Pity the cybersecurity department. If people weren’t messing up their perfectly constructed systems, business data would stay safe and secure. However, without the people, there is no business. How do we resolve human behavior introducing risk into a business? Whether it’s taking a more relaxed view when it comes to opening emails or mixing the use of personal and business devices, applications and websites at home, people will naturally use workarounds and shortcuts simply to get the job done. If IT leaders do not develop robust partnerships with the entire workforce, providing solid cybersecurity solutions combined with regular cyber-education programs, then their business’ security posture will be in jeopardy.
Data Privacy Day is a tool which can be used to remind employees of cybersecurity best practices. The ultimate goal of cybersecurity departments must be to ensure that data remains protected and uncompromised. Here are three areas which cybersecurity leaders can explore to minimize, as much as possible, the risks of data breach.
Privileged User Access
A recent survey from Forcepoint and the Ponemon Institute highlights that more than a third of staff across the UK and US have access to sensitive data and locations they do not require for their roles.
Common causes for this are that organizations often fail to revoke particular rights when an employee’s role changes, or there is a blanket policy where everyone at a certain level is automatically granted access. Some IT professionals even indicated that the organization assigned them with privileged access for no apparent reason – a particularly worrying trend.
The risk caused by over privileged users is not new, nor is it going away, but it does make the work of the attacker a lot easier.
Properly managing privileged, administrator level accounts with, for example, appropriate controls such as two-factor authentication should be a high priority. It was reported in 2017 that Deloitte’s Azure-based email system was targeted by criminals who found an admin account which only required a single password to gain access. As a consequence of this action, the entire email system of up to 244,000 employees was compromised with significant reputational loss reported in the press.
Out of Office and Business Email Attacks
Business email compromise attacks are becoming more and more common, but organizations may not be aware of the threat that the simple out of office reply can pose.
Providing extra detail in out of office messages can seem like a way to help employees truly switch off, and avoid work-related requests whilst on leave. However, employees and managers should think twice about exactly what they are sharing in these notifications before they log off, as any names and phone numbers listed can prove useful intelligence for those planning phishing, impersonation or other social engineering attacks.
By knowing who reports to who, and potentially even receiving contact details that might not be publicly available, threat actors can get to work. With email addresses of senior leaders, attackers could use them to impersonate and send false requests for payment, access or more. Details might identify those responsible for making higher-level decisions, helping other kinds of entry into networks and access to sensitive data.
Once sensitive details are shared, these can be used in a larger sequence of events. If an attacker combines this information with a compromised business email system, such as a supplier, then it could be a very effective phishing attack.
Human Error
Finally, one of the biggest risks to an organization is human error. As the country continues to work remotely during a third lockdown with no end in sight, it is unsurprising that the stresses of working at home are opening businesses up to cybersecurity attacks due to human mistakes. Employers should be aware of – and understanding of – the challenges that people face.
This is particularly important as the lines between remote working and personal life begin to blur, with many employees now working longer hours and struggling to keep life and work separate. Remote working means that checking emails at all hours of the day or at weekends is very easy. A single mistake from a distracted employee, whether that is uncritically clicking a link, downloading an attachment or responding to a seemingly genuine request to share sensitive details, could be all it takes to open organizations up to an attack.
As employees deal with new ways of working, organizations should ensure that cybersecurity is as transparent to the users as possible. Furthermore, support in the form of coaching should be given to ensure that employees understand why they may be prevented from using tools that they would normally use on personal devices.
Combatting the Risks
To mitigate these risks, humans should first and foremost be viewed as the frontline of any cyber defense. Training will help employees understand cyber-criminals’ thinking around business email compromise attacks and create a procedure for them to raise the alarm when they receive requests for fund transfers or passing on confidential data. Businesses should also ensure staff take extra care in double checking what information they’re giving away automatically in out-of-office responses or in speculative emails.
Businesses should of course have web security and email security solutions in place to counter attacks before they have started. Multi-factor authentication on email accounts can stop hackers obtaining access to legitimate email accounts as it allows for dynamic policy changes and step-up authentication, significant controls in securing critical data.
Organizations can also consider adding behavior and user activity monitoring to their cybersecurity systems. These solutions can determine the context and intent of a particular user’s actions, protecting those who have had their accounts compromised, and shedding light on accidental breaches. In particular, organizations must do a better job of tracking users with privileged access and ensuring that once access is granted, IT teams have a continuous understanding of how users interact with data, in order to prevent and respond to data breaches.
User activity monitoring can spot any anomalous activity, flagging if a user attempts to access unauthorized files or suddenly starts behaving out of context, for example downloading large quantities of data, or logging on from multiple remote locations in a short period of time. When these programs are introduced, they must be done in partnership with the broader organization, including worker advocates, HR and legal departments: if the whole organization and each employee understands how and why these systems are in place, security will be strengthened across the business.
By creating an environment where privacy, culture and security act as one, businesses will be able to maintain a relationship of trust with their employees and safeguard their data, now and into the future.
While there is still a lot of uncertainty as to what we can expect in 2021, one thing is for sure. Data privacy is more important than ever. With the right education, controls and technology, organizations can keep cybersecurity front of mind, ensuring data remains protected and uncompromised.