11 (+1) Human Factors in IT Security in 2018
Originally published on June 25, 2018 by Sascha Neumeier
Last updated on June 26, 2018 • 9 minute read
Surely you are familiar with the sentence: "People are often said to be the weakest link in the chain of IT Security". As old-fashioned as this sentence may sound, it still applies in 2018! IT admins are faced with the human factor every day over and over again.
Today we want to look in detail when employees in the company represent an IT security risk and, as a result of the risks, show you 13 efficient ways to boost the IT security understanding of your colleagues and employees!
Nowadays every second company is being digitally attacked! The employees are already enabling many attackers to access sensitive information. This makes industrial spying, data theft and sabotage easy!
To take appropriate measures, we look at the typical traps your employees fall into, and at which points some colleagues have criminal intent:
1. The Discovered USB Stick
Have you ever found a USB stick? I don't mean your own one, which you had misplaced at some point, but a strange stick, which was lying around somewhere? Yes? Were you curious and did you put the device in your computer? If so, you're in best company! Within the scope of a study, almost 300 USB sticks were "accidentally" lost, to find out what would happen. Nearly all sticks were taken by finders, with 45% of the drives having a saved file opened.
An attacker who prepares a stick has many opportunities. For example, it can use an infected file to spy out access data and passwords (social engineering) or spread zero-day exploits across the network. The attacker can even prepare the stick in such a way that the data carrier disguises itself on the computer as a keyboard and then executes commands on the computer via simulated keyboard entries. This is called HID spoofing.
2. The Profitable Sale of Company Data
Anyone who has ever worked in a development department knows how valuable company data can be. Selling blueprints, recipes, development designs or other trade secrets to competitors is a valuable business for employees. A dissatisfied co-worker, paired with a sufficient criminal impulse and approved data transfer possibilities is enough to lead a company into a crisis.
3. Steal Customer Data When Changing Jobs
In some areas it seems to be standard practice to take sensitive customer data from one employer to the next. Every one of us knows this one sales representative, who got hired at a competitor and who contacts us soon afterwards to get back into business with us. What happens in this case is classic theft, which is no less serious than if the employee were to withhold a company laptop and the company car at the end of his employment contract.
4. Convenience Beats Safety
After installing the latest Windows updates, the computer has to be restarted. The on-access virus scanner slows down the computer. Comfy employees prefer to avoid such processes completely. If it is possible to deactivate updates or virus scanners, this will be used, and IT security suffers tremendously!
5. Uncertainty, or: The CEO Fraud
In the case of the so-called CEO fraud, for example, offenders pretend to be the managing director of the company by telephone or e-mail and arrange for an employee to transfer a large amount of money to a foreign country. The employee is confused by the authority of the other party and approves the transaction. This scam can cause damage of several millions with sometimes weighty consequences for the affected companies or the fooled employees.
6. Unprotected Downloads & Streaming
Many employees have access to the Internet directly at their workplace. Despite constantly improving IT security systems and web filters, experienced, IT-knowledgeable colleagues manage to access unsafe content on the net again and again. I probably don't need to explain how this works to the admins among us. ;)
In my 20-year IT career, I've met some very sophisticated employees who have been able to stream the latest movies from the Internet in unattended night shifts, or download a mass of questionable, supposedly malicious files.
7. Hide Security Incidents
In 40 percent of all companies worldwide, employees have already swept incidents related to IT security under the rug. This was the result of a survey conducted by Kaspersky in cooperation with B2B International - employees from 5,000 companies were surveyed.
These security incidents include scam or Malware attacks, during which malicious software was transferred to an employee's computer. If the affected employee remains silent about this incident, the malicious code may spread through the company network.
8. BYOD (Bring Your Own Devil!)
I also like to call BYOD "Bring Your Own Devil"! In many cases, the employees bring the devil into the company. Suddenly, sensitive company data romps around on private smartphones, without ensuring consistent device security.
The same smartphone on which the current sales figures are stored in the afternoon is handed around the pub in the evening to show photos of the last holiday.
The possible loss of mobile devices also plays a role. According to one study, more than half of all security incidents at the companies surveyed are due to the loss of such a device.
9. Good Faith
Many attackers like to take advantage of people' s good faith! Did you not ever call a colleague as an admin and ask for his password on the phone? Either because it makes remote maintenance easier or because it has simply saved time or distance at that moment? Probably your colleague told you the password, too. What if the "colleague from the IT department" had been an unknown attacker? This example works in this way a thousand times over every day!
Indifferent employees are poison for every company! They rarely contribute to productivity and are also a potential vulnerability in terms of (IT) security. The "I don't care" attitude can be reflected in all security-relevant things. Whether it is the lax handling of passwords, the outspread disclosure of sensitive information or the too general distribution of access rights when sharing files with external partners, security is invariably compromised by such employees.
The most classic vulnerability in IT security is still very popular! Inconsiderate clicking aka curiosity about file attachments from unknown senders or entering sensitive information in input fields not intended for this purpose continue to cause annual losses in companies running into billions.
+1. Have an Eye on Your CEO!
Yes, you read right! Your CEO isn't any better than the rest of the staff! The man or woman at the top of your company should also be at the top of your security list. The FBI has estimated the monetary loss from C-level scams at around $2.3 billion over the last three years. Many CEOs also feel they are above making such mistakes, renounce security software, and take the view that something like this could not happen to them.
You can summarize all the above in the following 5 categories:
- Weak Password Security
- Careless Handling of Data
- Inadequate Software Security
- Ineffective Data Access Management
- Low Security Awareness
Well, all this is no reason to give up hope for a secure IT environment. Many of these vulnerabilities can be addressed and your colleagues' understanding of data and IT systems can be improved. To find out how to proceed most efficiently, read our summary - and of course we are looking forward to your experiences in the comments!