Before we explain how an employee can become a risk, we want to clarify the different kinds of insider threats that might surface, so they are easier to spot:
Most of the time, employees aren't intentionally trying to cause a cyberattack. As it turns out, more than two out of three insider threat incidents are caused by negligence. The average cost of an incident caused by employee negligence is about $307,000, and it can climb higher depending on the type of attack and how badly the business is affected.
There are multiple reasons negligence occurs in the workplace. First and foremost, we are all human beings who make mistakes. Sometimes a person is caught off guard and doesn't realize the damage until it is already done. Then there is the failure to report: more than 40% of employees don't report potential phishing out of fear of getting in trouble. No one wants to be the reason a virus got into a system or a breach occurred, but it can happen, and it is better to report it sooner rather than later. Early reporting lets IT security staff start investigating, isolate the affected systems and cut off the intruder before any valuable data is collected.
Another huge risk many employees take is reusing passwords or writing them down. Poor credential hygiene like this is one of the fastest ways your company could experience a data breach: a password leaked from one site is tried against every other account the person has. Unfortunately, even though 90% of participants in a password habits survey knew the risk of password reuse, 59% of them admitted to doing it anyway. Sometimes people need to learn lessons the hard way, but hopefully not at the cost of hundreds of thousands of dollars to your small or midsized business.
The risks above assume the employee's intent is accidental. Unfortunately, there are also disgruntled employees who can wreak havoc by handing an attacker clear access to your database. Warning signs include taking data with them when they leave for good, or selling their still-functional access credentials on the dark web after they've left the company. Stolen, legitimate network credentials sell on the dark web for anywhere from $3,000 up to $120,000, depending on the company and the level of privilege on the account. This doesn't have to be a terminated employee, either: third-party vendors can just as easily hand passwords to hackers.
We've also mentioned zombie accounts that might still be accessible in your IT systems. Employees transitioning out of the company can pose the biggest security risk, as 45% of them download, save or send work-related files before leaving the job. Once that happens your data is no longer contained, and you no longer know who holds information from your database.
While there are more potential risks your company could run into, here is a list of solutions that will help tighten security and provide peace of mind.
Let your staff know what you expect of them and educate them on how to avoid falling prey to phishing scams, one of the most common ways hackers get in. People make mistakes, so set an example of a company culture that doesn't shame people but is proactive and ready to respond should there be a data breach. Regularly reinforce processes and procedures, giving your staff refreshers and updates as threats continue to evolve. Unfortunately, cyber-attacks aren't a matter of "if," they're a matter of "when."
You can take it a step further by implementing an effective cyber security awareness training program. Train and test your employees with phishing simulations, checks for sensitive data left out in the open, and exercises in spotting cyber-attacks. This will not only provide structure to your communication, but it will also put employees on the same page about your expectations for data security.
At CoreTech, we use a variety of passwords and security systems to protect data, as well as backups, just in case. One of the programs we use is LastPass, which helps us manage our passwords and keep them secure.
Here are some other tips for keeping track of your passwords. First, don't leave them out where people can see them, which is exactly what a password manager is for. It might feel easy to leave a password on a sticky note, but a side-glance could be the undoing of your account and hand hackers access to your network. Second, if you detect any kind of security breach, change the passwords for the affected logins, and for any other account that shared the same password. Third, make passwords long and unique rather than relying on character substitutions. Swapping "O" for "0" or "a" for "@" (turning "password" into "p@$$w0rd") adds almost nothing: password-cracking tools apply exactly those substitutions automatically, so "p@$$w0rd" falls about as quickly as "password." Let the password manager generate a long random password for each account, or use a multi-word passphrase, and never reuse one across sites. Lastly, avoid common passwords such as password, 123456 or qwerty, and turn on multi-factor authentication wherever it is offered, so a leaked password alone is not enough to get in.
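To show why substitutions like "p@$$w0rd" do not help, here is an added example (not part of the original post, and not CoreTech's or LastPass's code) of a small password check that undoes the usual substitutions before comparing against a blocklist, the same thing cracking rule sets do. The blocklist and the 14-character minimum are assumptions for illustration; a real deployment would use a full breached-password list. The last function shows how to check a password against the Have I Been Pwned corpus without sending the password itself: only the first five characters of its SHA-1 hash are sent, and the rest is compared locally (the network call is left out so the example runs offline).

```python
import hashlib
import re

# Constructed mini blocklist; real lists (breach dumps, rockyou) hold millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

# "Leet" substitutions that every password-cracking rule set tries by default.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t"})

# Minimum length is an assumed policy value, not a figure from the post.
MIN_LENGTH = 14


def normalize(password: str) -> str:
    """Undo the mangling crackers try first: lowercase, strip trailing digits and
    punctuation ("123", "!"), then map leet characters back to letters."""
    base = password.lower()
    base = re.sub(r"[\d!@#$%^&*?._-]+$", "", base)
    return base.translate(LEET_MAP)


def evaluate(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears verbatim in the common-password list")
    elif normalize(password) in COMMON_PASSWORDS:
        problems.append("is a common password with predictable substitutions")
    if len(set(password)) <= 3:  # e.g. "aaaaaaaaaaaaaaa" or "ababababababab"
        problems.append("uses too few distinct characters")
    return problems


def hibp_split(password: str) -> tuple[str, str]:
    """k-anonymity split used by the Pwned Passwords range API: the caller sends
    only the 5-character prefix (GET https://api.pwnedpasswords.com/range/<prefix>)
    and compares the returned suffixes against the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


if __name__ == "__main__":
    for candidate in ["password", "p@$$w0rd", "P@ssw0rd123!", "correct horse battery staple"]:
        print(f"{candidate!r:34} -> {evaluate(candidate) or 'ok'}")
    print("HIBP prefix/suffix for 'password':", hibp_split("password"))
```

Running it shows "p@$$w0rd" and "P@ssw0rd123!" both normalising back to "password" and failing, while the long passphrase passes every check; the point is that length and uniqueness, not symbol swaps, are what make a password expensive to guess.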
If an employee is leaving, make sure they don't take any company data with them, and that their accounts are disabled or removed from every system on their last day, including remote access, email and cloud services. Where a shared or service account password was known to them, change it. This way, if the former employee decides to sell login information, the buyer can't get into your database. It's also a good idea to review your IT systems regularly to make sure there aren't any zombie accounts lingering: accounts of departed employees that are still enabled, accounts nobody has logged into for months, or accounts that no current employee owns. Closing them removes an entry point hackers would otherwise use.
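The zombie-account review described above can be done as a simple cross-check between the HR roster and a user export from your directory or identity provider. The following is an added example, not code from the original post or from CoreTech: both CSV files are constructed sample data with assumed column names, and the 90-day dormancy window is an assumed policy value. It flags enabled accounts belonging to terminated employees, logons recorded after a termination date (a sign the credentials are still being used), accounts with no HR owner, and accounts with no recent logon.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample HR export (column names are assumptions for this example).
HR_ROSTER_CSV = """username,status,termination_date
alice,active,
bob,terminated,2023-09-30
carol,terminated,2023-06-15
dave,active,
"""

# Constructed sample directory/IdP export: who can still log in, and when they last did.
DIRECTORY_CSV = """username,enabled,last_logon
alice,true,2024-01-10
bob,true,2023-10-02
carol,false,2023-06-14
svc_backup,true,2023-04-01
dave,true,2023-12-20
"""

# Assumed policy: an enabled account with no logon in this many days is dormant.
DORMANT_DAYS = 90


def _parse_date(value: str):
    return date.fromisoformat(value) if value else None


def review_accounts(hr_csv: str, dir_csv: str, today: date,
                    dormant_days: int = DORMANT_DAYS) -> dict[str, list[str]]:
    """Cross-check a directory export against the HR roster.
    Returns {username: [finding, ...]} for every account that needs attention."""
    hr = {row["username"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    cutoff = today - timedelta(days=dormant_days)
    findings: dict[str, list[str]] = {}

    for acct in csv.DictReader(io.StringIO(dir_csv)):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_logon = _parse_date(acct["last_logon"])
        reasons = []

        record = hr.get(user)
        if record is None:
            # Nobody in HR owns this account: orphaned service account or leftover test user.
            reasons.append("no matching HR record")
        elif record["status"] == "terminated":
            term = _parse_date(record["termination_date"])
            if enabled:
                reasons.append("enabled account for terminated employee")
            if term and last_logon and last_logon > term:
                # Credentials used after the person left: treat as a possible compromise.
                reasons.append("logon after termination date")

        if enabled and (last_logon is None or last_logon < cutoff):
            reasons.append(f"no logon in {dormant_days} days")

        if reasons:
            findings[user] = reasons
    return findings


def example_review() -> dict[str, list[str]]:
    """Run the review over the constructed sample data as of 2024-01-15."""
    return review_accounts(HR_ROSTER_CSV, DIRECTORY_CSV, date(2024, 1, 15))


if __name__ == "__main__":
    for user, reasons in example_review().items():
        print(f"{user}: {'; '.join(reasons)}")
```

On the sample data, bob is flagged three times (still enabled after termination, a logon two days after his termination date, and dormant since), and svc_backup is flagged as an account with no HR owner that nobody has used in months; alice, carol and dave are clean. Where your directory supports it, use the real last-logon attribute rather than a hand-maintained export, and run the check on a schedule rather than once.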
With insider risk up more than 40% in 2021, security experts expect these risks to keep increasing in the coming year, especially with more employees working from home. There is no better time than now to find the weak points in your IT systems and close them. We understand the process can be overwhelming, which is why CoreTech is here to support and guide you through an IT security assessment. We want to set you up for success when it comes to your cyber security by reducing the threats, both inside and outside your small to midsized organization.
We have a plethora of resources and blogs. You can check out our previous blogs for more tips and information about insider risk and password protection. Please reach out to us about an IT security assessment or security questions you may have for your business. Contact us today!