Employees Could Be a Portal to Cyber Attacks
When it comes to data breaches, employee negligence may lack the headline appeal of cyber threats, yet it remains a top concern for privacy and security professionals. Nearly 60 percent of respondents in the ID Experts 2015 Privacy and Security Survey feel that employee negligence is the biggest privacy and security threat. Less than 30 percent viewed cyber criminals as the primary threat.
It is often employees who open the door for cyber criminals to wreak havoc on an organization. “Executives are targets for their potential access to sensitive information,” Brian Contos, chief security strategist for Norse, writes in a Dark Matters article. “Worker bees are similar targets for attackers to gain access into the network and elevate privileges so they can move laterally to find such information. They both represent access roads to the same destination.”
A recent article in Healthcare IT News by ID Experts’ own Rick Kam and Doug Pollack cites a laundry list of cyber-attacks and the data breaches these attacks caused, and then notes that while “cyber attackers exploited various methods—viruses, malware, etc.—to grab information from these organizations…a common thread running through major breaches is human error, whereby people are being fooled into giving thieves back door access into critical information systems.”
Employers Responsible for Employee Misdeeds
Cornell University Law School defines negligence as “a failure to behave with the level of care that someone of ordinary prudence would have exercised under the same circumstances.” Often, an employer may be liable for damages resulting from an employee’s misstep. It’s no wonder, since companies often exhibit their own “failure to behave.” Ted Kobus, who co-leads a 40-person privacy and data team at Baker & Hostetler LLP, told Claims Journal that although “employee negligence is discovered quickly…companies are still not putting into place procedures and policies to have the issue escalated to someone who manages data responses.”
Take a Bite Out of Employee Negligence
In the face of mounting cyber attacks, employee negligence is a greater concern now than ever, and companies must act to shield their employees against these threats. Consider these four steps from the Healthcare IT News article:
Step 1: Practice basic hygiene. “Awareness programs should…promote basic security hygiene reinforced with ongoing information about new threats and the consequences of poor security practices,” the article notes. “At a minimum, every user needs to know that data theft and cyber-attacks are a daily concern, and that what they do in their personal lives can affect their privacy and financial well-being, as well as the organization's.”
Step 2: Don't go phishing. Kam and Pollack say that targeted phishing is usually the first step in a multi-stage cyber-attack. Tips from US-CERT can help cut down on this form of employee negligence:
- Don't open unsolicited emails, and don't click on links or open attachments in them.
- Be suspicious of claims that are too good to be true. Typical examples are weight loss claims, sexual enhancement claims, and people claiming to want to give you large sums of money.
- Be careful in responding to, or providing information in response to, unsolicited emails from banks, the IRS, or other organizations, and don't fall for scare tactics.
Step 3: Practice mobile safety. An employee’s personal mobile device faces the same threats as any other computer. IT departments need to conduct ongoing training and enforce mobile security best practices and habits among employees in order to keep their mobile devices secure:
- Always install OS and other updates with security patches promptly.
- If employees bring their own devices to work, run security software on them.
- Don’t download apps from non-trusted sources.
- Avoid storing business data on personal devices.
- Don’t share a device used at work with a friend or family member. Installing apps is easy, and kids don't think twice about downloading any app that looks appealing.
Step 4: Stop visual hacking. Visual hacking occurs when people steal information by looking at private information on a screen or on paper or by watching someone enter it on a computing device. To combat visual hacking, users need to be trained to be aware of their surroundings. They need to minimize exposure by:
- Working with their backs to the wall when in public areas.
- Using lock screens and securing work areas when leaving their desks.
- Reporting suspicious activity right away.
Human fallibility has been—and always will be—a threat to the privacy and security of sensitive information. But people can also be the strongest security protection you can find. As Kam and Pollack note, “If you can stem the tide of user mistakes and if you can build breach resilience into your workforce, your business partners, and your customers, you'll lose less information and less often.”
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.