10 Ways Uninformed Employees Put Your Organization at Risk

by Sterling

Companies of all sizes are at risk of cyber-attacks and data theft.  That’s why it is imperative that organizations put together a plan to defend against attacks and educate the staff on company policies on how data, the network and company hardware are to be handled and used.

Here are 10 threats that companies are challenged to combat.

1. Disgruntled Employees – If you decide to let an employee go, it is in your best interest to ask your IT team to restrict that employee’s access and role permissions before you break the news to them.

While it doesn’t happen often, there is still a risk that you may have a rogue staff member in your midst.  If you have a disgruntled employee intent on doing your company harm, there are only so many steps you can take to protect yourself from within.  Disgruntled employees typically will steal data, code, intellectual property, and other sensitive information or install harmful software that can wreak havoc on your network.

For starters, make sure there is a plan in place to regularly check all accounts with access to sensitive data and delete any accounts that are no longer in use or are connected to employees that are no longer at the company.  

After you reconcile all privileged accounts, make sure you monitor the remaining account activity.  Implement a plan to track, log and record privileged accounts and set up alerts for any suspicious activity.  Catching an attack like this right away is your best chance at avoiding major damage.
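
The reconciliation and alerting steps above can be sketched as follows. This is an added example, not part of the original article: the account names, the HR roster, the login records and the 90-day idle threshold are all assumptions made up for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (all names invented): current staff from HR, an
# export of accounts with access to sensitive systems, and recent logins.
ACTIVE_EMPLOYEES = {"asmith", "bjones", "cdiaz"}
PRIVILEGED_ACCOUNTS = [
    {"account": "asmith-admin", "owner": "asmith", "last_login": date(2024, 5, 28)},
    {"account": "bjones-dba", "owner": "bjones", "last_login": date(2023, 11, 2)},
    {"account": "dlee-admin", "owner": "dlee", "last_login": date(2024, 5, 30)},
    {"account": "svc-backup", "owner": None, "last_login": None},
]
LOGIN_EVENTS = [
    ("2024-06-01T02:14:00", "dlee-admin"),
    ("2024-06-01T09:01:00", "asmith-admin"),
]


def reconcile(accounts, active_employees, today, max_idle_days=90):
    """Map each account that needs review to the reason it was flagged.

    max_idle_days is an assumed threshold; the article does not give one.
    """
    cutoff = today - timedelta(days=max_idle_days)
    findings = {}
    for acct in accounts:
        owner, last = acct["owner"], acct["last_login"]
        if owner is None:
            findings[acct["account"]] = "no owner on record"
        elif owner not in active_employees:
            findings[acct["account"]] = "owner no longer employed"
        elif last is None or last < cutoff:
            findings[acct["account"]] = "no longer in use"
    return findings


def alerts(events, findings):
    """Return login events on accounts that reconciliation flagged."""
    return [(ts, acct, findings[acct]) for ts, acct in events if acct in findings]


if __name__ == "__main__":
    flagged = reconcile(PRIVILEGED_ACCOUNTS, ACTIVE_EMPLOYEES, date(2024, 6, 1))
    for name, reason in flagged.items():
        print(f"review {name}: {reason}")
    for ts, name, reason in alerts(LOGIN_EVENTS, flagged):
        print(f"ALERT {ts} login on {name} ({reason})")
```

Accounts with no owner on record, such as shared or service accounts, are flagged for review rather than deleted outright, because nothing in the roster can confirm who is responsible for them.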

2. Accidental Misuse of IT Assets – Often employees don’t realize they are putting the company at risk, but the consequences can be just as severe as those from a disgruntled employee.  Easy-to-make mistakes include copying sensitive data onto unsecured storage devices, using remote programs to access the company network and email, or inadvertently downloading malicious content onto a company computer.

Make sure you educate your employees on the dangers of mishandling company data and hardware.  If they are made aware of how susceptible they are, they may take extra precaution to avoid these types of mistakes.  

3. Cloud Applications – Demand that all company data stored in the cloud is heavily encrypted.  AES 256-bit encryption is thought by experts to be sufficient to protect even top secret information, even if stored in the cloud.

Protect the encryption keys heavily to stop any third parties or unauthorized employees from gaining access to your data.  Only a select few members of your staff should have access to these keys.

4. BYOD (Bring Your Own Device) – Employee-owned devices are now commonplace in the workplace.  The most common device brought in is a smartphone, but employees are also bringing in their own laptops and USB drives to work.

The risk this poses should be obvious.  Who knows if they are regularly updating their machines to patch known security issues?  How strong are their passwords?  Is data stored on their device encrypted?  These are just a few potential security holes that need to be addressed.

To minimize the risk and accommodate employee technology, many businesses are implementing BYOD policies.  While the trend of BYOD boosts productivity and helps lower costs, a BYOD policy is a must.

Common policies include password protecting employee devices, encrypting sensitive data, preventing local storage of corporate documents and/or limiting corporate access to non-sensitive areas.

5. Susceptibility to Phishing and Social Engineering – It’s almost hard to believe that about 75% of people will fall victim to a phishing scam.  Most of them do so by clicking a link in an email or on a web page that can deliver and install a nasty virus or other malicious code.  All it takes is one wrong click on a link.

Other phishing scams include trying to get unsuspecting victims to divulge private data.  Hackers will disguise themselves in an email that looks like it came from within the company.  It can include headers, graphics and signature lines that you find all over other digital company assets.  They hide in plain sight hoping to steal your information or hack into your computer.

Stopping these types of attacks is best done by educating your employees on the threats that are out there.  Make sure every employee knows to check the source of their emails and visited websites and to never click on any link or button unless they are positive it comes from a secure source.

6. Weak Passwords – A study was done last year that revealed the most common passwords.  “123456”, “qwerty” and “password” were all in the top 10!  It is mind-boggling trying to understand someone’s thought process when they choose a poor password like this.  Probably because they are not thinking!

All computer, device and network passwords need to be more complex so hackers have a hard time guessing them or using brute-force attacks.  A password management system should be set up company-wide that instructs employees to change their passwords frequently.  Set standards that require them to choose a password (minimum eight characters) with upper-case and lower-case letters along with at least one number.  You may also require them to use a special character like an asterisk or exclamation point.

7. Browsing to Unsafe Websites – Surfing dangerous websites should never be tolerated in the workplace!  Websites that let you download movies or music are especially risky.  So are most adult-oriented websites.  Bottom line, the company network should not be used to browse personal websites.

Unsafe websites are notorious for attacking visitors with viruses, malware and other harmful scripts that can cause major damage.  Many times, the user does not even realize what is happening until it is too late.

Block employees from visiting unnecessary websites.  It is easy to have the IT team blacklist certain sites or to only allow access to a list of approved websites.  By doing so you are not only protecting the employee from making a mistake, but also taking measures to protect the company.
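
An approved-sites check of the kind described above, as an added example that is not part of the original article. The approved entries are hypothetical, and the leading-dot convention for "this domain and its subdomains" is an assumption of this sketch. The point is to compare the parsed hostname exactly, because a simple substring test on the URL would also accept look-alike addresses.

```python
from urllib.parse import urlsplit

# Hypothetical approved list. An entry with a leading "." covers the domain
# and all of its subdomains; any other entry must match the host exactly.
APPROVED = {"intranet.example.com", ".example.org"}


def is_approved(url, approved=APPROVED):
    """Return True only if the URL's host is on the approved list."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False  # malformed URL: deny by default
    if parts.scheme not in ("http", "https") or not host:
        return False
    for entry in approved:
        if entry.startswith("."):
            # Match the bare domain or a true subdomain, never a mere suffix
            # such as "notexample.org".
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample URLs, using reserved example/test domains.
    for url in (
        "https://intranet.example.com/hr",
        "https://docs.example.org/guide",
        "https://notexample.org/",
        "https://example.org.downloads.test/font.zip",
        "https://intranet.example.com@files.test/",
    ):
        print("ALLOW" if is_approved(url) else "BLOCK", url)
```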

8. Installing Rogue Programs – Like clicking a corrupt link, a download can seem perfectly harmless.  Maybe an employee needs to download and install a certain font for a design document.  Or maybe they need some simple software to convert files into PDFs.  We often look for free solutions first, but they can come with a serious price.  Harmful executable files can be hidden in software and other things we download.  As soon as you start the free software or open a file, malicious code fires behind the scenes to steal your data, spy on you, or just simply destroy your equipment.

The best way to avoid this issue is by restricting an employee’s ability to download and install unapproved software.  With BYOD becoming more and more popular, it is getting harder to control what people put on their machines.  Make sure your BYOD policy clearly states the consequences of downloading and installing foreign programs.

9. Naivety with Social Media – Crooks are crawling social media just looking for someone to accidentally say or write the wrong thing.  Maybe an employee posts a selfie from the office that shows sensitive information in the background, like client documents or other information that can be used to an attacker’s advantage.  Posting too much information about your job at all is a mistake.  Cyber-attackers will compile as much information as they can to use in their phishing attacks.

Social media is also littered with harmful links and downloads.  It is probably best for your company’s safety and productivity if you implement a limited social media policy.

10. Third-Party Services – Many businesses use third parties to install and maintain some of their network infrastructure.  Take a retail store, for example: the point-of-sale terminals and software are often installed and maintained by a different company.

Whenever you involve a third party, you open your company up to a certain level of risk.  Most of the time it is an acceptable level, but to be sure, investigate any third party before agreeing to integrate with them.  Make sure they follow best practices within their company so you can rest assured they are doing the same with yours.
