Employees May Be a Company's Greatest Cybersecurity Vulnerability
Apple Inc. disclosed a cyber attack Tuesday, which started when employees visited a website for software developers and inadvertently picked up malicious software that infected their computers. Similarly, Facebook announced last week that malware got onto employee laptops after some employees visited a compromised developer website. And in a recent report about hackers infiltrating systems at The New York Times, investigators came to suspect that employees opened malicious links or attachments contained in emails.
In these and other cyber attacks on corporations and government agencies, employees often serve as gateways for intruders, underscoring the need for better employee education about digital security, according to a new report by the data security solutions firm Trustwave.
"[A]ll the security controls in the world are useless if an attacker can manipulate an employee with system access," according to the findings, which include an analysis of more than 450 data breach investigations in 2012.
Whether thieves are after customer data or a company's intellectual property portfolio, employee email, mobile devices, network passwords, and social media can all open the door for an attack.
Concern over targeted attacks is increasing, the report finds. "In previous years, and in 2012, the initial attack is frequently carried out by email, and this situation showed no sign of abating during 2012."
Contrary to the belief that targeted attacks distributing malware are ultra-sophisticated, "they actually tend toward the mundane yet plausible," according to Trustwave.
The covertly malicious emails received by employees may purport to be about conferences, meeting invitations, or security updates. Attackers, having done their homework, can manipulate the "From" field so it looks like the email originated from someone within the company. "Given the sender, subject, and context, the email makes sense to an employee of that organization," say the report's authors.
The proliferation of smartphones and mobile apps presents another set of security worries, as these devices "routinely connect to unknown networks every day," says Trustwave. Mobile devices not only connect back to corporate networks but also contain valuable personal information, making them attractive targets for cybercriminals.
Meanwhile, passwords that guard devices like routers and firewalls are "consistently configured with weak or easily guessable default passwords," the report finds.
In a sample of nearly 3.1 million passwords, for example, Trustwave found that while about 1 million were unique, many were not. "Welcome1" topped the list of most common passwords, showing up 30,465 times, followed by "STORE123" (21,362 times) and "Password1" (15,383 times).
"Passwords once thought to be complex enough to make cracking improbable are now able to be reversed in hours or days," the report states. "This requires users and administrators to rethink how they create passwords and how users are educated about password security."
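As an added illustration (not code from the article or from Trustwave's report), the following Python audit tallies a constructed password sample the way the report's analysis of 3.1 million passwords did, and flags entries that are on the report's named top three or that share their "capitalised word plus a few digits" shape. The regular expression, the eight-character threshold and the sample list are assumptions made for the example.

```python
"""Password-sample audit: how many entries repeat, which are most common,
and how many would fail a simple denylist-plus-pattern check.
Added example; the sample passwords below are constructed, not real data."""
import re
from collections import Counter

# The three most common passwords named in the report.
REPORT_TOP_PASSWORDS = {"Welcome1", "STORE123", "Password1"}

# Assumed heuristic: one word (lower, Capitalised or ALL-CAPS) followed by
# one to four digits. All three passwords above match this shape.
WORD_PLUS_DIGITS = re.compile(r"^(?:[A-Z][a-z]+|[a-z]+|[A-Z]+)\d{1,4}$")

MIN_LENGTH = 8  # assumed policy threshold, not a figure from the report


def is_weak(password: str) -> bool:
    """True if the password is on the denylist, too short, or word+digits."""
    if password in REPORT_TOP_PASSWORDS:
        return True
    if len(password) < MIN_LENGTH:
        return True
    return WORD_PLUS_DIGITS.match(password) is not None


def audit(passwords):
    """Summarise a sample: total, distinct values, top three, weak count."""
    counts = Counter(passwords)
    return {
        "total": len(passwords),
        "unique": len(counts),
        "top": counts.most_common(3),
        "weak": sum(1 for p in passwords if is_weak(p)),
    }


# Constructed sample: heavy repetition of the report's top three, one more
# word+digits password, and two that the heuristic should leave alone.
SAMPLE = (["Welcome1"] * 4 + ["STORE123"] * 3 + ["Password1"] * 2
          + ["Summer2012", "correct-horse-battery-staple", "xk9!Qv2#Lm"])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In a real audit the input would be credentials recovered from an offline cracking run, not plaintext, and the denylist would be a full breach-derived list rather than three entries.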
Seemingly innocuous postings on social media by employees can also help thieves execute an attack.
"Posting one's place of work on Facebook might not seem dangerous," the report warns, "but when combined with co-worker connections on LinkedIn, pictures of office parties from Flickr and check-ins on Foursquare, an attacker can create a very detailed picture of the internal workings of a company without ever setting foot inside."
All in all, the authors identified employee education as integral to any other cyber defenses, arguing that "no policy enacted will have much impact if employees aren't on board (especially if they don't truly understand the consequences of their actions)."
One step companies can take is to conduct training on security awareness. "Regular staff training on both core security techniques and topical issues is important to build a successful security foundation," the report recommends. This awareness training must include case studies highlighting both obvious pitfalls (clicking on suspicious links) and not-so-obvious ones (posting company photos online in which staff members are wearing their security badges).
Running security awareness campaigns also helps to reinforce those ideas and remind employees to stay vigilant. Incentives don't hurt, either. "Reward staff for identifying incidents, which will encourage them to be observant," the report advises.
See also: Cybersecurity Report Spotlights Risks to U.S. Business from Chinese Hackers, CorpCounsel, February 2013.