Employees and cyber security

Employees may be your weakest link in cyber security


No matter how good your cyber security system is, it’s only as good as your weakest link. More often than not, this is your employees.

No one is immune to making a mistake, and it only takes one forgotten step or a wrong click to bring down your entire network. Hackers are setting digital traps everywhere to profit from that one mistake, so the odds often favour them breaking into your network over you keeping them out.

Just consider these sobering facts about cyber-attacks:

  • The Australian Crime Commission calculated that the total cost of cyber-crimes in one year in Australia is more than $1 billion.
  • The Norton Cybercrime report also confirmed that Australia’s annual expenses from cyber crime are around $2 billion.
  • In 2016, a ransom virus accidentally opened by an employee through their work email shut down the entire Royal Melbourne Hospital’s pathology department.
  • The ACC Foundation’s ‘State of Cyber Security Report’ found that most data breaches are either the result of staff errors or an inside job.
  • After a data theft, the American banking giant JPMorgan increased cyber security spending to protect their networks. Nevertheless, when the security team tested the staff with a fake phishing email just a few weeks after making changes, 20 percent of the bank’s employees still opened it. Without making routine internal assessments like this, most businesses will have the same holes in their security.

The conclusion: all of us need better cyber security.

How can you increase awareness of cyber security within your company?

The fact is that every single employee who has access to your network must understand how to protect the network. Carelessness isn’t acceptable anymore, with so much data now stored online and at risk. Hackers are exceptionally good at targeting precisely the people who may use the network the least – or are likely to have the least amount of training in cyber security best practices. These people make the best targets; typically, they’re in human resources, the purchasing division or positions that involve less “tech work” and more hands-on activities.

Take these six steps to help protect your network:

  1. Increase awareness: Awareness of cyber security has to become part of your daily organisational culture. Send out regular reminders to everyone about when to change passwords. Discuss how to make better passwords and remember them in convenient ways. Help staff create backup plans for what to do if they lose one of their devices that they regularly use to access network files. Does everyone have extra backups saved of their important work? Do they use multi-factor authentication to log in?
  2. Ongoing assessments: Make cyber-risk assessments an ongoing process to keep your staff alert. Don’t just respond to specific events and call it a day. That means your IT team should routinely test the strength of your network’s infrastructure as well as the security of the email applications that your employees use daily. Managed security services can provide you with regular vulnerability assessments that look for your weakest areas of security and plan how to strengthen them.
  3. Always test new infrastructure: Evaluate the strength of your network’s security every time someone adds a router, replaces a server or implements new software. Along with these tests, develop incident-response plans so that everyone knows exactly what they need to do in case of a network breach or suspicious network activity.
  4. Educate employees: Educate employees about the latest “spear-phishing” attacks. These threats are highly personalised, so they look like innocent messages from people you know. They entice victims to click a link or open an attachment that launches malware, giving hackers access to the user’s computer or the whole corporate network. They can also arrive via text message, social media or even flash drives. These attacks are particularly dangerous because they often bypass anti-virus software, which treats them as normal messages from trusted sources.

People too easily fall prey to messages with familiar logos, brand names or common phrases like “Sent from my iPhone” that make people trust them. That’s why phishers will often include elements like these in their messages.

A common belief is that mobile operating systems are more secure than computer connections, but this is simply not true. Also untrue is the notion that a PDF file is safer to download than a Word document; hackers can easily infect both kinds of files with malware. Furthermore, Wi-Fi hotspots aren’t inherently safe, not even if they’re sponsored by Google. All of these common misconceptions require discussion during cyber security training.

  5. Allocate responsibilities: Put someone in charge of actively monitoring user accounts in your network, especially inactive user accounts. Inactive accounts are the easiest avenue for outsiders to access your network. Best practices to prevent this vulnerability include revoking account access from anyone as soon as their contract ends. You could even disable accounts if employees are taking an extended leave from work. You can also create systems to automatically log off users who remain inactive for some time and activate screen locks to protect their equipment.

Further measures, such as monitoring login times and noting when unusual activity occurs, can help a great deal. You can also track attempts to log in to a deactivated account to track hacker activity.
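As an added example (not from the article or Stickman’s own tooling), the checks described in this step run over a few constructed authentication events in Python: attempts against deactivated accounts, active accounts that should be disabled because the contract has ended or the account has sat idle, and successful logins outside office hours. The account table, the events and the 30-day idle threshold are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real accounts or logs): directory status plus auth events.
ACCOUNTS = {
    "alice": {"status": "active", "contract_end": None},
    "bob":   {"status": "active", "contract_end": "2024-03-31"},  # contract over, still enabled
    "carol": {"status": "disabled", "contract_end": "2024-01-15"},
    "dave":  {"status": "active", "contract_end": None},
}
EVENTS = [  # (ISO timestamp, username, outcome)
    ("2024-02-01T08:00:00", "dave", "success"),   # last seen over two months ago
    ("2024-04-02T09:05:00", "alice", "success"),
    ("2024-04-02T03:12:00", "alice", "success"),  # login well outside office hours
    ("2024-04-03T10:00:00", "carol", "failure"),  # attempt against a deactivated account
    ("2024-04-03T10:01:00", "carol", "failure"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def disabled_account_attempts(events, accounts):
    """Any attempt, successful or not, against a disabled account deserves an alert."""
    return [(ts, user) for ts, user, _ in events
            if accounts.get(user, {}).get("status") == "disabled"]

def accounts_to_disable(events, accounts, now, max_idle_days=30):
    """Active accounts whose contract has ended or that have been idle too long."""
    last_success = {}
    for ts, user, outcome in events:
        if outcome == "success":
            last_success[user] = max(last_success.get(user, parse(ts)), parse(ts))
    flagged = []
    for user, info in accounts.items():
        if info["status"] != "active":
            continue
        end = info["contract_end"]
        contract_over = end is not None and parse(end) < now
        seen = last_success.get(user)
        idle = seen is None or now - seen > timedelta(days=max_idle_days)
        if contract_over or idle:
            flagged.append(user)
    return sorted(flagged)

def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside the business-hours window [start_hour, end_hour)."""
    return [(ts, user) for ts, user, outcome in events
            if outcome == "success" and not start_hour <= parse(ts).hour < end_hour]
```

In practice the events would come from your directory or SIEM, and each flagged result would feed a ticket to the person given responsibility in this step.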

  6. Stay current: Finally, always stay up to date with the latest cyber security developments. Making education modules smaller and refreshing knowledge regularly will make it easier for your team to keep learning and stay sharp at work.

Just as cyber security needs to be a regular process rather than a one-off activity, none of the steps above works in isolation from the others. What you need is a cyber security framework.

A cyber security framework is a way for you to assess the risks of breaches and problems in cyber security in the most cost-effective way. It analyses your activities, looks at your management of risk, and figures out your intended outcomes in each area of your work.

Stickman can provide you with the cyber security framework that you need, for organisations big and small. When your employees could be your biggest security risk, it’s important that they’re educated and managed through a cyber security framework that makes sure you’re winning, and not the hackers.

If you’d like to know more, just get in touch with us via our contact page. We’re always happy to help you.

Suhaas Madhyastha

Suhaas Madhyastha is Stickman's National Cyber Security Manager and assists clients to deploy our 'cyber security by design' methodology, which incorporates the NIST Cybersecurity Framework.
