While most Australians are wary of the more common tactics of cybercriminals, and seldom fall for emails from Nigerian royalty or phishing messages seeking banking details, few are as vigilant when it comes to protecting valuable company information at work. Attackers are moving beyond personal data such as credit card numbers to high-value corporate assets: intellectual property (IP), access to mission-critical operations, and other proprietary data and systems. As hackers and cybercriminals step up their efforts against businesses, seeking everything from IP for commercial gain to customer records for competitive advantage, or stolen information to use in extortion attempts, one careless employee can become the weakest link in your business.
Nor is this a problem confined to a minority: a staggering 83 percent of organisations have been the target of an advanced attack, and about half of all employees will fall for a well-crafted spear-phishing ruse, which can open the door to malware and other threats to the corporate network.
A recent workplace security study by global security firm RSA found that Australians have some of the most careless attitudes in the world towards security at work. They frequently engage in risky behaviours such as sending work documents to personal email addresses to access them from home, and uploading work documents to online file-sharing services for vendors or third parties to download.
Mobile devices now offer the convenience and flexibility of accessing email and company desktops on the go, but the growth of employee-owned devices and the increasing use of social media applications in the workplace are creating new attack vectors, and the loss of an employee device such as a phone or laptop poses a serious risk to company IP. An alarming 23 percent of Australians admitted to having lost a device containing company information. The consequences of losing company information this way can be severe, and organisations need control of, and insight into, the users and devices accessing their network.
It is a good idea to configure employees' devices to connect to corporate Wi-Fi rather than public hotspots, to reduce exposure to eavesdropping and malware, and to make sure employees know to turn off Bluetooth and Wi-Fi when not in use. Simple measures such as a screen lock that engages when the phone is powered on, together with an inactivity time-out or auto-lock, also limit the damage should an employee lose the device.
Australians ranked lowest of all countries surveyed for strong password creation: only 78 percent said their companies required them to create a strong password (at least eight characters, combining numbers, letters and/or special characters). Yet requiring employees to use a "strong" password, or to change passwords regularly, does not by itself make them more secure, because employees share passwords and resort to unsafe practices to remember them. Sharing passwords with colleagues or leaving them written down near a computer is commonplace in Australian offices: 41 percent of Australians admit to simply using another person's password, 21 percent admit to writing their passwords down, and 36 percent say they reuse the same password in multiple places.
Risky practices such as these, combined with ineffective approaches to information security, leave organisations susceptible to this new class of employee-targeted attack, and any company holding high-value digital assets is on the hit list. The complexity of today's IT environments also makes it easier for skilled adversaries to hide, and to find unknown or unpatched vulnerabilities.
Adding to the problem, many companies are unable to detect sophisticated attack patterns. Conventional antivirus, firewall and IDS tools each flag their own piece of an attack (an unauthorised access attempt, a virus, a phishing email), but none of them associates those events, so no complete picture of the attack ever emerges.
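As an added illustration of the correlation gap described above (example code, not from RSA or the author), the following Python script takes constructed alert lines from a mail gateway, an antivirus agent and an IDS, in an assumed `time source user=… host=… event=…` format, and stitches them into per-user attack chains. On their own, each line is a low-priority alert; only when the same user shows a phishing click, a malware detection and an unauthorised access within a 24-hour window does an incident emerge.

```python
"""Correlate isolated alerts from mail, antivirus and access logs into an
attack chain keyed on user, so that a phishing email followed by a malware
detection and an unusual access on the same account surfaces as one incident.
The log format and the sample lines below are constructed for this example
and do not come from any particular product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts. Assumed format:
#   <ISO time> <source> user=<u> host=<h> event=<e>
SAMPLE_LOG = """\
2014-03-10T09:02:11 mailgw user=alice host=ws-17 event=phish_link_click
2014-03-10T09:05:40 av user=alice host=ws-17 event=malware_detected
2014-03-10T09:41:03 ids user=alice host=fileserver event=unauthorised_access
2014-03-10T10:15:00 mailgw user=bob host=ws-22 event=phish_link_click
2014-03-11T14:00:00 av user=carol host=ws-03 event=malware_detected
2014-03-12T08:00:00 ids user=carol host=fileserver event=unauthorised_access
"""

# Each tool's alert is mapped to one stage of the chain; STAGE_ORDER gives
# the order in which a real intrusion passes through them.
STAGES = {
    "phish_link_click": "delivery",
    "malware_detected": "compromise",
    "unauthorised_access": "lateral_movement",
}
STAGE_ORDER = ["delivery", "compromise", "lateral_movement"]


def parse_event(line):
    """Split one log line into a dict; unknown events get stage None."""
    ts, source, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"time": datetime.fromisoformat(ts), "source": source,
            "user": kv["user"], "host": kv["host"],
            "stage": STAGES.get(kv["event"])}


def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def correlate(events, window=timedelta(hours=24)):
    """Group events by user, walk them in time order and keep the first
    occurrence of each stage that falls within `window` of the user's
    earliest alert. Returns one chain per user, highest score first."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["stage"]:
            by_user[ev["user"]].append(ev)
    chains = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = evs[0]["time"]
        seen = {}
        for ev in evs:
            if ev["time"] - start <= window and ev["stage"] not in seen:
                seen[ev["stage"]] = ev
        stages = [s for s in STAGE_ORDER if s in seen]
        chains.append({"user": user, "stages": stages,
                       "hosts": sorted({e["host"] for e in seen.values()}),
                       "score": len(stages)})
    # A full chain is an incident; a lone alert is noise.
    return sorted(chains, key=lambda c: -c["score"])


def incidents(events, min_stages=2):
    """Only chains that reached at least `min_stages` stages are incidents."""
    return [c for c in correlate(events) if c["score"] >= min_stages]


if __name__ == "__main__":
    for chain in correlate(parse_log(SAMPLE_LOG)):
        print(chain)
```

Real deployments key on more than the user name (host, session, source address) and read from a SIEM rather than a text file, but the principle is the same: the value is in the join across tools, not in any single alert. With the sample above, alice's three alerts become one three-stage incident, carol's two alerts within 18 hours become a two-stage incident, and bob's single phishing click stays a low-priority alert.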
So how do we stay safe in a world where cyber-attackers are smarter and passwords are harder to remember? Traditionally, firewalls provide the perimeter defence against external attackers and network-borne malware, so review your firewall deployments to ensure that the current rules, and the processes for implementing and maintaining them, are still valid. Also make sure you take adequate measures to protect endpoints such as laptops, for example with host-based firewalls.
You should not, however, rely on firewalls as your only means of defence. There is more to consider in protecting your network: do you provide secure remote access with strong authentication? Have you secured your wireless network to prevent unauthorised users from reaching your network resources?
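A rule review of the kind recommended above can be scripted. The following is an added example (not RSA's tooling or the author's) that audits a constructed, vendor-neutral rule export in an assumed `id action src dst port expires` format and flags three findings a review should catch: an allow-anything rule that makes the firewall pointless, a rule whose approval date has lapsed, and a rule shadowed by an earlier, broader rule so that it can never match.

```python
"""Audit a firewall rulebase for rules that should no longer be there:
allow-anything rules, rules whose change approval has expired, and rules
that an earlier, broader rule already shadows. The export format and the
sample rules are constructed for this example; real exports differ per vendor."""
import ipaddress
from datetime import date

# Constructed sample export. Assumed format (first match wins):
#   <id> <allow|deny> <src cidr> <dst cidr> <port|any> <expires YYYY-MM-DD>
SAMPLE_RULES = """\
10 allow 10.0.0.0/8 10.20.0.5/32 443 2099-01-01
20 allow 0.0.0.0/0 10.20.0.5/32 22 2013-06-30
30 allow 10.0.0.0/8 10.20.0.5/32 443 2099-01-01
40 allow 0.0.0.0/0 0.0.0.0/0 any 2099-01-01
50 deny 0.0.0.0/0 0.0.0.0/0 any 2099-01-01
"""


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rid, action, src, dst, port, expires = line.split()
        rules.append({"id": int(rid), "action": action,
                      "src": ipaddress.ip_network(src),
                      "dst": ipaddress.ip_network(dst),
                      "port": port, "expires": date.fromisoformat(expires)})
    return rules


def covers(outer, inner):
    """True when `outer` matches every packet `inner` matches, so a later
    `inner` can never be reached. supernet_of() is true for equal networks."""
    return (outer["src"].supernet_of(inner["src"])
            and outer["dst"].supernet_of(inner["dst"])
            and outer["port"] in ("any", inner["port"]))


def review(rules, today):
    """Return (rule id, finding) pairs in rulebase order."""
    findings = []
    for i, r in enumerate(rules):
        if (r["action"] == "allow" and r["src"].prefixlen == 0
                and r["dst"].prefixlen == 0 and r["port"] == "any"):
            findings.append((r["id"], "allow any->any: firewall adds nothing"))
        if r["expires"] < today:
            findings.append((r["id"], "expired on %s: remove or re-approve"
                             % r["expires"].isoformat()))
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r["id"], "shadowed by rule %d: never matched"
                                 % earlier["id"]))
                break
    return findings


def review_export(text, today_iso):
    """Convenience wrapper: audit a text export against an ISO date."""
    return review(parse_rules(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for rid, finding in review_export(SAMPLE_RULES, "2014-03-10"):
        print("rule %d: %s" % (rid, finding))
```

Against the sample rulebase on 2014-03-10, rule 20 is flagged as expired, rule 30 as a duplicate shadowed by rule 10, rule 40 as an allow-anything rule, and the final deny in rule 50 as unreachable because rule 40 already matches everything. Shadow detection here is deliberately conservative (it compares one earlier rule at a time rather than the union of all earlier rules), so it reports only shadows it can prove.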
Combating this new class of threat, which seeks to exploit the 'weakest link' employee, will take fresh approaches and new ways of thinking about information security. Organisations need to give up the idea that everything can be protected, and instead identify the most critical information, the company's "crown jewels", and concentrate their efforts on those core assets. The definition of successful defence should also change from "keeping attackers out" to "attackers will sometimes get in; detect them as early as possible and minimise the damage". In short, start from the assumption that the organisation may already be compromised and plan from there.
Selling information security awareness to employees can be hard, but establishing an understanding of why staying alert to these threats matters is essential. Regular meetings to update employees on security policy and to re-emphasise the major points are a good place to start.
Top tips for better workplace IP security
- Don't rely on firewalls alone
- Use strong authentication for secure remote access
- Make sure employees have screen locks and strong passwords on devices used for work
- Educate employees about being alert to threats such as phishing
– Mason Hooper is a fraud expert with RSA Security.