The biggest problem most workers face is not realising that they can be the target of a cyber attack. The truth is that non-technical employees are the most common targets for online criminals.
Because of poor online habits or a lack of basic security knowledge, non-technical employees are often the easiest targets for attackers. Since the pandemic made remote working the norm, these knowledge gaps and bad habits put at risk not only the individual but the entire company they work for.
This is supported by a report from Tessian (a UK-based email security firm), in which more than half of the IT professionals surveyed say that remote work has made employees less vigilant about security and has introduced bad online habits. What is more, over a quarter of employees are reluctant to admit to security mistakes because they fear for their jobs.
The most common mistakes made by employees working from home include:
- failing to update system software and device firmware;
- underestimating the scale and sophistication of cyber attacks and relying solely on anti-virus software;
- failing to adequately monitor endpoints, network devices, processes, services and events;
- disregarding email security;
- opening suspicious messages and websites;
- choosing weak passwords and rarely changing them.
Phishing – one of the threats of the pandemic era
As the coronavirus spread around the world, attackers quickly turned it to their advantage. The shift of many employees to remote work opened up additional opportunities to attack large companies through their weakest link: employees outside the IT department. They are more susceptible to phishing, in which cybercriminals impersonate courier companies, government offices, telecommunication operators, or even our friends in order to harvest login credentials for bank accounts, social media accounts, or business systems.
In practice, the most effective remedy for this problem is employee training. The fight against attackers is a never-ending one: if you repel one attack or clean up after it, another may arrive a moment later. The best approach is therefore to avoid or minimise the opportunity for such threats in the first place, and the best way to do that is to organise training that makes employees aware of the threats they face online and of how to protect themselves.
Why is training so important?
When many of us moved from the office to our homes, attacks became far more frequent, and their quality and sophistication are growing all the time.
55 percent of companies in Poland estimate that the risk of cyber attacks increased during the pandemic. Moreover, as many as 64 percent of companies reported at least one such incident in 2020. However, what is most worrying is that only 25 percent of companies in the Polish market have increased spending on security, downplaying the risk of digital crime.
The most vulnerable are small and medium-sized businesses, whose defences against cyber attacks often have large gaps. Larger companies are usually well aware of the threat, but shortcomings and mistakes happen there too.
All of this shows how important it is to educate employees about cyber security and to minimise the potential threat of online attacks. Such training builds good habits in all employees and encourages adherence to existing instructions and procedures. This enables them to defend against attacks such as phishing, in which criminals use psychological manipulation to coerce users into clicking fake links and/or handing over sensitive data. At the end of the day, a company's success depends on its employees, and an ongoing cyber security training programme keeps them up to date with new attacker techniques.
How do you protect yourself from attacks?
Leaked data, exposed company secrets and stolen proprietary technology are all risks that come with being unprepared for cyber attacks and making mistakes online. All of this can have serious consequences, not only financial but also reputational.
A damaged or even destroyed reputation means losing current customers as well as new ones. To counter this, it is essential to build a coherent cyber security strategy in which tools and resources reduce the risk of human error and, with it, the risk of a successful attack. This is not a simple task: a company must address resource shortages (staff and budget), manage complex technologies, train end users, and meet the expectations of both management and customers.
To prevent this, it is a good idea to start with the basics of network security when working remotely and to develop some habits:
- keeping up to date with security guidelines;
- using a VPN;
- using separate devices for work and personal matters;
- properly securing your home Wi-Fi: updating router/access point firmware, using WPA2 or preferably WPA3, and choosing a strong Wi-Fi password (not a dictionary word and more than 13 characters long);
- recognising phishing emails;
- enabling device tracking and remote wipe (if the device supports it);
- enabling multi-factor authentication wherever it is offered;
- making regular data backups;
- securing sensitive data (e.g. by encrypting drives or directories);
- using different (and strong) passwords for different services and devices.
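The habit of "recognising phishing emails" can be partly automated: the indicators a trained employee looks for (a Reply-To that points somewhere other than the sender, a display name that borrows a trusted brand while the address sits on a lookalike domain, link text that names one host while the href leads to another, and pressure language such as "verify your account within 24 hours") are all checkable. The script below is an added example and is not code from the original article or from Altkom Akademia. It assumes a small allow-list of domains the organisation legitimately deals with (TRUSTED_DOMAINS), and both e-mail messages are constructed for the demonstration; the heuristics are illustrative, not a substitute for a mail-filtering product.

```python
"""Heuristic phishing indicators for incoming e-mail (added example).

Assumptions: TRUSTED_DOMAINS is the organisation's own allow-list, and the two
sample messages at the bottom are constructed for this demonstration.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation really does business with.
TRUSTED_DOMAINS = {"example-bank.com", "example-courier.com"}

# Pressure phrases typical of credential lures.
URGENCY_PHRASES = ("urgent", "immediately", "suspended",
                   "verify your account", "within 24 hours")


def _name_and_domain(header_value):
    """Return (display name, lower-cased address domain) for a From:/Reply-To: header."""
    name, addr = email.utils.parseaddr(header_value or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def _registrable(host):
    """Crude registrable domain: the last two labels (sufficient for the .com/.net samples)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _claimed_brand(text):
    """Return the trusted domain whose brand name appears in text, or None."""
    flat = re.sub(r"[^a-z0-9]", "", text.lower())
    for trusted in TRUSTED_DOMAINS:
        brand = re.sub(r"[^a-z0-9]", "", trusted.split(".")[0])
        if brand in flat:
            return trusted
    return None


def phishing_indicators(raw_message):
    """Return a list of (code, detail) findings for one RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    name, from_domain = _name_and_domain(msg.get("From"))
    _, reply_domain = _name_and_domain(msg.get("Reply-To"))

    # 1. Replies are steered to a different domain than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"{reply_domain} != {from_domain}"))

    # 2. Display name borrows a trusted brand, but the address is on a lookalike domain.
    brand = _claimed_brand(name)
    if brand and _registrable(from_domain) != brand:
        findings.append(("display-name-lookalike", f"'{name}' sent from {from_domain}"))

    # 3. Links: visible text names one host while the href goes elsewhere, or the host is a lookalike.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text, re.I)
        if shown and shown.group(0).lower() != host:
            findings.append(("link-text-mismatch", f"shows {shown.group(0)}, goes to {host}"))
        brand = _claimed_brand(host)
        if brand and _registrable(host) != brand:
            findings.append(("link-host-lookalike", f"{host} imitates {brand}"))

    # 4. Pressure language in the subject or body (HTML tags stripped first).
    plain = re.sub(r"<[^>]+>", " ", (msg.get("Subject") or "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    return findings


def is_suspicious(raw_message, min_findings=2):
    """Treat a message as suspicious when at least min_findings indicators fire."""
    return len(phishing_indicators(raw_message)) >= min_findings


# Constructed sample: a credential lure impersonating the bank.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@example-bank-secure.com>
Reply-To: support@mail-verify.example.net
To: employee@corp.example
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Please verify your account within 24 hours:
<a href="http://login.example-bank-secure.com/verify">https://www.example-bank.com/login</a></p></body></html>
"""

# Constructed sample: a genuine notice from the bank's real domain.
LEGITIMATE_SAMPLE = """\
From: "Example Bank" <notices@example-bank.com>
To: employee@corp.example
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is ready. See <a href="https://www.example-bank.com/statements">www.example-bank.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

Run stand-alone, the script reports five indicators for the constructed lure and none for the genuine notice. The point for training is the same one a human reviewer applies: no single indicator is proof, but several together are a strong reason to stop, avoid the link, and confirm with the supposed sender through a channel you already trust.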
For an employer to be as confident as possible that they have done everything to secure their employees, and with them the company, online, the training should be chosen to match the profile of the employees it is intended for. For example, an employee who handles payment cards should attend PCI DSS (Payment Card Industry Data Security Standard) training, while for a frequent business traveller, classes on public Wi-Fi and mobile device security would be a better choice.
Author: Dominik Węglarz, IT Trainer at Altkom Akademia