
5 Reasons Employees Are Your Biggest Security Threat

Tactics and Methods Used To Exploit Human Behavior and The Policies Needed To Increase Protection

Though organizations are enforcing stricter security policies and implementing state-of-the-art technology, employees remain the single greatest security threat.

In this brief we will look at the tactics and methods used to exploit human behavior and the related education and policies needed to increase protection.

1) Phishing Emails

Phishing remains a key strategy that threat actors use to breach organizations because it is inexpensive and anonymous. Basic phishing targets include both employee email addresses and personal email addresses accessed from company devices. Spear phishing is a more targeted method that uses social media and search engines to gather personal information on specific targets, which is then used in an email exploit that directly correlates to a person's interests or family.

What you can do
Employees need to be aware of the various appeals of phishing emails and how their trust can be exploited. Security training can teach employees to watch for unknown persons asking for sensitive information, to validate a sender's email address and to avoid links in emails without first checking the web address.

2) Unintended Disclosure

Humans make errors. Whether an employee, contractor or even subcontractor is at fault, sensitive data can be exposed or mishandled. Sometimes the error is a coding mistake that exposes personal data. Other times it may be an email error where the wrong address or list is selected and confidential information is sent inadvertently.

What you can do
Unfortunately, some mistakes are unavoidable. However, organizations can implement policies or training to prevent many of these errors. Educating employees on what data is sensitive, what to do when an accident occurs and the processes and procedures to follow can help reduce unintended disclosures.

3) Hacking and Malware

Advanced phishing techniques (called strategic web compromise) include adding malicious links to commonly visited websites that download malware when clicked. As employees get into the habit of visiting the same sites daily, they may click on an ad or link thinking the site is completely safe. At this point, they unknowingly infect their computer and potentially the rest of the network.

What you can do
Educating employees on common threat vectors is essential to avoid the risk of compromise. Train employees on topics such as avoiding malicious links, checking web addresses for legitimacy and being cautious about downloading unknown software. These are just a few of many educational topics that can help employees protect themselves and the organization.

4) Physical Loss of Device

Laptops, mobile phones, tablets, flash drives and other devices can easily get lost or stolen with sensitive data on them. If devices have not been properly encrypted, hackers may be able to access sensitive information.

What you can do
Organizations must continually educate employees on how to protect their devices physically and digitally. Make sure policies enforce encryption, complex start-up passwords and procedures on deletion of emails and text messages.

5) Insider Threat

Insider breaches happen. Whether it's a disgruntled employee, a contractor or even a vendor who has access to an organization's sensitive information, it's unfortunately not uncommon. Besides targeting your proprietary information, insiders may be targeting the confidential information of your customers.

What you can do
While there is no way to ensure this never happens, there are methods that reduce the chances of an occurrence, such as enforcing strict access rules for sensitive information, implementing a thorough screening process for contractors and subcontractors, and logging who is accessing confidential data and analyzing the logs for changes in trends that might indicate potential theft.
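
One way to do the trend analysis described above, as an added example that is not Secureworks code: it compares each user's daily count of distinct confidential records accessed with that user's own earlier days. The log format (`date user record_id`), the sample data and the thresholds are assumptions made for illustration.

```python
"""Flag users whose daily access to confidential records departs from their own baseline."""
import statistics
from collections import defaultdict

def build_sample_log():
    """Constructed audit lines in an assumed 'date user record_id' format (not real data)."""
    daily = {"alice": [4, 5, 3, 4, 5, 4, 5, 4], "bob": [3, 2, 4, 3, 3, 2, 3, 41]}
    lines = []
    for user, counts in daily.items():
        for day, n in enumerate(counts, start=1):
            lines += [f"2024-03-{day:02d} {user} REC-{day:02d}{i:03d}" for i in range(n)]
    return lines

def daily_counts(lines):
    """Return {user: {date: number of distinct records accessed}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the job
        date, user, record = parts
        seen[user][date].add(record)
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}

def flag_anomalies(lines, min_history=5, threshold=3.0):
    """Compare each day with the user's preceding days and flag large jumps."""
    alerts = []
    for user, days in daily_counts(lines).items():
        dates = sorted(days)
        for i, date in enumerate(dates):
            history = [days[d] for d in dates[:i]]
            if len(history) < min_history:
                continue  # not enough baseline for this user yet
            mean = statistics.mean(history)
            # Floor the spread so very steady users do not alert on +1 record.
            spread = max(statistics.pstdev(history), 1.0)
            if days[date] > mean + threshold * spread:
                alerts.append((date, user, days[date], round(mean, 1)))
    return alerts

if __name__ == "__main__":
    for date, user, count, baseline in flag_anomalies(build_sample_log()):
        print(f"{date} {user}: {count} records vs baseline {baseline}")
```

A per-user baseline matters here because a volume that is routine for one role can be a sharp departure for another; alerts from a check like this are leads for review, not proof of theft.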

* November 2013. Alan Paller, director of research at the SANS Institute, https://blogs.mcafee.com/business/security-connected/is-there-something-phishy-in-your-inbox