Why employees are your biggest cyber security risk

Businesses seem to be constantly at risk, whether it’s from website data breaches, cyber attacks or malicious emails and employees could be the biggest cyber security risk. Why and what are the most common security threats?

Lack of awareness

One of the biggest reasons for employees being a security risk is that they are unaware of what they should and shouldn’t be doing. They may be unaware of devices being connected to an insecure Wi-Fi network or that they shouldn’t be storing customer details on a USB.

As a business, you should review your internal processes and training. Something the GDPR set out to do — to protect personal information. When you’re unsure of where to start, having an external company review your processes can be a great step in protecting your business.

This could be reviewing your processes thoroughly, through to becoming ISO accredited to boost your security, employee knowledge and business credentials with potential clients.

Cyber crime cost companies in the UK £1,079,447,765 in 2016 — a lack of cyber security knowledge is an expensive mistake to make.

Phishing emails

Symantec found that 71% of all targeted attacks started with phishing scams. These are emails sent by criminals that look to have been sent by a legitimate company and ask for sensitive information.

Often, these contain a link within the email which takes you to a very believable, fake website with a form for you to input your details. This information is then sent to straight to the crooks who created the website, ready for them to sell or use your data. They may ask for passwords, credit card details or usernames, anything they can use to sell or use illegally.

Telltale signs of a phishing email:

● Not addressing you by name (referring to you as “Customer”)
● Typos or spelling mistakes
● The ‘From’ email address doesn’t appear to be who it says it’s from
● Requesting you to open links or attachments. If it doesn’t seem legitimate, don’t click any attachments or links
● If in doubt, call the sender

Using unsecured networks

Your employees may not be aware of the risks of using any device, work or personal, on an unsecured network. This could be the free Wi-Fi in the local café or on the train to a business meeting.

These types of connections may not encrypt your data, meaning it could be intercepted and fall into the wrong hands. Where data is sent in an unencrypted format, such as plain text, you are allowing crooks access to potentially sensitive and valuable information.

Accessing emails and social media is a risk on an unsecured network as you could unintentionally leak passwords or other sensitive information. While accessing a banking app could open up your bank accounts to criminals hacking the network.

It is also easy for viruses and malicious software to be distributed across multiple devices, laying the groundwork for staging DoS or DDoS attacks on websites or networks. More recently, cyber security software provider, Symantec, has seen an 8500%  increase in coin miner malware and an unsecured network is one way in.

Top tip: Use a VPN (Virtual Private Network) to protect yourself from unsecured networks when working on the move. This provides encryption on data moving between you and your end user.

Storing sensitive data

Staff should never store personal or business sensitive information on external hard drives, USBs or even printing it out to take out of the office. GDPR legislation has been put in place to ensure all personal data is well protected but having it on a portable device or printed puts it at risk.

It’s easy for it to fall into the wrong hands. Take Heathrow Airport for example, which was fined £120,000 for a data breach for losing a USB containing sensitive information. Luckily, it didn’t fall into the wrong hands. But this is a prime example of how easy it is to lose data, when it is easily preventable.

Top tip: Train staff on exactly what personal data they should have access to, how they should store it and how they should destroy or delete it. Having strong passwords is vital for not just documents containing personal data, but your logins for tools and devices.

Installing illegitimate apps and programmes

Whether on a mobile device, a browser extension or a new programme, there are thousands of apps uploaded every day that are riddled with malware. Apps and extensions from legitimate sources (e.g. the Apple Store) are constantly being checked to ensure they aren’t malicious but some do slip through the net.

These apps can be doing a range of things in the background of your device, from stealing data and leaking mobile numbers, to infecting other devices on the same network.

Top tips: check the reviews for any app before downloading and research it before installing on your device. Download apps from official stores only as some malicious apps disguise themselves as a genuine app.

Not updating software

This is a common cause for leaving your networks and devices open to hackers. System updates and upgrades tend to be done to not just modify the usability or design of the programme, but also add new security features to protect it from potential hacks.

Employees may not be aware that by not keeping on top of system updates, they are unknowingly leaving themselves open to attacks. Carry out regular updates of any software you’re using to increase company protection. It can be very costly and tricky to get out of this situation.

Internet of Things

You also need to consider the ever-changing Internet of Things (IoT), which according to Symantec, had 600% more attacks in 2017 than the previous year. Many companies have multiple devices, all connected to the same network, most of which will be carrying out business critical processes.

For example, a factory may have labelling, cleaning and capping machines all connected to the Wi-Fi. An employee could unknowingly connect their mobile device to the same network and download an app contaminated with a virus. This then has the potential to carry out a DDoS attack on not only the mobile device, but also every connection to that network, halting production, costing time and money.

For this reason, training on which Wi-Fi networks are suitable for downloading apps, and having a private network for your IoT is highly recommended.

Top tips: ensure your IoT devices have secure passwords to access them. Disconnect devices from the internet if they don’t need to be connected. Deploy a strong firewall and firmware protection.

While your employees may pose a security risk, with the right training you can reduce the risk of falling victim to cyber crime. The important thing is to assess your business, uncover any weak points and communicate the best processes to all staff.