Firewalls and Antivirus are Great, but what about your Employees?
The Verizon Data Breach Investigations Report states that email is the primary source of two-thirds of malware compromises. Email is an easy target simply because handling it involves so much human judgement. There is always a chance that someone will click a phishing link, open the wrong attachment or include sensitive, confidential information in an unencrypted email. The first step to securing your email systems is training your employees: train them to identify harmful messages and to know your firm's IT protocols and rules. There are four major ways in which your employees may end up compromising your email security.
- Falling for phishing scams: These emails appear to come from an authentic source and urge the reader to take an action, usually clicking a link and/or entering sensitive information into an online form that looks legitimate. The phishing links and their landing pages clone the original site so well that they are easy to mistake for the real thing. Examples include an email that appears to be from the IRS asking for sensitive financial data, or one that seems to be from your bank asking you to log into your account.
- Mistaking emails from hacked accounts for authentic ones: These emails really do come from a legitimate sender account, but that account has been compromised. One way to spot them is to notice when something seems not quite right: an email riddled with typos, spelling and grammar errors, a writing style that differs from the sender's usual one, or an unexplained instruction to download an attachment, fill in a form or install a patch.
- Not following strict password hygiene: There are two angles to this. The first is password sharing. Sharing passwords indiscriminately puts your email systems at risk. Often, people trust their coworkers and end up sharing system or email passwords without realizing the possible consequences. Sometimes it is just so much easier to share the password than to follow the protocol. For example, Bob from sales is too busy to prepare his commission report, so he gives his password to Lisa from accounting so she can calculate his commission for the month, and Lisa shares it with her team so they can work on the reports. Before you know it, three or more people apart from Bob have access to his system, including his email. The second issue in password hygiene is ignoring password basics: passwords that are too simple or obvious (dictionary words and proper names), passwords that are not changed as recommended, or the same password reused across multiple accounts.
- Exposing their personal devices to security threats and then using them for work in a BYOD environment: This threat comes with the flexibility-oriented culture of the modern workplace. Businesses allow their employees to work from anywhere, using their own devices. For example, someone could be reading and replying to work email on their phone or iPad while connected to the open wifi at the mall's food court. The risk such open networks bring to the table is enormous.
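The phishing item above turns on links whose visible text names one site while the actual target is a lookalike. The following is an added example, not code from the original post, that scans an HTML email body for exactly that mismatch; the sample message is constructed, and the two-label "registered domain" helper is a simplification that does not consult a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible link text names bank.example, the href does not.
SAMPLE_HTML = """
<p>Your account is locked. Sign in at
<a href="https://bank-example-secure.invalid/login">https://www.bank.example/login</a>
to restore access. Questions? Visit <a href="https://www.bank.example/help">bank.example/help</a>.</p>
"""

def registered_domain(host):
    """Crude two-label registered domain (assumption: no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (href_domain, text_domain) pairs where the visible text looks like a
    URL or hostname for one domain but the href points at a different one."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        m = re.match(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if not m:
            continue  # plain "click here" text: nothing to compare against
        href_dom, text_dom = registered_domain(href_host), registered_domain(m.group(1))
        if href_dom != text_dom:
            findings.append((href_dom, text_dom))
    return findings
```

A training exercise can show employees a message like the sample and ask them to hover over each link before trusting the text; this check automates that same comparison for a mail gateway or triage script.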
As discussed at the beginning of this post, email is a soft target because of the human element. You can organize classroom training sessions to educate your employees about your IT usage policies on password management, use of personal devices, data sharing and internet access. You can also conduct IT drills and workshops to help your employees identify possible IT security threats and steer clear of them. If you don't have the resources to do this, contact us. We have training resources that let you track employee progress and provide proof of policy acceptance, which can be critical in proving due diligence to insurers and customers when a breach happens.