Your security offering is only as effective as its weakest link, and often that link is your customer’s employees.
by Nathan Bradbury, Manager, Systems Engineering, Barracuda MSP
No matter how robust a cybersecurity system you put in place or how much you lock down a network or devices, the weakest link in a company’s security armor remains its employees. While some employees may be engaging in deliberate, malicious activity, most employees share sensitive company data accidentally. For instance, some employees share sensitive data after falling prey to a social engineering attack.
A couple of years ago, Dell surveyed professionals who handle confidential data at companies with 250 or more employees. They found that 72 percent of employees were willing to share “sensitive, confidential or regulated company information,” mainly to do their jobs more efficiently and effectively. Additionally, the survey found that 45 percent of employees admitted to engaging in unsafe behaviors during the workday, including connecting to public WiFi to access sensitive information, using personal email for work, or losing a company-issued phone or computer.
Cybercriminals are wasting no time exploiting these human weaknesses. Since the beginning of 2020, researchers at Barracuda have found 6,170 malicious accounts that use Gmail, AOL and other email services and were responsible for more than 100,000 business email compromise (BEC) attacks on nearly 6,600 organizations. In fact, since April 1, malicious accounts have been behind 45 percent of the BEC attacks detected.
Barracuda researchers also found that in many cases cybercriminals used the same email addresses to attack different organizations. The number of organizations attacked by each malicious account ranged from one to a mass scale attack that impacted 256 organizations.
While those numbers might be surprising, the reasons why employees fall for BEC attacks shouldn’t be. Not only do these attacks appear to be legitimate, but staff frequently skirt security protocols to complete a task more quickly, or because existing security practices or systems are seen as cumbersome or difficult to use or adhere to.
Asked why they were willing to share confidential information, employees often say they believed that:
- they are being directed to do so by a manager
- they are sharing it with a person authorized to receive it
- there is a low risk and high benefit
- it will help them do their job more effectively
- it will help the recipient do their job more effectively.
Without proper context and education, security systems are often seen as an obstacle. Employees feel that IT security slows down their work, and they struggle to keep up with changing security guidelines and policies.
Employees Need Guidance
In fast-paced, understaffed work environments, employees often have to make judgment calls on sharing data independently. Training is essential, but it should be tailored to help empower employees and reduce the friction between getting their work done effectively while still securing data and minimizing the need for on-the-fly judgment calls. There are a few steps that companies can follow to improve both training and employee compliance.
Establish clear business procedures and policies. Many companies either don’t have written policies, or fail to update them regularly. These policies should define what confidential or sensitive material is and outline how that information can be accessed, sent, and stored.
Implement roles-based access to data. Accidental data sharing is much less likely to occur if users can’t access data that isn’t necessary for their jobs. If there’s a breach or a theft of credentials, this approach can also minimize the damage.
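As an added illustration of the role-based access point above (example code, not from the article or from Barracuda), the following Python models deny-by-default access checks and two reviews a defender would run on top of them: the "blast radius" of a single stolen credential, and grants a user holds but never uses, which are candidates for removal. The roles, users, and access log lines are constructed sample data.

```python
"""Deny-by-default role-based access control with two least-privilege reviews.

Added example with constructed sample data; role names, users and the
access-log format are assumptions, not taken from any real system.
"""

# Permissions are (resource, action) pairs. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "finance": {("payroll", "read"), ("payroll", "write"), ("invoices", "read")},
    "sales": {("crm", "read"), ("crm", "write"), ("invoices", "read")},
    "support": {("tickets", "read"), ("tickets", "write")},
}

# Constructed users; each holds only the roles the job needs.
USER_ROLES = {
    "alice": {"finance"},
    "bob": {"sales"},
    "carol": {"support", "sales"},
}

# Constructed access-log lines: "<user> <resource> <action>".
ACCESS_LOG = [
    "alice payroll read",
    "alice payroll read",
    "alice invoices read",
    "bob crm write",
    "bob payroll read",  # request outside bob's role: should be denied
]


def granted_permissions(user):
    """Union of (resource, action) pairs granted by all of the user's roles."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, resource, action):
    """Deny by default: unknown users, unknown roles and unlisted pairs all fail."""
    return (resource, action) in granted_permissions(user)


def reachable_resources(user):
    """Blast radius: resources a credential stolen from `user` could touch."""
    return {resource for resource, _ in granted_permissions(user)}


def audit_log(lines):
    """Evaluate each log line against the policy.

    Returns a list of (user, resource, action, allowed) tuples; denied entries
    are the ones worth alerting on, since they show access attempts outside a
    user's role.
    """
    results = []
    for line in lines:
        user, resource, action = line.split()
        results.append((user, resource, action, is_allowed(user, resource, action)))
    return results


def unused_grants(user, lines):
    """Grants the user holds but has never exercised in the observed log.

    These are the first candidates for removal in a least-privilege review:
    dropping them narrows the damage from accidental sharing or credential theft
    without changing anything the user actually does.
    """
    used = {(r, a) for u, r, a, ok in audit_log(lines) if u == user and ok}
    return granted_permissions(user) - used


if __name__ == "__main__":
    for entry in audit_log(ACCESS_LOG):
        print(("ALLOW" if entry[3] else "DENY "), *entry[:3])
    for user in USER_ROLES:
        print(user, "reaches", sorted(reachable_resources(user)),
              "unused grants", sorted(unused_grants(user, ACCESS_LOG)))
```

Running the script reports bob's payroll request as denied, shows that carol's two roles give a stolen credential a wider reach than either role alone, and flags alice's unused `payroll write` grant for review. In a real deployment the permission tables would come from the directory or IAM system and the log from the application or proxy, but the review logic is the same.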
Give employees the necessary resources to comply. Make sure they’re using a secure corporate email system (not their personal email) to access and share information, as well as multi-factor authentication (MFA) when logging into their accounts. Your IT infrastructure should be built around secure access using verified identities, and you should have the technology in place to monitor email traffic, encrypt data, and identify potential breaches and employee non-compliance.
Reinforce policies and procedures. Where possible, implement a reward system for compliance and for identifying potential vulnerabilities, and set up disciplinary measures for any violations.
Make sure training includes showing employees how to spot sophisticated phishing and social engineering attacks, and how following company policies (such as verbal or in-person confirmation of a money transfer) can help reduce risk.
Engage employees in policymaking and IT solution decision-making. Make sure the IT team is engaged with employees to identify where productivity bottlenecks might occur as a result of the security tools or policies. If the solutions are too cumbersome, employees will find a way around them and create new vulnerabilities. Security must not suppress productivity.
Protect corporate data wherever it may reside. As more employees are working from home, an approach that focuses on the data center is outmoded. Security must encompass personal and company-issued devices, the cloud, and internal and external networks. Security rights and policies should follow the user to the network edge.
Training is critical, but it must be built on a foundation of sound policies, robust technology, and security solutions that are designed to help employees do their jobs.
Nathan Bradbury is Manager of Systems Engineering for Barracuda MSP, a provider of security and data protection solutions for managed services providers.