Cyber security in the workplace has become increasingly important as more businesses move to digital resources and the cloud post-COVID. Ransomware sits at the top of the list of threats that can cripple an organisation, and these attacks often start with a phishing email aimed at specific employees. It only takes one employee to fall for a sophisticated lure, and your organisation can be crippled by blocked file access, stolen data, and attackers who keep a hidden foothold on the network long after the initial compromise.
Recently the Colonial Pipeline, which carries gasoline, diesel and jet fuel from Texas to the East Coast, was hit by ransomware. The company halted pipeline operations while it dealt with the attack, disrupting fuel supply along the East Coast. Attacks of this kind have only accelerated, and they frequently start with an employee who does not recognise that a message is malicious. That is often a failure of cyber security education and awareness within the workplace.
CryptoLocker, one of the earliest and most widely reported ransomware campaigns, started with phishing emails. It infected hundreds of thousands of computers (estimates run close to 500,000) and caused widespread data loss across the globe. The malware was distributed by sending huge volumes of email with a ZIP file attachment; inside was an executable dressed up to look like a document. Once run, the ransomware scanned the computer and encrypted files so they could not be accessed unless a ransom was paid. Users should treat any unexpected ZIP attachment, particularly one from an external sender, as suspicious.
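The attachment check described above can be automated at the mail gateway rather than left to the recipient. The following is an added example, not code from the original article: it builds a few ZIP archives in memory (constructed samples, no real malware) and inspects the member names for what CryptoLocker-era lures relied on: an executable inside the archive, a double extension such as `Invoice.pdf.exe` that hides the real type when Windows hides known extensions, an encrypted member that a scanner cannot inspect, and an archive nested inside the archive. The extension sets and lure file names are assumptions chosen for the example.

```python
"""Triage a ZIP e-mail attachment before anyone opens it.

Added example, not code from the original article. Extension sets and sample
member names are assumptions for illustration; the ZIP blobs are constructed
in memory and contain no real binaries.
"""
from __future__ import annotations

import io
import zipfile

# Extensions Windows will execute directly or hand to a script host (assumed set).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "hta", "msi", "dll", "lnk", "jar",
}
# Extensions a user expects to be harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Archive types that, when nested, often exist only to defeat mail scanners.
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}


def inspect_member(name: str) -> list[str]:
    """Return findings for one archive member name (empty list if clean)."""
    findings: list[str] = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable member: {name}")
        # "invoice.pdf.exe" is shown as "invoice.pdf" when extensions are hidden
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension disguises executable: {name}")
    if ext in ARCHIVE_EXTS:
        findings.append(f"nested archive (scanner evasion): {name}")
    return findings


def inspect_zip(data: bytes) -> dict:
    """Inspect a ZIP attachment given as bytes.

    Returns {"verdict": "block" | "allow" | "invalid", "findings": [...]}.
    """
    findings: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                findings.extend(inspect_member(info.filename))
                if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                    findings.append(f"encrypted member, contents unscannable: {info.filename}")
    except zipfile.BadZipFile:
        return {"verdict": "invalid", "findings": ["not a valid ZIP archive"]}
    return {"verdict": "block" if findings else "allow", "findings": findings}


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP with the given member names (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign report and a CryptoLocker-style lure.
BENIGN_ZIP = make_zip({"report_q3.pdf": b"%PDF-1.4 stub", "notes.txt": b"hello"})
LURE_ZIP = make_zip({"Invoice_4471.pdf.exe": b"MZ stub, not a real binary"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("lure", LURE_ZIP)):
        result = inspect_zip(blob)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("   -", finding)
```

This is a name-based check, so it complements rather than replaces content scanning: a macro-enabled Office document or a PDF carrying an exploit passes it untouched, and an encrypted ZIP is flagged precisely because nothing can be inspected inside it.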
CISO: The Value of a Sin Eater
The role of a Chief Information Security Officer (CISO) is much like the “sin eater” of English folklore. A sin eater would eat a meal laid out for the dead and, in doing so, take that person's sins upon themselves, carrying the sins of others to absolve them of guilt, shame, and repercussions in the afterlife.
A CISO plays a similar role: the sins of internal employees land on the CISO’s reputation, job performance, and future prospects. When an employee falls victim to an attack, the resulting incident damages the organisation’s reputation and can take down production services. Rather than a single employee bearing the consequences, the CISO takes on the sins of the hapless victim and answers for the mistake.
That an organisation has only one CISO does not mean responsibility rests on one individual; the organisation as a whole carries it. In the case of the Equifax data breach, the server administrators and the CISO responsible for monitoring and patching software could be singled out for one of the biggest data breaches to date, but it was Equifax as a whole that was seen as irresponsible and took the blame for the fallout.
On top of being responsible for internal cyber security, a CISO’s workload has grown as more organisations moved to the cloud and went digital during the 2020 pandemic lockdowns. To stay productive, organisations had to support a workforce working from home, and that sudden change pushed them towards cloud computing and digital workflows. The result was companies operating in the cloud with very little thought given to security. Security was an afterthought, and threat actors took full advantage: phishing and ransomware thrived as more employees fell for sophisticated campaigns targeting individuals.
The Seven Deadly Sins of Cyber Security in the Workplace
Cyber security awareness is critical to risk avoidance. If your employees don’t know the anatomy of a phishing attack, they can’t be expected to avoid one. Human error is a major factor in data breaches. Here are seven deadly sins and the ways to avoid becoming the next victim:
- Poor passwords. Password length and complexity reduce the chance of a successful brute-force or guessing attack on employee credentials. Administrators can enforce rules that require a minimum length and complexity and prevent passwords from being reused. Length does more than forced complexity, and screening new passwords against lists of known-breached passwords and requiring multi-factor authentication protect accounts even when a password does leak.
- Public Wi-Fi risks. Users should understand the risks of public Wi-Fi. Critical applications should be used only over a Virtual Private Network (VPN), and users should never send sensitive data over an unencrypted connection.
- Missing or outdated antivirus. Organisations with a bring-your-own-device (BYOD) policy should educate users on the importance of installing antivirus and keeping it updated. Administrators can force updates on managed workstations, but they rely on users to keep their own devices current.
- Opening email attachments. Administrators can block suspicious email, but false negatives give threat actors the opportunity to trick recipients into opening malicious attachments. Users should know not to open unexpected attachments, especially from external senders, and to confirm with the sender through a separate channel when in doubt.
- Clicking links in email. Malicious links lead to attacker-controlled sites where users can be tricked into handing over their network credentials or other sensitive information. Users should know not to enter credentials after clicking a link in a message. Instead, they should type the known address of the service into the browser and check there whether the message is legitimate.
- Sharing credentials with other users. Users should never share passwords. If they do, an employee who has left the company could still have access to critical systems even after their own account has been deactivated.
- No cyber security awareness. Without education, users don’t have the resources to identify an attack. It’s the responsibility of the CISO to create an environment where cyber security education fosters better risk avoidance and fewer human errors.
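The advice on email links above rests on one observation: the text a user sees and the address the link actually opens are two different things. The following is an added example, not code from the original article, showing how a mail gateway can make that comparison automatically. It parses a constructed HTML message body with the standard library, pulls out every anchor, and flags the patterns phishing mail relies on: visible text naming one domain while the `href` goes to another, a `user@host` section that makes the real host appear after the familiar one, a login page reached over plain `http`, and a login page on a domain outside the organisation’s own. All hostnames are invented, and `TRUSTED_DOMAINS` stands in for your own allowlist.

```python
"""Spot e-mail links whose visible text and real destination disagree.

Added example, not code from the original article. Hostnames are invented,
the message body is constructed, and TRUSTED_DOMAINS is a stand-in allowlist.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Stand-in for the organisation's own domains (assumption for this example).
TRUSTED_DOMAINS = {"example.com"}

# Visible text that reads like a URL or bare hostname, e.g. "sso.example.com".
HOST_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#].*)?$", re.S)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the hosts used here; a real
    deployment should consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_link(href: str, text: str) -> list[str]:
    """Return the reasons one link looks like phishing (empty list if none)."""
    reasons: list[str] = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    is_login = "login" in parts.path.lower()
    if parts.username is not None:
        # http://sso.example.com@evil.test/ actually connects to evil.test
        reasons.append(f"credentials-in-URL trick: real host is {host}")
    if parts.scheme == "http" and is_login:
        reasons.append("plain http to a login page")
    match = HOST_LIKE.match(text)
    if match:
        shown_host = match.group(1)
        if registered_domain(shown_host) != registered_domain(host):
            reasons.append(f"text shows {shown_host} but link goes to {host}")
    if host and is_login and registered_domain(host) not in TRUSTED_DOMAINS:
        reasons.append(f"login page on untrusted domain {host}")
    return reasons


def scan_email_html(html: str) -> dict[str, list[str]]:
    """Map each suspicious href to its reasons; clean links are left out."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: r for href, text in parser.links if (r := assess_link(href, text))}


# Constructed sample message: one genuine link, two lures, one harmless footer link.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Review storage at
<a href="https://sso.example.com/login">https://sso.example.com/login</a>.</p>
<p>Or use the quick link:
<a href="http://sso.example.com@login-examp1e.test/login">sso.example.com</a></p>
<p><a href="https://examp1e-secure.test/account/login">Update your password</a></p>
<p>Unsubscribe: <a href="https://news.example.com/unsub">news.example.com</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The same comparison is what a user performs by hand when they hover over a link, so the gateway check and the awareness training reinforce each other: the tool catches the bulk of lures, and the user catches the ones with a plausible-looking domain the allowlist has never seen.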
Helping Employees Fight Cyber-Attacks and Be More Cyber-Aware
If CISOs don’t take the time to educate employees, they leave a large chink in the company’s cyber security armour. Awareness is the first line of defence against sophisticated attacks that exploit human error, so it should always be required training for new hires and current staff alike.
Awareness can be delivered in a number of ways: eLearning, hands-on training, and written policies. Employees are not hackers, so the material should be easy to understand. They should understand the consequences of falling victim to an attack and be armed with enough information to question the legitimacy of an email, phone call, website, or any other approach an attacker might use. They don’t need complete technical knowledge, but they must have the right information.
The biggest threats to an organisation are phishing and ransomware, and training reduces the risk from both. Employees armed with the right knowledge will recognise an attack, avoid becoming a victim, and alert the right people, and the CISO’s job becomes far less reactive. Without cyber security awareness, the CISO is left responding to attacks after the fact, attacks that can ruin both the CISO’s and the organisation’s reputation.