Poorly instructed employees are dangerous for the company. This is true for any industry and position, and it is fully true in the sphere of information security: one click on an attachment or one infected USB flash drive brought from home – and it is over. A dangerous ransomware virus has entered the company’s network, all files are locked, work is paralyzed, the IT department is looking for up-to-date backups to restore disks, and management is calculating losses from downtime.
In fact, almost any security system is useless if employees do not understand the basics of information security. Such employees become the main vulnerabilities in your company’s computer system.
Understanding this state of affairs perfectly, cybercriminals increasingly use their victims’ employees as the main entry point for launching attacks. Taking advantage of a person’s illiteracy is much easier than finding a vulnerability in the corporate network.
Below I am going to talk about several types of attacks that employees are exposed to:
Using your own gadgets and laptops for work (Bring Your Own Device, BYOD) is a fashion trend that is especially popular among startups. Such an organization of the process seems like a perfect win-win: if an employee wants to work from home, they do not have to copy work files, and access to corporate systems is already set up. From the point of view of information security, however, using one device for both work and home tasks is a source of serious risks, especially if the employee is not too diligent in learning the basics of information security.
Many faces of phishing
The traditional way of organizing the workflow in the form of desktop computers partially removes the risks associated with BYOD, but even in this case, an insufficient level of information security skills can be fatal for the organization. All employees use email, which means they are potential victims of phishing – fraudulent emails disguised as messages from delivery services, contractors, technical support or management.
Using phishing, cybercriminals can force the victim to launch malicious software attached to the letter, enter their network credentials, or even make payments using the fraudsters’ details instead of those of the real counterparty.
What to do about it?
Despite the abundance of software and hardware protection tools available on the market, it is worthwhile to devote part of the budget to countering attacks that target employees. Here are the most important recommendations:
All employees should understand that ignorance of the principles of information security is no excuse, and should therefore be interested in raising their awareness in this matter. On the company’s side, the costs of organizing and conducting training seminars, as well as of firewall management services, should be considered an investment in reducing risks and preventing damage.
Theoretical knowledge is quickly displaced from memory by more pressing information. Practicing the skills will help to consolidate that knowledge.
When confronted with a cyber threat, an employee may keep silent, fearing dismissal, or try to eliminate it on their own. Meanwhile, timely notification of the incident prevents the spread of malware throughout the corporate network. It is important to design the regulations in such a way that the employee who reports an attack is rewarded.