Raising employee awareness: a data protection prerequisite
Employees, a key part of cybersecurity systems
In a world in the throes of a fundamental digital revolution, the data security question is becoming increasingly important. Over 50% of French companies admit to having been targeted by cyber attacks in the last year*. At the same time, human error is estimated to be the entry point of 90% or more of hacks*, mainly through phishing and "rebound" (pivot) attacks via a provider that has itself been compromised.
WHY ARE EMPLOYEES BEING PUT AT FAULT?
Nowadays, the predominant cyber attack trend is hacking that results in financial gains for the cyber attacker. Ransom demands, hijacked money transfers, sale of confidential data: there are many scenarios.
To carry out this type of cyber attack, the attackers need access to a company’s servers. One way to get it is to steal an authorized employee’s credentials, and then, if the account is protected by two-factor authentication, to compromise their phone as well.
This is the breach: an employee unwittingly lets their credentials leak, which lets the hacker enter the system, explore it and escalate privileges (server access rights) to carry out the attack:
- data theft;
- system encryption;
- ransom demand;
- hijacking of a partner’s bank details to steal their bank transfers;
- setting up a false transaction to transfer money to themselves;
- etc.
THE ATTACKERS’ CLEVER PLOYS
The methods used by hackers vary, but they all have one thing in common: they need a click on a link or the opening of an attachment that will cause an employee to reveal their credentials or allow the installation of malware.
It may be an email from a trusted sender whose address has been spoofed (colleague, institution, bank, delivery company, …). Clicking the link then leads to a fraudulent copy of the site, which asks the user to log in with their credentials.
The circle is complete: the owner of the fake website now has the credentials, username and password.
Many users reuse the same password for all their accounts: exploring the possible logins then becomes relatively easy for hackers.
Sometimes an IoT device (a surveillance camera, for example) is protected only by the manufacturer’s default password, which is available online in the device’s user manual. More than a hundred million camera passwords worldwide were never changed at installation, and a connected camera is often enough to reach the company’s servers.
With supposedly legitimate attachments (text, spreadsheet, image, PDF), opening the file discreetly downloads a few lines of a malware program, which can be:
- a virus;
- a Trojan horse;
- a worm (a virus that’s used to download other hacker applications);
- software that captures passwords as they’re entered on the keyboard or scans application code to copy credentials.
Reading a message without following a link or opening a fraudulent attachment is normally safe: it’s the click that directs the user to the risk area.
Company IT departments implement various protection systems:
- access partitioning;
- granting of privileges (in particular administrator rights);
- automated data flow monitoring;
- no installation of executable software without verification and special authorization;
- encryption of stored data and data in use;
- etc.
However, each employee’s personal responsibility is also in play: the use of such very practical computer resources (especially when traveling or at home) requires precautions that only employees can implement, systematically, every day, and all the time:
- Never mix personal and professional use of the same equipment. A virus downloaded from a general public application, a game, a special offer, … will also be used to hack the professional accounts.
- Define strong passwords (complex, varied, regularly changed).
- Use multi-factor authentication: back up the basic login with an additional confirmation (code sent by text message, notification to be confirmed, …). As a rule, no one and no machine should be trusted: the spread of the “zero trust” concept aims to authenticate the hardware and the user at every connection request.
- Install a brand-name antivirus on the hardware and keep it up to date.
Vigilance and common sense must prevail: every message must be checked (text message, WhatsApp or Signal messages, emails, links, attachments, …):
- First, check the sender: are they known or not? A complex and unknown sender address probably indicates a suspicious origin. Be careful: sometimes hackers change just one letter of a contact’s address, or replace a letter with a character that looks like it. This is the sign of a forged e-mail address, very probably misused.
- Then check the message content, especially if it contains a “connection” (login) link. Simply moving the mouse pointer over it without clicking shows (usually in the bottom left corner of the screen) which web address the link actually points to. Sometimes it looks suspicious, and rightly so.
- Finally, check the attachments: some e-mail programs filter attachments by passing them to their antivirus software, but others let everything through. An employee on a protected machine, in particular one that blocks the installation of any software, can download the attachment without opening it and then scan it with antivirus/antimalware software. Even if the sender looks legitimate! Don’t hesitate to contact the sender by other means to find out whether they really sent a document, …
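As an added example (not from the article), the first two checks above, sender address and link target, can be automated in a small Python screening script. It assumes a constructed list of trusted domains and constructed sample addresses; the lookalike rules it applies are the two the article names, a single changed letter and a character that imitates a Latin letter.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed placeholder list of domains the organisation actually deals with.
TRUSTED_DOMAINS = {"example-bank.com", "example-partner.com"}

# Characters commonly substituted because they resemble a Latin letter:
# digits, Cyrillic a/o/e homoglyphs and the "rn" pair that reads as "m".
CONFUSABLES = {"0": "o", "1": "l", "\u0430": "a", "\u043e": "o", "\u0435": "e", "rn": "m"}

def normalize(domain: str) -> str:
    """Fold lookalike characters to the Latin letter they imitate."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is the 'one letter changed' case."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address: str) -> str:
    """Classify the sender's domain as 'trusted', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(folded, normalize(trusted)) <= 1:
            return "lookalike"
    return "unknown"

def check_link(display_text: str, href: str) -> bool:
    """True when the visible link text names a host that differs from the real target."""
    text = display_text.strip()
    if " " in text or "." not in text:
        return False  # plain words such as "click here" carry no host to compare
    shown = urlparse(text if "://" in text else "https://" + text).hostname
    return shown != urlparse(href).hostname
```

The script only screens for the article's two tricks; an unfamiliar but well-formed domain is still reported as "unknown" and needs the human check the article describes.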
A last tip? Employees should never leave their machines unattended; it is recommended that they be powered off or put on standby, with a session login code required to resume them, of course. Even at the office.
It’s essential to remember that any solicitation can be a source of risk, even if it seems totally legitimate; vigilance and positive verification must be the rule. Trust, yes, but that doesn’t mean not checking.
IMPLEMENT AND MAINTAIN A SECURITY MINDSET
It’s only with proper awareness raising – and even more, proper training with tests of the acquired knowledge – that all an organization’s staff will follow these good practices:
- posters and instruction reminder nudges;
- serious training (not just a few hours of MOOC);
- repeated every year, in line with the constantly changing threats.
In France, good technical advice can be found at the ANSSI or more accessible advice can be found at Cybermalveillance.gouv. How-to sheets and educational videos – some of them funny – can be downloaded.
RAISING EMPLOYEE AWARENESS OF DATA PROTECTION: GOING TO THE NEXT LEVEL
IT security is crucial for organizations: it has to be organized, shared, accepted and be part of the company’s operating rules, which must combine officially negotiated commitments and sanctions.
It’s then a question of conducting an HR awareness-raising campaign and negotiating with trade unions and staff representatives: this can be achieved using an IT charter attached to employment contracts or as an amendment signed by employees, for example.
Beyond this well-designed framework, company computer security is also a source of pride and enthusiasm. Nowadays it’s become a key motivational factor to be faultless in terms of data security.
The data security effort must become a competitive advantage
One shouldn’t consider IT security as a source of additional costs, but rather as a business advantage: company partners must feel reassured that the data they entrust is properly secured; they can even demand it. Customers too.
Data security is now included among request-for-proposals requirements, in the same way as CSR or environmental impact requirements.
Beyond this still rare obligation, it’s a notable differentiating factor that companies can propose in their quotations and responses to requests for proposals. Promoting a high level of security and putting it forward is a strong argument.
A TRANSPARENT SOLUTION: ENCRYPTION
There is an effective and comprehensive way to protect data from misuse: encryption.
The data may still be stolen, but it will be unusable and won’t be disclosed.
Transparent encryption (invisible to the user), on the fly (as soon as a document is created), immediate, and managed by the company (meaning it must not be outsourced to the cloud; only the company should hold the encryption keys) guarantees that no one other than duly authorized users will be able to see and understand the data.
It’s a system that should be generalized to all static or mobile team workstations.
Every user, from the highest to the lowest access level, must take responsibility for the handling of data. To do that, common sense dictates that any solicitation of the system be considered with caution, and that good security and authentication practices be generalized.
*source: CESIN 2021 report