The 2018 Human Factor report by Proofpoint states that as many as 95% of web-based attacks now incorporate social engineering; in other words, they rely on human error. Given that, how can your organization prevent its employees from releasing confidential and critical information?
The reality is that people make mistakes all the time, and cybercriminals' use of social engineering and social media mining has raised the cost of poor security habits. Let's take a look at the five most common human errors that compromise highly sensitive data.
Password Reuse
Using simple passwords, or the same password on multiple websites, creates risk for any end user.
- Risk: Even if the corporate network, including SaaS-based applications, requires strong passwords, a simple password on a social site, for example, could let a criminal take over that account and impersonate the user. If that same password has been reused on other sites, one leaked password list gives the criminal a way into every one of them, including those holding far more sensitive data. Attackers automate this by replaying leaked username and password pairs against other sites, a technique known as credential stuffing.
- Solution: Don't use corporate email addresses or credentials for any non-corporate websites or applications. Use a reputable password manager to generate and store a unique, complex password for each personal and business website, and enable multi-factor authentication wherever it is offered so that a leaked password alone is not enough to log in.
Using Free WiFi Hotspots for Sensitive Work
Free WiFi may be fine for streaming music or movies, but do not use it for online banking or for unsecured connections to corporate applications.
- Risk: It is easy for a criminal to set up shop in a popular café, for example, run a rogue access point that mimics the venue's WiFi, and intercept the traffic of everyone who connects to it: a "Man-in-the-Middle" attack. From that position the criminal can read any data sent without encryption, capture login credentials, or redirect users to look-alike login pages.
- Solution: First, if there is no way to secure the connection, limit online activity to basic browsing. If using a cellular device, turn off WiFi and use the cellular connection (yes, this will affect data usage). Finally, use a VPN, either your company's own or a reputable commercial service, to encrypt all traffic over the hotspot, and if your company has a Mobile Device Management (MDM) solution, verify that it enforces the VPN or another secure connection when reaching corporate websites or applications.
Phishing Emails
Everyone is now familiar with the concept of phishing emails, but even so, on average, one in ten users still falls for them.
- Risk: The original risk was that an end user would click on a malicious link or open an attachment that installs malware or ransomware on a PC. A newer variant is "CEO Fraud," or Business Email Compromise (BEC), in which the criminal sends a well-crafted email that appears to come from the CEO or another senior executive, requesting a payment or wire transfer on their behalf to an off-shore account. No attachment or link is needed; the email itself is the attack.
- Solution: Security awareness training, coupled with regular simulated phishing emails, ingrains the habit of questioning any email, especially one that asks you to provide sensitive information or make a payment. Back that habit with a process rule: any request to send funds or change payment details must be confirmed through a second channel, such as a phone call to a number already on file, never by replying to the email. Additionally, to make "CEO Fraud" harder to stage, make sure your organization's executive and board member email addresses are not exposed on the internet, which can happen when organizations publish personal contact information on the corporate website. Cybercriminals can and will take advantage of this.
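The "CEO Fraud" pattern above has a few technical tells that a mail filter or analyst can check before a human ever has to decide: an executive's display name on an address that is not the executive's, a sender domain that merely resembles the corporate one, a Reply-To that diverts the conversation to webmail, and payment or urgency language. The script below is an added example, not code from the original article or from Proofpoint; the corporate domain, the executive roster and the two sample messages are constructed for the demonstration, and it assumes single-part text messages.

```python
"""Heuristic triage for "CEO Fraud" / Business Email Compromise (BEC) messages.

Added example, not code from the original article or from Proofpoint. The
corporate domain, the executive roster and the sample messages below are
constructed for this demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                      # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # constructed roster
PAYMENT_WORDS = re.compile(
    r"\b(wire|transfer|payment|invoice|urgent|gift cards?)\b", re.IGNORECASE)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ("" if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_alike(domain: str) -> bool:
    """True when an external domain reuses the corporate second-level label,
    e.g. example-ceo.com or example.co standing in for example.com."""
    label = CORPORATE_DOMAIN.split(".")[0]
    return domain != CORPORATE_DOMAIN and label in domain


def analyze(raw_message: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    findings = []

    # 1. An executive's display name on an address that is not the executive's.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and sender.lower() != expected:
        findings.append(f"display name '{display_name}' belongs to {expected}, "
                        f"but the message is from {sender}")

    # 2. A domain registered to resemble the corporate one.
    if looks_alike(sender_domain):
        findings.append(f"sender domain {sender_domain} resembles {CORPORATE_DOMAIN}")

    # 3. Reply-To diverting replies to a third domain (typically free webmail).
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} is outside the From domain {sender_domain}")

    # 4. Payment or urgency language in subject or body (single-part text assumed).
    body = msg.get_payload(decode=True) or b""
    text = f"{msg.get('Subject', '')}\n{body.decode('utf-8', 'replace')}"
    hits = sorted({m.lower() for m in PAYMENT_WORDS.findall(text)})
    if hits:
        findings.append(f"payment or urgency language: {', '.join(hits)}")
    return findings


def is_suspicious(raw_message: str) -> bool:
    """Require two independent signals so a lone keyword does not quarantine mail."""
    return len(analyze(raw_message)) >= 2


# Constructed sample messages.
BEC_MESSAGE = """From: "Jane Doe" <jane.doe@example-ceo.com>
Reply-To: jane.doe.office@gmail.com
To: bob@example.com
Subject: Urgent wire transfer

Bob, I need a wire transfer to the vendor account below processed today.
I am in meetings all day, so reply by email only.
"""

LEGIT_MESSAGE = """From: "Jane Doe" <jane.doe@example.com>
To: bob@example.com
Subject: Board deck

Bob, attached is the deck for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("BEC", BEC_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, "suspicious" if is_suspicious(raw) else "clean")
        for finding in analyze(raw):
            print("  -", finding)
```

The two-signal threshold in `is_suspicious` is deliberate: "urgent" alone appears in plenty of legitimate mail, but an executive's name on a lookalike domain combined with a webmail Reply-To is the classic BEC shape and deserves a hold for manual review.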
Social Media Exposure
While it is great that employees can promote the business on their own Facebook, Twitter, LinkedIn, or other social accounts, they need to be careful how much information they disclose.
- Risk: Cybercriminals are patient and very persistent once they have a target in mind. As they scour the Internet for information that could give them access to an organization, social media tells them who works where, who reports to whom, and who is travelling, which enables them to craft very convincing emails to colleagues who might let down their guard.
- Solution: Have a social media policy in place that outlines best practices for social media use, including which organizational details (roles, travel, internal projects, vendor relationships) should not be shared publicly.
Malvertising
Also known as "drive-by" infections, these occur when someone visits a perfectly legitimate website for news, sports, or shopping and a malicious advertisement served on that page installs malware on the PC. Often no click is required: the ad exploits a vulnerability in the browser or a plug-in as soon as it loads.
- Risk: The impact of a malicious advertisement is very much the same as the outcome of clicking a link in a phishing email: the PC is compromised.
- Solution: Make sure your organization's systems, and especially browsers and browser plug-ins, are patched with the latest security updates. Drive-by exploits rely on application vulnerabilities that have not been patched to download malware without detection, so a fully patched browser neutralizes most of them. Blocking or restricting ads and scripts at the browser or network level further reduces the exposure.
To learn more about how to protect your organization's network from attack, sign up for a Systems Engineering Security Assessment today.