Even the most state of the art data security system can be brought down by a simple mistake from an internal user. Employees at every level in an organization access data on a daily basis and have the ability to put their organization’s security at risk. IT teams should not be the only employees within an organization who have an awareness of the best security practices. So what kinds of mistakes are commonly made, whether on purpose or by accident? And what can be done to make sure that these mistakes don’t become common practice and snowball into an out of control security breach?
There are a few different types of people who tend to put an organization at risk. While most data security aims to protect against the malicious user whose intent is to cause a breach, it is often more likely that a well-meaning employee simply didn’t know any better.
Imagine you work in a financial firm where security is of the utmost importance. It’s Saturday and a coworker has submitted a long report that you need to revise before getting to work on Monday. You hate trying to markup documents on your computer, and would much rather have a printout to easily flip through. Unfortunately, your company does not allow printing via remote connections. In order to solve this problem you send the report to your gmail account so you can use your printer at home and review the document without staring at your computer screen all day. Problem solved. However, this is very bad practice in handling data, and you just put your company’s security in jeopardy.
Emailing data is insecure for many reasons. When email was first developed, it wasn’t made to be secure and ensure complete user privacy. It was simply a convenient way of communicating. When you send an email it doesn’t just go from the sender account directly to the receiver account. The fact is that it moves from server to server and at each server there is a possibility of it being accessed by the server administrator. Once you hit the send button, the data contained in the email is out of your control. For this reason sensitive information should never be sent using email. If you need to share data, use a secure sharing portal that is developed for the purpose of keeping your data safe.
Another way that personnel can be attacked without their knowledge is through phishing attacks. Phishing is when criminals create fake websites that closely resemble real websites and use these fake websites to obtain information from users. It’s hard to tell the difference between these fake sites and the legitimate ones. There might be a slight difference such as a lowercase ‘L’ with a ‘1’ in the url.
Now imagine that you are a user who has the ability to grant access to one of your company’s applications. You receive an email that appears to be from the provider of this application. The email says that the provider suspects a breach and needs you to reset your password. In the email is what appears to be a reset password link except instead of being from ‘www.datasecurityonline.com’, the link leads you to the fake site ‘www.datasecurityon1ine.com’. Such a subtle difference in the url goes unnoticed and you follow the link and enter your credentials. The fake website is designed to save these credentials and now they are available to a criminal.
Situations like the previous one can be very scary for an organization. Unfortunately they aren’t all that uncommon either. This global phishing report found that there were over 123,000 unique phishing attacks in the first half of 2014 alone. Our innocent employee who thought he was protecting his account’s security just unknowingly fell victim to one of these attacks. His company’s security is now threatened and it is possible that no one is the wiser. That is why it is important to always know what you’re clicking on. When in doubt, best practice is to double check with the sender of the email BEFORE taking any action. A simple “Hey did you mean to send this to me?” could save a company a huge mistake, just don’t ask that question by hitting reply to the suspect email.
We may all be devils inside whether we mean to or not. For those who don’t mean to, it is important to be aware of ways to keep yourself and your organization secure.
This blog was written by Carly Bean.