As employees, many of us go about our daily tasks without realising the impact our actions could have on our organisation’s security. Simple things like writing a password on a piece of paper or clicking on an unknown link on an email could expose the organisation to a wide range of financial or reputational risks. Here are five seemingly innocent behaviours that could allow hackers to damage an organisation and some golden rules to strengthen cyber secure behaviours in the workplace.
1. Tweeting from the wrong account
Social media is a great way to connect with family, friends and colleagues. It is also a useful way for businesses to connect with customers. However, company social media accounts and passwords need to be protected to prevent misuse. For example, when Syrian hackers took control of the Associated Press’ Twitter account in 2013, and announced to the company’s two million followers that Barack Obama had been injured in an explosion at the White House, the Dow Jones lost $136 billion within just three minutes. While this might be an extreme example, it does illustrate just how serious the effects of unauthorised messages can be.
Despite our best intentions, people are imperfect beings, so it’s important to establish appropriate security controls to reduce the risk of social media misuse. For example, two-factor authentication could be enabled on social accounts, and posts could be required to be verified by another member of the team before distribution.
2. Sending an email to the wrong person
A simple email mistake could have catastrophic consequences. When employees deal with multiple clients, there is always the possibility that the wrong information could accidentally be sent to the wrong client. The results of this could be very serious, impacting both a company’s brand and finances: sensitive company or customer data exposed to a competitor, a client losing trust in a company’s ability to protect its customers’ data, or even the cancellation of a business contract.
One solution to this problem could be to set up a hold on email messages before they are sent out. That way, if you realise you’ve made a mistake, you can take steps to correct the issue before it’s too late, by editing, postponing or even cancelling the original email. Additionally, if you regularly send out sensitive data, then adding password protection or encryption could help to protect the data, making it unreadable to all those except the intended recipient.
3. Sharing pictures from the office party
An innocent picture taken at a social gathering could end up compromising the company you work for. This may sound like a film plot, but if a security badge or ID card with sensitive information is captured in a photo that’s made public, a hacker could steal the information to try and gain access to the premises or carry out social engineering attacks.
It is therefore essential that all images are vetted before they are posted online. If an ID number or any other kind of sensitive data is visible, then those identifiers should be removed before an image is made public.
4. Leaving documents on a printer
Modern multi-storey office buildings can house many companies, with hundreds of employees using the same photocopiers, scanners, and fax machines. In this environment, it’s easy to accidentally leave documents in a printer or scanner, opening up the possibility of sensitive data being lost or stolen. Even writing information on post-it notes or leaving documents on your desk overnight could let sensitive information fall into the wrong hands. To avoid these risks, employees should be aware of the potential security risks of working in shared spaces and ensure that their computers and files are locked when not in use.
In a digital context, the use of unauthorised USB sticks, personal hard drives or external software could all present problems for your organisation. It was recently reported that USB sticks containing malware had been left outside corporate car parks in the hope that unsuspecting victims would connect them to the corporate network, providing attackers with a point of entry. As a good rule of thumb, it is always more secure to use what the company provides and avoid using personal devices or third-party software.
5. Following instructions from your CEO
Phishing emails can have a variety of goals: to encourage you to hand over valuable data, transfer money to a sketchy account, or download something that infects your computer. They usually include official-sounding imperatives that ask you to act on the email’s instructions immediately. While most of us would probably recognise that an email from a Russian model declaring their undying love for us is likely bogus, it can be more difficult to identify a false email from your CEO that demands your immediate action. Even high-level executives are being coerced by attackers leveraging a technique known as Business Email Compromise (BEC) into wiring funds or sharing sensitive information with third-party accounts owned by cybercriminals.
Organisations and boardroom executives alike must arm their workforce with the tools, knowledge and training needed to approach every email with caution and identify malicious attacks. If an email request looks suspicious, you should always seek a second opinion or check with the IT department before acting on anything.
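As an added illustration (not code from the original article) of the kind of check an IT department could run on a suspicious "CEO" request, the Python below flags three common BEC warning signs in constructed sample messages. The corporate domain, the executive list and the sample headers are assumed placeholders, not values from the article.

```python
import email
from email.utils import parseaddr

# Assumed placeholders for illustration only (not from the article).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed sample messages: one genuine, two showing typical BEC tells.
SAMPLES = {
    "legit": (
        "From: Jane Doe <jane.doe@example.com>\r\n"
        "To: staff@example.com\r\n"
        "Subject: Quarterly update\r\n\r\nSee attached.\r\n"
    ),
    "lookalike_domain": (
        "From: Jane Doe <jane.doe@examp1e.com>\r\n"
        "To: finance@example.com\r\n"
        "Subject: Urgent wire transfer\r\n\r\nPlease process today.\r\n"
    ),
    "reply_to_mismatch": (
        "From: Jane Doe <jane.doe@example.com>\r\n"
        "Reply-To: ceo.office@freemail.invalid\r\n"
        "To: finance@example.com\r\n"
        "Subject: Need this handled now\r\n\r\nSend the supplier details.\r\n"
    ),
}


def bec_indicators(raw):
    """Return the list of BEC warning signs found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Display name belongs to an executive, but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("executive display name with unexpected address")
    # 2. Sender domain is outside the organisation (covers lookalike domains).
    if domain != CORPORATE_DOMAIN:
        findings.append("external sender domain")
    # 3. Reply-To silently redirects replies away from the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to differs from sender")
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", bec_indicators(raw) or "no indicators")
```

Any non-empty result is a reason to pause and verify the request through a second channel rather than act on the email.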
Hackers often target employees because they believe humans are the weakest link in an organisation’s cyber security. However, with the right attitude and enablement, they can also become an organisation’s strongest asset. If the entire workforce takes it upon themselves to make cyber security their own responsibility, then the number of successful cyber attacks targeting an organisation can be reduced significantly.
Javvad Malik, security advocate at AlienVault