By Alex Klamkin, Director, Systems and Information Security, Wilson Allen
It’s that time of year again when many people start to think about holiday shopping. For this year’s shopping season, analysts are forecasting an even greater shift toward online shopping.
With the lines between home and work all but erased for many people, more and more employees are likely to use work equipment for personal purposes. In doing so, they may inadvertently expose the firm’s data, clients’ data, and their own personal information to people with malicious intent.
How can firms minimize this risk? Through better security and awareness training.
Think the risk is slim? Think again.
According to the Egress 2020 Insider Data Breach Survey, 78% of IT leaders say employees have accidentally put data at risk in the past 12 months. Many people simply don’t know enough to recognize what to be wary of and what to avoid. Better security awareness training helps them understand the dangers of using work equipment for personal purposes, so they stop doing it.
Take, for example, the work laptop. When people start to use it for personal needs, they’re generally not thinking about its connections to the servers and software the firm runs on-premises or in the cloud. Cached credentials, VPN profiles, and signed-in sessions mean that whoever controls the laptop has a foothold in those systems as well.
The Rise of Social Engineering
If a wrongdoer wants to steal a company’s data, the lowest barrier to entry is social engineering – where someone with malicious intent establishes a personal connection with the user of the computer and then exploits it. Breaking into a network by purely technical means is harder and succeeds less often; social engineering is far more effective.
Social engineering is a non-technical strategy that relies heavily on human interaction and usually involves tricking people into breaking standard security practices. The simplest model is a cyber thief posing as an online retailer. Perhaps they offer a deal that’s too good to be true, so the user orders an item and the criminal begins corresponding with the user. By profiling the user’s social media presence, the “retailer” may learn that the user works for a large law firm, making him or her an ideal target. A common ploy is then to send the user a message carrying a malicious payload in the form of an attachment. Having already built a relationship with the criminal, the user opens the attachment because it appears trustworthy. Antivirus software is not a reliable backstop here: a payload built for a handful of targets is unlikely to match a known signature, so the “work computer” becomes infected, and the bad actor gains access not only to company files and information but also to the user’s personal information. Because the attack arrives as an email attachment, even using a personal email account from the work computer puts the firm and the user at risk: mail delivered to a personal webmail account never passes through the firm’s mail gateway, so whatever attachment filtering the firm applies to its own mail never sees it.
It’s not just anonymous attackers hiding behind their keyboards who pose a threat. Sometimes people known to employees take advantage of work devices that have been left unattended and unlocked. Whether these people misrepresent themselves with the intent to steal data or act impulsively on an opportunity that suddenly presents itself, unattended and unprotected work computers are a risk to the employer and its clients.
The greater the perceived value of the employer’s data, the greater the effort people will make to access it. Notice the word perceived. Beauty is in the eye of the beholder: sometimes even innocuous-looking information looks appealing enough for someone to want to steal it. Employees may believe they don’t have anything worth stealing; that doesn’t mean others share that belief.
How Security Training Can Help
Many will think they’re too savvy to fall for any schemes a cyber attacker would attempt. But cybercriminals are constantly developing new tactics and trickery. Because of this, there’s no such thing as too much training or too much information. Even if you’ve told employees five times before to be wary of phishing emails, the sixth time may be the one that resonates the best. And that sixth message may include the key missing details that help people see things in a different light.
Why Training Is In Your Employees’ Best Interest Too
While all firms have different policies about acceptable use of company equipment, in general, it is fair to say that employees aren’t supposed to use their work equipment for personal reasons. This principle holds for shopping, browsing, streaming, or anything else that is not work-related. Shopping is only one example of a seemingly harmless activity that can actually be risky.
Once a work computer is compromised, cybercriminals can access everything on it, including material they can use for extortion. If employees store personal data such as passwords, account numbers, or photos on a work device, they risk exposure of that information when the device is compromised. Moreover, if an employee uses a work computer for a personal project – writing a book or developing code for a new solution – the employer may have a legal claim to the intellectual property created on that device, depending on the employment agreement and the applicable law.
There are many potential issues an employee may not be thinking about when using a work computer for personal purposes. The way to make them aware of those issues, and to avoid them, is through training.
To learn more about how Wilson Allen can support your firm’s security awareness training through our Capensys Sentinel program, visit our training page.