecurity information. And it’s smart policy to show employees the value of what they are being asked to do as it pertains to their personal safety and security, not just the company’s interests.

Perhaps most helpful of all would be the addition of cybersecurity provisions to the Health and Safety at Work Act of 1974. This law has had a dramatic impact on reducing accidents in the workplace, particularly within industrial settings. Today, it controls the safety of much manufacturing equipment, how much time professional drivers can spend behind the wheel and even how long an employee can stare at a computer screen.

Cybersecurity provisions should be added to the law because successful attacks on critical infrastructure, such as the energy grid, aren’t limited to the loss of consumer data and damage to reputations. They can also jeopardize individual safety.

Alas, new legal requirements will not become law anytime soon. So, for now, the burden of compliance is on company employees, and likely will remain so. They are the gate keepers of enterprise security, whether working in the office or at home on personal systems that may be used to access enterprise networks. Adversaries typically deem humans the weakest security link.

With this in mind, here is a list of reminders of key steps all employees should take to enhance their security protection, both in the office, and if and when they travel abroad.

+ Realize that you are an attractive target to hackers. Don’t ever say, “It won’t happen to me.”

+ Practice good password management. Use a strong mix of characters, and don’t use the same password for multiple sites. Don’t share your password with others and don’t write it down.

+ Never leave your devices unattended. If you need to leave your computer, phone or tablet for any length of time, lock it up so no one can use it while you’re gone. If you keep sensitive information on a flash drive or external hard drive, also make sure to lock it up.

+ Always be careful when clicking on attachments or links in an email. If it’s unexpected or suspicious for any reason, don’t click on it.

+ Make sure your anti-virus software is always up to date.

+ Be careful of what you plug into your computer. Malware can be spread through infected flash drives, external hard drives and even smartphones.

+ Watch what you’re sharing on social networks. Criminals can befriend you and easily gain access to a stunning amount of information—where you go to school, where you work and when you’re on vacation, all helping them gain access to more valuable data.

+ Offline, be wary of social engineering, where someone attempts to gain information from you through manipulation. If someone calls or emails you asking for sensitive information, say no. You can always call the company directly to verify credentials before giving out any information.

+ Be sure to monitor your accounts for any suspicious activity. If you see something unfamiliar, it could be a sign that you’ve been compromised.

+ When abroad, avoid unencrypted Wi-Fi networks by asking your hotel about its security protocol before connecting to the web. Be extra cautious using Internet cafes and free Wi-Fi hotspots. If you must use them, avoid accessing personal accounts or sensitive data while connected to that network.

+ Also disable auto connect when traveling abroad. Change this setting so that your smartphone and laptop must be manually connected each time you want access to the web.

+ Minimize location sharing as well. It creates a security threat at home base, signaling you are neither in your hotel room nor your home and thus vulnerable to physical intrusion.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs