A couple of years ago, TechRepublic ran a story with the following headline: “Employees Are Almost As Dangerous To Business As Hackers And Cybercriminals.” From the perspective of the business, you might think that’s simply inaccurate. Your company strives to hire the best people it can find – people who are good at their jobs and would never dream of putting their own employer at risk of a cyber-attack.
Where does this weakness come from? It stems from several different things and varies from business to business, but a big chunk of it comes down to employee behavior.
We all make mistakes. Unfortunately, some mistakes can have serious consequences. Here’s an example: an employee receives an e-mail from their boss. The boss wants the employee to buy several gift cards and then send the gift card codes to them as soon as possible. The message may say, “I trust you with this,” and work to build urgency within the employee.
The problem is that it’s fake. A scammer is using an e-mail address similar to what the manager, supervisor, or other company leaders might use. It’s a phishing scam, and it works. While it doesn’t necessarily compromise your IT security internally, it showcases gaps in employee knowledge.
Another common example, also through e-mail, is for cybercriminals to send files or links that install malware on company computers. The criminals once again disguise the e-mail as a legitimate message from someone within the company, a vendor, a bank, or another company the employee may be familiar with.
It’s that familiarity that can trip up employees. All criminals have to do is add a sense of urgency, and the employee may click the link without giving more thought.
This happens when an employee clicks a link without thinking. It could be because the employee doesn’t have the training to identify fraudulent e-mails or the company might not have a comprehensive IT security policy in place.
Another form of carelessness is unsafe browsing habits. When employees browse the web, whether it’s for research or anything related to their job or for personal use, they should always do so in the safest way possible. Tell employees to avoid navigating to “bad” websites and do not click any link they can’t verify (such as ads).
Bad websites are fairly subjective, but one thing any web user should look for is “HTTPS” at the beginning of any web address. The “s” tells you the site is secure. If that “s” is not there, the website lacks proper security. If you input sensitive data into that website, such as your name, e-mail address, contact information, or financial information, you cannot verify the security of that information and it may end up in the hands of cybercriminals.
Another example of carelessness is poor password management. It’s common for people to use simple passwords and to use the same passwords across multiple websites. If your employees are doing this, it can put your business at a huge risk. If hackers get ahold of any of those passwords, who knows what they might be able to access. A strict password policy is a must for every business.
And yet, many employees do, and it’s almost always unintentional. Your employees aren’t thinking of ways to compromise your network or trying to put malware or ransomware on company computers, but it happens. One Kaspersky study found that 52% of businesses recognize that their employees are “their biggest weakness in IT security.”
Turn Weakness Into Strength
The best way to overcome the human weakness in your IT security is through education. An IT security policy is a good start, but it must be enforced and understood. Employees need to know what behaviors are unacceptable, but they also need to be aware of the threats that exist. They need resources they can count on as threats arise so they may be dealt with properly. Working with an MSP or IT services firm may be the answer – they can help you lay the foundation to turn this weakness into a strength.
Almost all cybersecurity breaches began with human error (someone clicking on a link in an e-mail, accidentally downloading a virus, or falling for a phishing scam). We strongly recommend you provide all employees cybersecurity awareness training that not only teaches them how to spot a scam but also conducts simulated phishing tests to see if what they’ve learned actually “sticks” and is being used.