Credential theft and data breaches, often from simple things like phishing and brute-force password guessing, are becoming increasingly common as cybercriminals continue to refine their skills and tactics for tricking victims into falling for their scams. While cybercriminals remain diligent in carrying out their attacks, many business owners continue to spend their cybersecurity money in the wrong places.
Not sure what the Dark Web REALLY is? Check out "What really is the “Dark Web”? Shining a little light in the dark".
Often, business owners are unaware of what to do to help prevent their data or credentials from being stolen and sold in places like the Dark Web. Many people think that spending a buttload (actual unit of measure, just technically used wrong here because it is fun to say) of money on technology is the answer. Unfortunately, technology fixes nothing when your weakest link is actually your employees, and this is even more concerning in a day and age where employers can be held liable for a data breach caused by their employees, especially if they haven't taken reasonable measures to prevent it.
There is a great article on Entrepreneur that looks at 5 things your employees are doing that put your business at risk. The 2016 State of SMB Cybersecurity Report revealed that half (14 million) of the 28 million small businesses in the U.S. had been hacked by cybercriminals. That number has been increasing every year since then at an alarming rate, but why? According to a CNBC survey of 2,000 small-business owners, small businesses are not spending enough on cybersecurity; in many cases they aren’t spending anything at all, or even paying it any mind, thinking it won’t happen to them, even though 51% of data breach victims are small businesses.
With human error being the most common reason for a cyber intrusion, breached credential monitoring (AKA Dark Web Monitoring) and employee security training are crucial to reinforce the importance of good password hygiene and to make sure your employees know how to spot an attempt to get information and help prevent it. It is also one of the reasons we at LogicCloud IT offer a free breached credential scan to all businesses, no matter what their size.
Since it is possible to reduce your odds of getting hacked through employee security training, it’s important to understand what employees are doing that will get you hacked, and why monitoring and training are the two most basic cybersecurity measures you should have in place at a minimum; and not just because some of them are now required by newer laws or industry requirements. Below are the top 5 most common mistakes.
What are employees doing that will get you hacked?
- Being lazy
Employees often feel that it’s not their job to worry about security, that IT is responsible for “that kind of stuff”, or even that the company has spent a lot of money on technology, so there is nothing to worry about. Small and midsize businesses often lack IT resources equipped to handle cybersecurity threats or events like ransomware when they happen. Yes, when, not if. That is another good reason to partner with a managed IT provider for your internal technology management, or to augment and work in conjunction with the current in-house IT person; but that’s a whole other article. Employees should be aware that they are a target for cybercriminals and what to look for (security training), how exposed they already are as a known good target (breached credential monitoring), and that it’s their job to help stop an attack from succeeding by using these tools and always remaining diligent. We get calls all the time here at LogicCloud IT from businesses that have searched for an IT provider because of an emergency, and many times the common theme is that someone just wasn’t paying attention. Using a computer is literally becoming like driving a car in the amount of attention it takes. New rule: no texting or Facebooking while computering (I think that should be a new word).
- Unprotected email
Email hacking is one of the fastest growing cybercrimes, with millions and possibly billions of stolen email credentials for sale on the dark web. Employees often have 2-step verification turned off on their email account, giving hackers easy access to it if they have the stolen credentials or if the employee used an easily brute-forced password. Once a hacker is in that email account they have free rein to access any data stored in it, such as personally identifiable information (PII), credit card data and additional log-in credentials. Many times, they will sit in the mailbox monitoring it or forwarding the messages for weeks or months before actually making any kind of strike or making their presence known. 2-step verification is simple to enable in most popular email platforms. Once it is enabled, a code will be required to complete a login, usually generated by a special app or texted to the employee’s phone, so that a cybercriminal has no way to access that email account without the code. Yes, there are some rare ways to possibly bypass 2-step verification; however, because of the difficulty involved it is not worth the effort to most cybercriminals. The vast majority are looking for a quick and easy attack and would rather spend that kind of effort finding new victims, since they are plentiful.
- Clicking on fake emails
According to the cybersecurity company PhishMe, 91% of cyberattacks begin with a spear phishing email. In these phishing emails, hackers design the message to look authentic so the employee thinks it is coming from the real source it claims to be. These phishing emails may appear to come from a credible company’s customer support department, such as Microsoft or Google, or could even appear to come from someone inside the company. In many cases, once an employee falls for a phishing scam, their computer or mobile device becomes infected with ransomware, or worse, any shared drives or systems they have access to get the same infection and it spreads. Many times the attacker will simply sit in the mailbox undetected and have it forward to one of their own email accounts to gather data on you and your clients. When the attacker is done, the compromised email account is then used to send out phishing emails to people the employee regularly interacts with; these bypass almost all spam filters because they come from a real email address, and they are more likely to succeed because people are unguarded when they know, or regularly do business with, the person or place the email is coming from.
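Both of the last two sections mention the attacker quietly forwarding a compromised mailbox to an outside address. The following added example (not from the original post or from LogicCloud IT) shows the kind of detection logic a defender can run over mailbox audit events to catch that: it flags any newly created inbox rule that forwards to a domain the company does not own. The log format is a simplified, constructed JSON-lines shape invented for this example, not the schema of any real email platform, and the internal domain list is an assumption.

```python
import json
from email.utils import parseaddr

# Domains the organisation legitimately owns (assumption for this example).
INTERNAL_DOMAINS = {"example.com", "mail.example.com"}

# Constructed sample audit events, one JSON object per line, in a made-up simplified format.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T08:02:11Z", "user": "alice@example.com", "action": "InboxRuleCreated", "forward_to": "alice@mail.example.com", "client_ip": "10.0.0.5"}
{"ts": "2024-05-01T08:14:40Z", "user": "bob@example.com", "action": "InboxRuleCreated", "forward_to": "finance.backup@freemail.invalid", "client_ip": "203.0.113.77"}
{"ts": "2024-05-01T09:30:02Z", "user": "bob@example.com", "action": "MailboxLogin", "client_ip": "203.0.113.77"}
{"ts": "2024-05-01T10:05:59Z", "user": "carol@example.com", "action": "InboxRuleCreated", "forward_to": null, "client_ip": "10.0.0.9"}
"""


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one the organisation owns."""
    _, addr = parseaddr(address or "")          # strips any display name
    domain = addr.rpartition("@")[2].lower()
    return bool(domain) and domain not in internal_domains


def find_external_forwarding(log_text, internal_domains=INTERNAL_DOMAINS):
    """Return an alert for every inbox rule creation that forwards mail outside the company."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action") != "InboxRuleCreated":
            continue                              # only rule creations matter here
        target = event.get("forward_to")
        if target and is_external(target, internal_domains):
            alerts.append({
                "user": event["user"],
                "forward_to": target,
                "client_ip": event.get("client_ip"),
                "ts": event.get("ts"),
                "reason": "inbox rule forwards mail to an external domain",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_external_forwarding(SAMPLE_EVENTS):
        print(alert)
```

In practice the same check is worth running periodically against the existing rules on every mailbox, not only against new-rule events, since a rule created before monitoring started would otherwise never be seen.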
- Lousy passwords
SplashData reported that the most common password in use today is 123456. Not only is this a very weak password to begin with, but people are often reusing their easy-to-crack password across multiple sites and accounts, as well as sharing it with co-workers. Other common employee password mistakes involve poor physical protection, such as writing the password on a sticky note and leaving it on their computer, under their keyboard, or even on or in their desk. Employees may also be typing their password without paying attention to wandering eyes that may be watching them.
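The two problems just described, passwords that appear in breach or common-password lists and one password reused across accounts, are both checkable at the moment a password is set. The added example below (not code from the original post or from LogicCloud IT) does both with the standard library: the breach lookup uses the k-anonymity idea where only the first five characters of the SHA-1 hash are used to select candidates, so a client never has to reveal the full hash, and reuse is detected by grouping accounts by password hash. The corpus here is a tiny constructed stand-in for a real breach list, and this is illustrative of how a check like LogicCloud IT's breached credential scan can work, not its actual implementation.

```python
import hashlib

# Constructed, tiny stand-in for a breached/common-password corpus (real lists have millions of entries).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "letmein"}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the representation used by common breach-lookup services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(corpus):
    """Index the corpus by 5-character hash prefix -> set of hash suffixes (k-anonymity layout)."""
    index = {}
    for pw in corpus:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def is_breached(password: str, index) -> bool:
    """Only the prefix selects the bucket; the full match is decided locally on the suffix."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def find_reuse(credentials):
    """credentials: iterable of (account, password). Returns {hash: [accounts]} for every
    password used on more than one account. Hashes are used so plaintext is not kept around."""
    by_hash = {}
    for account, pw in credentials:
        by_hash.setdefault(sha1_hex(pw), []).append(account)
    return {h: accts for h, accts in by_hash.items() if len(accts) > 1}


def audit(credentials, index):
    """Combine both checks into a list of (subject, finding) tuples for a password-set hook."""
    findings = []
    for account, pw in credentials:
        if is_breached(pw, index):
            findings.append((account, "password appears in breach corpus"))
    for accts in find_reuse(credentials).values():
        findings.append((", ".join(accts), "same password reused across accounts"))
    return findings


if __name__ == "__main__":
    # Constructed sample: three accounts, one weak password and one reused one.
    sample = [("vpn", "123456"), ("email", "Tr0ub4dor&3"), ("crm", "Tr0ub4dor&3")]
    for subject, finding in audit(sample, build_breach_index(COMMON_PASSWORDS)):
        print(f"{subject}: {finding}")
```

A check like this belongs in the password-change path, where the plaintext is momentarily available anyway; it should never require storing employee passwords in a form that can be read back.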
- No backup
There’s a good possibility that at least one employee in your company, if not the entire company, isn’t backing up the data they should be, which is a major problem. Nowadays this even includes the most commonly overlooked backup that should be in place: the one for cloud-stored data. Make sure your company's cloud systems are backed up, including the big ones such as Microsoft Office 365 (SharePoint Online, Exchange Online, etc.), Google Apps and Dropbox, to name a few. This is often overlooked because it is assumed that the backup the provider does has the business covered. The cloud provider's backup is there to protect THEM, the provider, in the event of an issue in the data center, not to protect you from an issue on your side. Even your website(s) should be backed up. Not only is there a risk of files being lost due to technical issues, there is also the danger of losing those files to a cybercriminal or even your own employees; that recycle bin and second-stage recycle bin won't save you in the event of a full-on ransomware attack, let alone from a rogue employee you forgot to lock out before firing them or before you got wind they were quitting. During a ransomware attack, for example, a cybercriminal locks the user out of their account, computer, or files and denies them access unless a ransom is paid. Even after the ransom is paid, there is no guarantee that the files will be returned to the user, making backup files crucial, and it is almost a 100% guarantee that your data has already been uploaded to the Dark Web or another source for sale.
Although these employee mistakes can lead to major issues for your business, it’s not too late to start with the bare minimum in cybersecurity protection to protect yourself and your organization! Training employees on what to be on the lookout for is vital and a great way to ensure they can help prevent a hacker from carrying out a successful attack on your business; and breached credential monitoring and one-time scans like our FREE Breached Credential Scan are an amazing asset to help shed light on how alert an employee needs to be and how big of an attack target they are. They also help to reinforce the importance of good password hygiene on an ongoing basis; both of these should be the bare minimum foundation of any business's cybersecurity plans. In addition to security awareness training and breached credential monitoring, it is beneficial to share these 5 common mistakes with your employees to bring them to their attention and help them understand the risks they may be presenting.
The best offense is a good defense, and employees are the most powerful defense for a business. Isn’t that the reason why many businesses and top execs hire assistants and receptionists who are good at telling the difference between a sales cold call and a customer, and who let them know when someone got through that shouldn’t have, so they are trained and aware for the next one? If your time is too valuable to waste on constant sales pitches for things you don’t need, isn’t the constant barrage of attacks that could close a business for good at least worth a small look?
Below are a few resources to save to get started on your business's cybersecurity journey.