According to a Fortinet report, some 90% of UK cybersecurity breaches were caused by human error. Around the world, similar statistics show that human mistakes or oversights still lead to the majority of breaches. Even with the best technology and security applications that the cloud has to offer, this research shows that people remain the weakest point in the chain and need to be trained in best practices to ensure they aren’t the cause of your next leak.
Once a cloud service misconfiguration is known to hackers, they will pummel endless applications or services to try and break-in, regardless of the business, its size or area operations. Similarly, easy-to-guess passwords are tried endless against email accounts, Google Docs or Microsoft Office log-ins and other apps in massive numbers, with the human element again the source of that weakness.
In short, people create more risk than the spectre of some notorious foreign hacking ring. Yes, hackers will take advantage of any weaknesses, but if your workers are aware of common mistakes and issues, your business will be more secure and your people better prepared against common threats.
Using strong passwords, passphrases and MFA
A username and password might have been a good idea at the start of the business computing era, but in the 21st century they’re terrible concepts. Most firms adopt the email address as an ID which people immediately distribute far and wide for valid reasons. These rapidly end up on scammer or hacker lists and, when combined with a weak choice of password, are easy ways for breaches to occur. Using a non-email address ID is an improvement, but many cloud systems rely on them. Strong passwords are an improvement, but not if people use them for various sites and services.
Increasingly, longer passphrases are a better choice at defeating hackers’ automated attempts, and are often more memorable. Bolstering these with multi-factor authentication (MFA) is even better, requiring a mobile device to authenticate the user’s identity.
The endless phishing war
With the widespread collection of business emails, phishing is a more targeted effort by hackers, looking to lure the unprepared, distracted or tired worker into an easy mistake. Over three billion are sent daily, with most ending up in a spam folder or are trapped by business filters. But cleverly targeted and personalised ones are just as convincing as a real work email.
They might make a specific request, demand a common action or seem like they come from a senior leader or boss. Falling for these types of scams can take just a second to open a malware-laden file or send money to a dodgy account. Training workers about what to look out for and when to take a breath and a more detailed inspection of an urgent-sounding message should be part of any onboarding for new hires.
Firms can also regularly test users with fake phishing emails to check they’re following guidelines. Many email providers also provide a phishing alert button to alert IT to any suspicious messages. These simple steps raise awareness and reduce the risk to the business at minimal cost.
Using unofficial or insecure services
Your employees want to use the best or least intrusive tools to get their job done. Many companies find workers using apps unofficially, as so-called “shadow IT.” Firms need to keep a check on what applications people are using, from unofficial freeware tools or mobile apps to cloud services.
That’s especially true of very niche or foreign-based cloud apps that could see business data stored on servers in countries with weak security standards. There are whole fake or clone app markets for business applications in the cloud or on mobile devices that workers can easily stumble across as a solution to whatever business problem they have, leading them and your business into a world of trouble.
It’s therefore important to teach all workers that they should go through proper channels to acquire access to a service, no matter how trivial in the big scheme of day-to-day business. Supporting this effort, corporate policies must be built into the IT security infrastructure (for example, email filters, firewall rules, traffic segmentation, or sandboxing suspicious files) to protect employees.
Keeping data secure and using secure connections
As well as risking data being stored beyond official sources, workers are also likely to use unofficial storage for business purposes. This can be personal cloud storage like Box or Google Drive, personal bring-your-own-device (BYOD) storage as well as sending data to personal emails or other places.
Each time this happens, it creates an element of risk for the business. People need to be trained not to do this, and IT systems are in place to limit files being sent to unofficial locations. Every small step helps protect businesses, as it only takes one BYOD device to have the wrong sort of malware installed for that data to end up somewhere it could cause practical or reputational damage to the business.
COVID-19 brought remote work to many companies that are new to the concept. That means business services connected to home routers, coffee shop or airport wireless networks and mobile hotspots.
Again, it only takes one of these to be compromised for business data to end up places it shouldn’t. An official route to business connections, using virtual private networks (VPNs), encryption services to protect data travelling over the public internet and other efforts should be installed across the business, on every device, to protect data and prevent users from making expensive device connections and data mistakes.
There’s a daily battle to make businesses more resilient to the threats out there, and teaching people is a key part of that fight beyond relying on technology. Assuming your firm isn’t important to hackers or that your people are all smart enough isn’t a logical or sensible approach, and every firm should be taking the time to improve everybody’s understanding of the threats lined up against all firms.
Further reading:
Access the latest business knowledge in IT
Get Access
Comments
Join the conversation...