With remote work now pushed to the fore, cybersecurity departments are coming under increasing pressure to maintain the organisation’s cybersecurity outside of traditional perimeters. While employees are a company’s biggest asset, they are paradoxically, also the biggest threat to perfectly constructed systems that would otherwise ensure business data remain safe and secure.
How then do we strengthen the weak link of cybersecurity – humans – when trying to safeguard an organisation and its data?
Whether it’s taking a more relaxed view when it comes to opening emails or mixing the use of personal and business devices, applications and websites at home, people will naturally use workarounds and shortcuts simply to get the job done. If IT leaders do not develop robust partnerships with the entire workforce, providing solid cybersecurity solutions combined with regular cyber education programmes, then their business’ security posture will be in jeopardy.
In line with Privacy Awareness Week, an initiative by the Asia Pacific Privacy Authorities (APPA), it is always a good practice to remind employees that they have a key part to play in ensuring that business data remains protected and uncompromised. Here are three areas which cybersecurity leaders can explore to minimise the risks of data breach.
- Privileged user access
According to Forrester, about 80 percent of data breaches have been linked to compromised privileged credentials.
Common causes for this are that organisations often fail to revoke particular rights when an employee’s role changes, or there is a blanket policy where everyone at a certain level is automatically granted access. Recent Forcepoint research shows that some organisations even assign staff with privileged access for no apparent reason — a particularly worrying trend.
The risk caused by over privileged users is not new, nor is it going away. But it does make the work of the attacker a lot easier.
Take for instance the SingHealth cyberattack in 2018 – where more than 1.5 million patients, including Singapore Prime Minister Lee Hsien Loong’s personal particulars and information of his outpatient dispensed medicines, were accessed by privilege and copied. This unprecedented incident highlights how cyber theft is a key risk as countries advances digitally.
As such, properly managing privileged, administrator level accounts with, for example, appropriate controls such as two-factor authentication (2FA) should be a high priority. However, a Cyber Security Agency of Singapore (CSA) report reveals that close to three in five Singaporeans do not enable 2FA – highlighting how users are aware of the need for 2FA but are not adopting the practices.
- Out-of-Office and business email attacks
Business email compromise attacks are becoming more and more common, but organisations may not be aware of the threat that the simple out-of-office reply can pose.
Providing extra detail in out-of-office messages can seem like a way to help employees truly switch off, and avoid work-related requests whilst on leave. But employees and managers should think twice about exactly what they are sharing in these notifications before they log off, as any names and phone numbers listed can prove useful intelligence for those planning phishing, impersonation or other social engineering attacks. CSA has reported that in 2019, 70% of cybercrime incidents reported to SingCERT by SMEs occurred through phishing attacks.
By knowing who reports to who, and potentially even receiving contact details that might not be publicly available, threat actors can get to work. With email addresses of senior leaders, attackers could use them to impersonate and send false requests for payment, access or more. Details might identify those responsible for making higher-level decisions, helping other kinds of entry into networks and access to sensitive data.
- Human error
Finally, one of the biggest risks to an organisation is human error. As Singapore and many organisations in Asia Pacific continue to work remotely amid the pandemic, the stresses of working at home are opening businesses up to cybersecurity attacks due to human mistakes. Other recent Forcepoint research has found that caregivers, in particular, tend to feel stressed out by competing demands from their personal and professional life.
People are also less likely to follow basic cyber hygiene practices at home such as locking their screens, logging into VPNs and using strong passwords.
A single mistake from a distracted employee, whether that is uncritically clicking a link, downloading an attachment, or responding to a seemingly genuine request to share sensitive details, could be all it takes to open organisations up to an attack.
Employers need to be aware that humans have a finite amount of memory and attention. When they are stressed and distracted by an unconducive home working environment, they are more likely to make mistakes, including cybersecurity related ones.
Combatting these Risks
To mitigate these risks, humans should first and foremost be viewed as the front line of any cyber defence. Training will help employees understand cybercriminals’ thinking around business email compromise attacks and create a procedure for them to raise the alarm when they receive requests for fund transfers or passing on confidential data. Businesses should also ensure staff take extra care in double checking what information they are giving away automatically in out-of-office responses, or in speculative emails.
Web security and email security tools should be in place to counter attacks before they have started, and multi-factor authentication on email accounts can stop hackers obtaining access to legitimate email accounts.
In addition, organisations must do a better job in tracking users with privileged access and ensuring that once access is granted, IT teams have a continuous understanding of how users interact with data, in order to prevent and respond to data breaches.
To cope with the ongoing remote or hybrid work environment, organisations need to provide greater support to their staff so that they can continue to stick to pre-set and learned IT security rules. Only by creating an environment where privacy, culture and security act as one, can businesses maintain a relationship of trust with their employees and safeguard their data, now and into the future.