Apple Inc. disclosed a cyber attack Tuesday, which started when employees visited a website for software developers and inadvertently picked up malicious software that infected their computers. Similarly, Facebook announced last week that malware got onto employee laptops after some employees visited a “compromised” developer website. And in a recent report about hackers infiltrating systems at The New York Times, investigators came to suspect that employees opened malicious links or attachments contained in emails.

In these and other cyber attacks on corporations and government agencies, employees often serve as gateways for intruders—underscoring the need for better employee education about digital security, according to a new report by the data security solutions firm Trustwave.

“[A]ll the security controls in the world are useless if an attacker can manipulate an employee with system access,” according to the findings, which include an analysis of more than 450 data breach investigations in 2012.

Whether thieves are after customer data or a company’s intellectual property portfolio, employee email, mobile devices, network passwords, and social media can all open the door for an attack.

“Concern over targeted attacks is increasing,” the report finds. “In previous years, and in 2012, the initial attack is frequently carried out by email, and this situation showed no sign of abating during 2012.”

Contrary to the belief that targeted attacks distributing malware are “ultrasophisticated,” they actually tend toward the “mundane” yet plausible, according to Trustwave.

The covertly malicious emails received by employees may purport to be about conferences, meeting invitations, or security updates. Attackers, having done their homework, can manipulate the “From” field so it looks like the email originated from someone within the company. Given the sender, subject, and context, “the email makes sense to an employee of that organization,” say the report’s authors.

The proliferation of smartphones and mobile apps presents another set of security worries, “as these devices routinely connect to unknown networks every day,” says Trustwave. “Mobile devices not only connect back to corporate networks but also contain valuable personal information, making them attractive targets for cybercriminals.”

Meanwhile, devices like routers and firewalls are consistently “configured with weak or easily guessable default passwords,” the report finds.

In a sample of nearly 3.1 million passwords, for example, Trustwave found that while about 1 million were unique, many were not. “Welcome1” topped the list of most common passwords, showing up 30,465 times, followed by “STORE123” (21,362 times), and “Password1” (15,383 times).

“Passwords once thought to be complex enough to make cracking improbable are now able to be reversed in hours or days,” the report states. “This requires users and administrators to rethink how they create passwords and how users are educated about password security.”

Seemingly innocuous postings on social media by employees can also help thieves execute an attack.

“Posting one’s place of work on Facebook might not seem dangerous,” the report warns, “but when combined with co-worker connections on LinkedIn, pictures of office parties from FlickR and check-ins on Foursquare, an attacker can create a very detailed picture of the internal workings of a company without ever setting foot inside.”

All in all, the authors identified employee education as integral to any other cyber defenses, arguing that “no policy enacted will have much impact if employees aren’t on board (especially if they don’t truly understand the consequences of their actions).”

One step companies can take is to conduct training on security awareness. “Regular staff training on both core security techniques and topical issues is important to build a successful security foundation,” the report recommends. “This awareness training must include case studies highlighting both obvious pitfalls (clicking on suspicious links) and not-so-obvious ones (posting company photos online in which staff members are wearing their security badges).”

Running security awareness campaigns also helps to reinforce those ideas and remind employees to stay vigilant. Incentives don’t hurt, either. “Reward staff for identifying incidents, which will encourage them to be observant,” the report advises.

See also:
“Cybersecurity Report Spotlights Risks to U.S. Business from Chinese Hackers,” CorpCounsel, February 2013.
