Employees without security training are dangerous for a company, and cleaning up after their mistakes can be exhausting. This is true for any industry: clicking on an attachment or inserting an infected USB flash drive brought from home can be the end of normal operations. Crypto-ransomware infects the company's network, work is paralyzed, the IT department hunts for up-to-date backups to restore the drives encrypted by the malware, and the CEO calculates the losses from downtime.
At the same time, in accordance with the well-known Dunning-Kruger effect, untrained employees remain fully confident that they are doing everything right, or at least nothing terrible. That is precisely what leads to disastrous consequences.
In fact, almost all security systems are useless if employees do not know even the basics of information security. Such employees become the main vulnerability in a company's computer systems.
Understanding this state of affairs perfectly well, cybercriminals increasingly use employees as the weak point for their attacks. Exploiting a person's lack of knowledge is much easier than finding a vulnerability in the corporate network. Because of the poor information security literacy of a single employee, the organisation risks losing money, data, hardware and reputation. Here are some of the risks employees are exposed to:
Using private phones and laptops at work (Bring Your Own Device, BYOD) is a trend that is especially popular among startups. It seems like the embodiment of the win-win principle: the company does not have to spend money on acquiring and maintaining the workplace, and the employee works on a laptop that he chose and set up himself. If he wants to work from home, he does not have to copy work files, because access to corporate systems is already configured. The cost of buying the device is compensated by the possibility of sleeping longer or even staying at home and working remotely.
From the point of view of information security, using one device for both work and home tasks is a source of serious risks, especially if the employee is not diligent about learning the basics of information security.
After a busy day you want to relax. Downloading movies and music, or searching for games or pirated programs, can land something malicious on your computer. Then, once that computer is connected to the corporate network, all company data is under threat.
If you drop into a cafe and connect to the corporate network over public Wi-Fi to finish a report over a cup of coffee, your credentials can be intercepted and used to steal confidential information. A laptop or tablet can also be stolen or snatched on the way from home to the office, and then you also lose all the data stored on the device, which is usually far more important than the hardware.
The many-faced phishing
The traditional way of organizing work, with stationary computers, partially removes the risks characteristic of BYOD, but even then an insufficient level of information security awareness can be fatal for the organization. All employees use email, which means they are potential victims of phishing: fraudulent emails disguised as messages from delivery services, contractors, technical support or management.
Using phishing, cybercriminals can trick the victim into launching malicious software attached to the email, entering network credentials, or even making a payment to the fraudsters' account instead of the real counterparty's.
Targeted phishing (spear phishing) is more dangerous. Here the cybercriminals first collect information about the organization, its structure, employees and workflows, and then prepare emails that contain real names and positions and are styled in accordance with the organization's standards. Such emails are harder to recognize, so the effectiveness of these mailings is much higher.
In some types of phishing, such as Business Email Compromise (BEC), the emails contain no malicious attachments at all and look completely harmless. In this case the fraudsters start a correspondence with one of the company's managers on behalf of another organization and gradually convince him of the need to transfer money to their account. Despite how implausible the scenario sounds, in the spring of 2018 attackers extracted 19 million euros from the Dutch division of the French film company Pathé (https://www.accountant.nl/nieuws/2018/11/ceo-fraude-kost-pathe-ruim-19-miljoen-euro/).
Attackers do not stand still. We will see new forms of attacks aimed at naive users, and not all of them will be delivered via the Internet. One example is the attack via a free flash drive. At partner events, presentations and conferences, or simply as a gift, employees often receive flash drives with working materials. An employee who does not know the basics of information security will probably insert the USB flash drive into the computer immediately upon arriving at the office, and may get a malicious surprise. Sometimes the organizers of the event do not even know that the computer from which the advertising materials were copied onto the USB flash drives was infected.
This technique can also be used to intentionally infect a victim's computer. In 2016, the University of Illinois conducted an experiment, scattering 300 "charged" flash drives around campus to check how many people would use them and how soon. The results surprised the researchers: the first flash drive was connected to a computer after 6 minutes, 48% of those who found the flash drives used them, and all of them opened at least one file on the drive (https://elie.net/blog/security/concerns-about-usb-security-are-real-48-percent-of-people-do-plug-in-usb-drives-found-in-parking-lots/).
Another real attack (DarkVishnya) is one in which bank security officers did not notice a hidden device connected to the network. To carry out the attack, intruders entered banks' offices under the guise of couriers or visitors and covertly connected to the bank's local network a Bash Bunny mini-computer disguised as a USB flash drive, an inexpensive netbook, or a Raspberry Pi single-board computer equipped with a 3G/LTE modem. The device was disguised as part of the interior to make it harder to detect. The attackers then connected remotely to their device, scanned the bank's network for vulnerabilities, penetrated it and stole money. Several banks in Eastern Europe suffered as a result, and the damage from the DarkVishnya attacks amounted to tens of millions of dollars (https://www.fintech.finance/01-news/darkvishnya-new-series-of-unprecedented-cyber-robberies-in-eastern-europe/).
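A check that would have surfaced a device like the one in the DarkVishnya case, added here as an example (not code from the article or from any incident it cites): it reads constructed dnsmasq-style DHCP lease lines, flags every MAC address that is missing from a hypothetical asset inventory, and notes when the vendor prefix belongs to a Raspberry Pi single-board computer. The inventory, the lease lines and the hostnames are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of dnsmasq-style DHCP lease lines (not real logs):
# "<expiry> <mac> <ip> <hostname> <client-id>"
SAMPLE_LEASES = """\
1700000000 00:11:22:aa:bb:01 10.10.5.21 WS-ACCOUNTING-07 01:00:11:22:aa:bb:01
1700000000 00:11:22:aa:bb:02 10.10.5.22 WS-TELLER-03 01:00:11:22:aa:bb:02
1700000000 b8:27:eb:12:34:56 10.10.5.88 raspberrypi 01:b8:27:eb:12:34:56
1700000000 00:11:22:aa:bb:03 10.10.5.23 PRN-LOBBY-01 *
"""

# Hypothetical asset inventory (MAC -> asset tag); in practice this comes from the CMDB.
INVENTORY = {
    "00:11:22:aa:bb:01": "WS-ACCOUNTING-07",
    "00:11:22:aa:bb:02": "WS-TELLER-03",
    "00:11:22:aa:bb:03": "PRN-LOBBY-01",
}

# Vendor OUI prefixes registered to the Raspberry Pi Foundation / Raspberry Pi Trading;
# verify against the current IEEE registry before relying on this list.
SBC_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str


def parse_leases(text):
    """Yield (mac, ip, hostname) for each well-formed lease line; skip anything else."""
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            yield m.group(2).lower(), m.group(3), m.group(4)


def find_rogue_devices(lease_text, inventory, sbc_ouis=SBC_OUIS):
    """Return a Finding for every lease whose MAC is not in the asset inventory."""
    findings = []
    for mac, ip, host in parse_leases(lease_text):
        if mac in inventory:
            continue
        reason = "MAC not in asset inventory"
        if mac[:8] in sbc_ouis:
            reason += "; vendor OUI belongs to a single-board computer"
        findings.append(Finding(mac, ip, host, reason))
    return findings
```

Run this against real lease or switch MAC-table exports on a schedule and route the findings to the security team; combined with switch port security it turns a silent drop box into an alert.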
The striking result of the lost flash drive experiment shows how little people are concerned with security and how important it is to train users in correct behavior in such situations.
What can we do about it?
Despite the abundance of software and hardware protection on the market, it is worthwhile to devote part of the budget to countering attacks that target employees. The most important recommendations:
Educate. All employees should understand that ignorance of the principles of information security is not an excuse, and should therefore be interested in raising their own awareness. On the company's side, the cost of organizing and conducting information security training seminars should be considered an investment in reducing risk and preventing damage.
Train. Theoretical knowledge is quickly displaced in memory by information that is used more often. Practice makes perfect, so train your employees and test their knowledge in realistic situations. This strengthens their skills, and such exercises also let you identify the employees who have not absorbed the material and retrain them.
Implement a "See something, say something" policy. When confronted with a cyber threat, an employee may keep quiet about it until the last moment, fearing dismissal, or may try to deal with it on his own. Meanwhile, timely notification of the incident prevents malware from spreading throughout the corporate network. So it is important to set up procedures such that the employee who reports an attack receives thanks, and the information security service can contain the threat and begin to eliminate it.
Any computer system is vulnerable, and its weakest link is generally a person. The task of every business executive is to minimize the information security risks associated with attacks on employees. Training and proper organization of cyber-incident handling will help with this task. Ideally, compulsory knowledge of the basics of cybersecurity should be part of the corporate philosophy.