
Do Employees Make Your Network Vulnerable?

EP Editorial Staff | July 6, 2016

Employees, most of the time innocently, can be the weakest part of a company cyber-security plan. Education is the key to strengthening that plan.

By Dennis Egen, Engine Room

Some of the largest and most damaging security breaches in history occurred in 2015. According to a May 2015 study by the Ponemon Institute (Traverse City, MI), commissioned by IBM, the average total cost of a single corporate data breach was $3.79 million, an increase of 23% from 2013.

The breaches that received the most attention in recent years were those affecting millions, sometimes tens of millions, of consumers and their personal information: eBay, Target, Anthem, Premera Blue Cross, and the Federal Office of Personnel Management, to name a few.

But the manufacturing environment isn’t immune. In 2013, Symantec, a global cyber-security company, reported that manufacturing was the most targeted sector for cyber attacks, accounting for 24% of all targeted attacks. Theft of personal data isn’t the objective of the cyber attacks on manufacturers. Instead, the main security concerns in the manufacturing environment are intellectual property theft, data alteration, and outside interference in manufacturing processes.

Despite these threats, American manufacturers have not taken the most basic steps to secure their data from the single biggest threat to information security—their own employees.

It has been estimated that 60% of data compromises are caused by employees or insiders (freelancers, contractors, consultants). The vast majority of these breaches are unintentional.

Rogue employees

So what should be done to address this internal threat? First, recognize that, while most employee-caused data breaches are due to negligence or lack of proper data-security education, the potential actions of disgruntled employees must also be considered. Rogue employees, especially members of the IT team with access to network, data center, and administrative accounts, can severely compromise a manufacturer’s important data. Corporate vigilance can go a long way toward curbing this kind of activity. Notice telltale changes in employee behavior:

  • Is a usually reliable employee’s performance dropping?
  • Is an employee acting differently with colleagues?
  • Is a normally prompt employee now habitually arriving late to work?

Such vigilance may help identify potentially harmful activity while it is under way. But being proactive will, in the end, provide greater information security:

  • Perform an annual information security audit.
  • Identify all privileged accounts and credentials. Which users have access to what data?
  • Create attack models to identify exposure to insider threats and perform a damage assessment of these threats.
  • Closely monitor, control, and manage privileged credentials to prevent exploitation.
  • Control the flow of inbound delivery methods.
  • Filter executable mail and web links.
  • Monitor and look for irregularities in outbound traffic.
  • Implement necessary protocols and infrastructure to track, log, and record privileged account activity.
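The item above about watching outbound traffic for irregularities is easy to state and harder to make concrete. The following is an added example, not code from the article or from Engine Room: a small Python script that runs over a constructed set of per-flow outbound records (host, destination, bytes out) and flags two kinds of irregularity, a day whose outbound volume is far above that host's own median and a large transfer outside business hours. The flow format, the hostnames and addresses, the 10x spike factor, the 07:00 to 19:00 business-hours window and the 10 MiB off-hours threshold are all assumptions chosen for the example; a real deployment would tune them to its own baseline.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of outbound flow summaries (not real traffic).
# Columns: timestamp  source-host  destination  bytes-out
SAMPLE_FLOWS = """\
2016-06-27T10:02:11 ws-eng-07 203.0.113.10 51200
2016-06-27T14:40:03 ws-eng-07 198.51.100.5 40960
2016-06-28T09:15:44 ws-eng-07 203.0.113.10 61440
2016-06-29T11:05:19 ws-eng-07 203.0.113.10 45056
2016-06-30T16:22:37 ws-eng-07 198.51.100.5 53248
2016-07-01T02:13:08 ws-eng-07 192.0.2.77 734003200
2016-06-27T09:30:00 ws-fin-02 203.0.113.10 20480
2016-06-28T10:30:00 ws-fin-02 203.0.113.10 22528
2016-06-29T10:30:00 ws-fin-02 203.0.113.10 19456
2016-06-30T10:30:00 ws-fin-02 203.0.113.10 21504
2016-07-01T10:30:00 ws-fin-02 203.0.113.10 23552
"""

SPIKE_FACTOR = 10                        # assumed: a day > 10x the host's median daily total is suspicious
BUSINESS_HOURS = (7, 19)                 # assumed: flows outside 07:00-19:00 get a second look
MIN_OFF_HOURS_BYTES = 10 * 1024 * 1024   # assumed: ignore small off-hours flows (10 MiB)


def parse_flows(text):
    """Parse the whitespace-separated flow records into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, host, dst, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "host": host,
                      "dst": dst, "bytes": int(nbytes)})
    return flows


def daily_totals(flows):
    """Sum bytes out per host per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["host"]][f["ts"].date()] += f["bytes"]
    return totals


def find_irregularities(flows):
    """Return (host, description) tuples for volume spikes and large off-hours transfers."""
    findings = []
    # 1. Per-host daily volume compared against the median of that host's other days.
    for host, per_day in daily_totals(flows).items():
        if len(per_day) < 3:            # too little history to form a baseline
            continue
        for day, total in sorted(per_day.items()):
            others = [v for d, v in per_day.items() if d != day]
            baseline = median(others)
            if baseline > 0 and total > SPIKE_FACTOR * baseline:
                findings.append((host, f"{day}: {total} bytes out, "
                                       f"{total / baseline:.0f}x the median of other days"))
    # 2. Large transfers outside the assumed business-hours window.
    start, end = BUSINESS_HOURS
    for f in flows:
        if not (start <= f["ts"].hour < end) and f["bytes"] >= MIN_OFF_HOURS_BYTES:
            findings.append((f["host"], f"{f['ts']}: {f['bytes']} bytes to {f['dst']} "
                                        f"outside business hours"))
    return findings


if __name__ == "__main__":
    for host, why in find_irregularities(parse_flows(SAMPLE_FLOWS)):
        print(f"{host}: {why}")
```

On the constructed data only ws-eng-07 is reported, once for the 1 July daily spike and once for the 02:13 transfer, while ws-fin-02's steady daily totals produce nothing. Comparing each day against the host's own median rather than a fleet-wide constant is what keeps a naturally busy host from generating noise.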


Negligent or careless employees

Interestingly, one of the main factors in employee-caused data breaches is that potential outside hackers have changed the focus of their attacks. As companies have become more aware of external threats, they are improving their security procedures, implementing the latest security technologies, creating effective policies and employing greater vigilance. So, some outside attackers are shifting their focus and attacking enterprises through their employees by targeting less-secure home systems to gain access to manufacturer networks.

Aside from this possible shift in focus by some outside attackers, what’s behind the problem of negligent, careless employees? Workplace stress, multitasking, and long hours are contributors. But lack of education about information security and work policies is the main culprit. Most employees aren’t aware that several of their common work habits can easily put company data at risk.

Of course, there are accidental situations that can occur, such as leaving one’s laptop on the train or at a restaurant, or mistakenly sending an email containing confidential information to the wrong person. But other potentially damaging practices can and should be prevented.

According to one provider of identity protection and fraud detection solutions, about 60% of users who have access to a company network use the same login credentials as on other non-company sites such as Facebook, Twitter, and LinkedIn. Since many targeted breaches begin with a phishing effort to grab users’ social media passwords, many inadvertently put confidential company login information right out for anyone to see.

Employees who want to finish some work at home may be putting sensitive files on a cloud-storage application such as Dropbox, which can lead to mixing and sharing of personal and corporate data.

Other common contributors to employee-caused security breaches include:

  • using weak passwords (containing fewer than eight characters; not employing upper and lower case letters; containing personal information such as birthdates, phone numbers, or addresses; using word or number patterns such as abcd or 12345)
  • not changing passwords frequently
  • visiting unauthorized websites
  • clicking on links from people they don’t know
  • failing to protect their laptop screens from prying eyes when working outside the office
  • using generic USB drives that are not encrypted or safeguarded by other means.
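The password rules in the list above (at least eight characters, mixed case, no personal information, no patterns such as abcd or 12345, and regular changes) are concrete enough to check automatically. What follows is an added example, not code from the article or from Engine Room: a Python function that returns the reasons a candidate password fails those rules. The personal-information check and the sequence detector are my own implementations of the article's wording, and the 90-day maximum password age is an assumption, since the article says only "frequently".

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation interval; the article gives no number
SEQUENCE_RUN = 4             # "abcd" / "4321" / "1111" are runs of four


def _normalize(text):
    """Lower-case and keep only letters and digits, so '(215) 555-0199' matches '2155550199'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _has_sequence(password, run=SEQUENCE_RUN):
    """True if `run` consecutive characters step by +1, -1 or 0 (abcd, 12345, 4321, aaaa)."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if len(steps) == 1 and steps.pop() in (1, -1, 0):
            return True
    return False


def weak_password_reasons(password, personal_info=(), last_changed=None, today=None):
    """Return a list of rule violations; an empty list means the password passes these checks.

    personal_info: strings such as a birthdate, phone number or street address
                   that must not appear inside the password.
    last_changed:  date of the last password change, for the rotation rule.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        reasons.append("does not use both upper and lower case letters")
    normalized = _normalize(password)
    for item in personal_info:
        fragment = _normalize(item)
        if len(fragment) >= 4 and fragment in normalized:
            reasons.append(f"contains personal information ({item})")
    if _has_sequence(password):
        reasons.append("contains a letter or number sequence such as abcd or 12345")
    if last_changed is not None:
        today = today or date.today()
        age = (today - last_changed).days
        if age > MAX_PASSWORD_AGE_DAYS:
            reasons.append(f"not changed for {age} days (limit {MAX_PASSWORD_AGE_DAYS})")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    profile = ["1985-03-12", "(215) 555-0199"]
    for candidate in ["abcd123", "Fido19850312", "Green-Tractor!42"]:
        print(candidate, "->", weak_password_reasons(candidate, profile) or "ok")
```

Normalising both the password and the personal details before the substring test is what catches a birthdate typed without separators; the sequence check deliberately works on character codes rather than a fixed list, so it flags "wxyz" and "6789" as well as the two patterns the article names. None of this replaces a breached-password or dictionary check, which the article's list does not cover.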

BYOD: a major culprit

Employees used to leave their work data at work. Now, mobile devices give employees access to corporate data anywhere, anytime. BYOD (bring your own device) has become a major risk for company data security. BYOD allows hackers to exploit poor employee security habits and weak passwords with the use of fake free Wi-Fi networks, fake login pages for popular sites, and phishing emails. A recent survey showed that 60% of employees either have no security or have stuck to the default settings for their mobile devices.

Here’s how the BYOD trend can have an impact on business:

Mobile phishing: Phishing can be used to attack mobile users as well as computers. Hackers can engineer an email to trick a user into opening a malicious attachment or clicking on a link. The attacker can use the information gained from this phishing expedition to connect to the corporate IT network to steal data.

Being compromised by corporate-network attacks: Many outsider attacks take advantage of the fact that current network security solutions lack the visibility required to protect mobile devices once they leave the corporate network. Therefore, attackers focus on mobile devices traversing public and private networks.

One of the basic ways to keep mobile devices safe and secure is to ensure that devices remain updated to the latest operating system version with full security protection. However, a more comprehensive approach is required. Here are some suggestions:

  • Employees will take information security seriously when they know it is an important focus of their company’s management. Make security a part of performance appraisals. Let employees know that IT security also means job security.
  • Create a written information security plan and share it with employees.
  • Educate employees about the need to change their work behavior in an age of increased BYOD. They should know about phishing, shoulder-surfing (an individual peering over the shoulder of an electronic-device user to acquire personal-access information), password protection, physical hardware security, and basic encryption.
  • Use software to manage mobile devices. This could be as simple as settings on the company Exchange server, or more advanced use of mobile-device-management software such as Good or AirWatch.

There are a few don’ts:

  • Don’t use public Wi-Fi when performing client or sensitive corporate work.
  • Don’t click on any link in an email if you are not 100% sure of its source.
  • Don’t use work login information for social media.

Having programs and processes in place that include a mixture of training, policy, and technology is vital to addressing insider threats before they become a major issue.

Dennis Egen is president and founder of Engine Room (engineroomtech.com), a technology and security firm based in Philadelphia.

