How One Employee Can Destroy Your Business: 7 Examples of Digital Illiteracy
His Work Technologies / December 28, 2020
New types of cyber threats emerge every day. It may seem that hackers and scammers are only after the giants of the market, but this is not the case. According to the Cyber Threatscape Report, 63% of all attacks target small businesses, and 60% of small companies shut down after a cyber attack. Moreover, the victims of the attacks are not necessarily Silicon Valley startups. The Prosecutor General's Office of the Russian Federation recorded 180,153 cybercrimes in the first six months of 2019, 70% more than in 2018.
Even if you have an entire IT department and antiviruses are installed on all computers, this is not enough for reliable protection. In addition, there is always a human factor: the wrong actions of employees can lead to a digital disaster. Therefore, it is important to talk to your team about cyber threats and explain to them how to protect themselves. We have collected seven situations in which one person's indiscretion can cost your company dearly.
1. Following a malicious link
- Situation: an email is sent to the employee's mail, which looks like a regular mailing from a familiar addressee. The letter contains a button that leads to a site that does not arouse suspicion in a person. The employee follows the link and is redirected to the scam site.
The described mechanism is a so-called phishing attack. According to Microsoft research ("Microsoft Research: Phishing Attacks Grow 350% in 2018"), this is one of the most common fraudulent schemes: in 2018, the number of such attacks increased by 350%. Phishing is dangerous because it relies on social engineering: attackers send emails on behalf of a company or a person whom the victim trusts.
Fraudulent schemes are becoming more and more complex: attacks take place in several stages, and emails are sent from different IP addresses. A phishing email can even be disguised as a message from a company executive.
To avoid getting caught, read every letter carefully, look for a discrepancy of even one letter or symbol in the sender's address, and in case of any suspicion contact the sender before acting on the message.
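The "one letter or symbol" discrepancy in a sender's address is something a mail gateway or a security team can check automatically rather than leaving it to each employee's eyesight. The script below is an added example, not code from the original article or from any product it mentions: it extracts the domain from a From header, collapses characters that are commonly substituted in lookalike domains (digit-for-letter swaps, "rn" for "m", Cyrillic letters that render like Latin ones), and compares the result against a constructed list of trusted domains. The trusted domains, the confusable table and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
"""Flag sender addresses whose domain imitates a domain the company trusts."""
import unicodedata
from difflib import SequenceMatcher

# Constructed list of domains the company actually corresponds with (assumption).
TRUSTED_DOMAINS = {"example.com", "partner-bank.com"}

# Substitutions commonly seen in lookalike domains (constructed, not exhaustive).
# Multi-character entries come first so "rn" is collapsed before single letters.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "і": "i",  # Cyrillic homoglyphs
}

# Similarity above which a domain is treated as a near-copy (assumed threshold).
LOOKALIKE_RATIO = 0.85


def sender_domain(address):
    """Return the lower-cased domain of 'Name <user@host>' or 'user@host', else None."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].lower()


def skeleton(domain):
    """Collapse confusable characters so a lookalike compares equal to the original."""
    d = unicodedata.normalize("NFKC", domain.lower())
    # Strip accents (é -> e): decompose, then drop the combining marks.
    d = "".join(ch for ch in unicodedata.normalize("NFKD", d)
                if not unicodedata.combining(ch))
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def classify_sender(address):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a From header value."""
    domain = sender_domain(address)
    if domain is None:
        return "invalid"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    skel = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        t_skel = skeleton(trusted)
        # Exact match after collapsing confusables: examp1e.com, exarnple.com, Cyrillic 'е'.
        if skel == t_skel:
            return "lookalike"
        # Trusted name embedded in a longer host: example.com.login-check.net, example-com.net.
        if t_skel in skel or t_skel.replace(".", "-") in skel:
            return "lookalike"
        # One-character edits that the confusable table does not cover.
        if SequenceMatcher(None, skel, t_skel).ratio() >= LOOKALIKE_RATIO:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From headers; "еxample.com" uses a Cyrillic 'е'.
    for hdr in ["Alice <alice@example.com>", "billing@examp1e.com",
                "ceo@exarnple.com", "it@example.com.login-check.net",
                "pay@еxample.com", "info@unrelated.org"]:
        print(f"{hdr:40} -> {classify_sender(hdr)}")
```

A "lookalike" verdict is a reason to quarantine or tag the message for review, not proof of fraud on its own; a legitimate new supplier with a similar name will also trip it, which is why the check ends with a person contacting the sender rather than an automatic block.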
Artyom Sinitsyn
Director of Information Security Programs in Central and Eastern Europe, Microsoft.
In addition to regular cybersecurity literacy training, it is also necessary to conduct "field exercises": carry out controlled phishing mailings and record how many people read the messages, follow the links in the letter, and open attached documents. For example, Microsoft Office 365 includes the Attack Simulator tool. It allows you to carry out such a mailing in a few mouse clicks and get a report with accurate data.
2. Downloading an infected file
- Situation: the employee needs new software to work. He decides to download the program in the public domain and ends up on a site where malware pretends to be useful software.
Viruses on the Internet are often disguised as working software. This is called spoofing: falsifying the purpose of a program in order to harm the user. As soon as an employee opens the downloaded file, his computer is at risk. Moreover, some sites automatically download malicious code onto your computer even when you have not tried to download anything. These attacks are called drive-by downloads.
Further consequences depend on the type of virus. Ransomware used to be common: it blocked the computer and demanded a ransom from the user in order to return to normal operation. Now, another option is more common - attackers use other people's computers for mining cryptocurrencies. At the same time, other processes slow down, and system performance decreases. In addition, having access to a computer, fraudsters can obtain confidential data at any time.
Artyom Sinitsyn
Director of Information Security Programs in Central and Eastern Europe, Microsoft.
It is because of these scenarios that it is important to integrate automatic reputation checks of websites and downloaded files into workflows. For example, Microsoft products conduct reputation analysis through the SmartScreen service. It uses the cyber intelligence data we receive from nearly 8 trillion signals processed in the Microsoft cloud every day.
Company employees should be aware that working software must not be downloaded from random sites on the Internet. People who post programs on the Web bear no responsibility for the safety of your data and devices.
It's not only safe but also convenient: with Office 365 you can use all the Office applications, sync Outlook email with the calendar, and keep all important information in the 1 TB OneDrive cloud storage.
3. File transfer over unsecured channels
- Situation: the employee needs to share a work report with confidential information with a colleague. To make it faster, he uploads the file to social media.
When employees find it inconvenient to use corporate chats or other office software, they look for workarounds. Not to cause harm intentionally, but simply because it's easier. This problem is so widespread that there is even a special term for it: shadow IT. This describes a situation in which employees create their own information systems contrary to those prescribed by the company's IT policy.
It is obvious that the transfer of confidential information and files via social networks or channels without encryption carries a high risk of data leakage. Explain to employees why it is important to adhere to protocols that are controlled by the IT department so that in the event of problems, employees will not be personally liable for the loss of information.
Artyom Sinitsyn
Director of Information Security Programs in Central and Eastern Europe, Microsoft.
Transferring a file in a messenger or social network, then receiving it back with comments from several colleagues and keeping all these copies up to date is not only unsafe but also inefficient. It is much easier to put the file in the cloud, give all participants a level of access appropriate to their roles, and work on the document online. In addition, you can set a validity period for the document and automatically revoke co-authors' access rights when the time runs out.
4. Outdated software and lack of updates
- Situation: the employee receives a notification about the release of a new software version, but all the time he postpones the system update and works on the old one, because there is “no time” and “a lot of work”.
New software versions are not only bug fixes and prettier interfaces. They also adapt the system to emerging threats and close information leakage channels. A Flexera report showed that you can reduce the vulnerability of a system by 86% simply by installing the latest software updates.
Cybercriminals regularly find more sophisticated ways to hack into other people's systems. For example, in 2020 artificial intelligence is being used for cyberattacks, and the number of cloud storage breaches is growing. It is impossible to provide protection against a risk that did not exist when the program was released. Therefore, the only way to improve security is to always work with the latest version.
The situation is similar with unlicensed software. Such software may lack an important part of the functions, and no one is responsible for its correct operation. It is much easier to pay for licensed and supported software than to risk important corporate information and jeopardize the operation of the entire company.
5. Using public Wi-Fi networks for work
- Situation: an employee works on a laptop in a cafe or airport and connects to the public network.
If your employees work remotely, instruct them on the dangers of public Wi-Fi. The network itself can be a fake through which scammers steal data from computers when users try to connect. But even if the network is real, other problems may arise.
Andrey Beshkov
Head of Business Development at Softline.
The main threat of using public Wi-Fi is eavesdropping on traffic between a user and a website, for example a social network or a corporate application. The second threat is when an attacker performs a man-in-the-middle attack and redirects the user's traffic (for example, to his own copy of a website that imitates a legitimate resource).
As a result of such an attack, important information, logins and passwords can be stolen. Scammers can start sending messages on your behalf and compromise your company. Connect only to trusted networks and do not work with confidential information over public Wi-Fi.
6. Copying important information to public services
- Situation: the employee receives a letter from a foreign colleague. To understand everything exactly, he copies the letter to the translator in the browser. The letter contains confidential information.
Large companies develop their own corporate text editors and translators and instruct employees to use only them. The reason is simple: public online services have their own rules for storing and processing information. They are not responsible for the privacy of your data and may transfer it to third parties.
You should not upload important documents or fragments of corporate correspondence to public resources. This also applies to spelling and grammar checking services. Cases of information leakage through these resources have already occurred. It is not necessary to create your own software; it is enough to install reliable programs on work computers and explain to employees why it is important to use only them.
7. Ignoring multi-factor authentication
- Situation: the system prompts the employee to associate a password with a device and a fingerprint. The employee skips this step and only uses the password.
If your employees don't keep their passwords on a sticky note glued to the monitor, that's great, but it is not enough to eliminate the risk of loss. A login/password pair is not enough for reliable protection, especially if a weak or too short password is used. According to Microsoft, if one account falls into the hands of cybercriminals, then in 30% of cases they need about ten attempts to guess the password for that person's other accounts.
Use multi-factor authentication, which adds other checks to the login/password pair: for example, a fingerprint, Face ID, or an additional device that confirms the login. According to Microsoft ("One simple action you can take to prevent 99.9 percent of attacks on your accounts"), multi-factor authentication protects against 99% of attacks aimed at stealing data or using your device for mining.
Artyom Sinitsyn
Director of Information Security Programs in Central and Eastern Europe, Microsoft.
Long and complex passwords are especially inconvenient to enter on smartphones. This is where multi-factor authentication can help make access much easier. If you use special authenticator apps (for example, Microsoft Authenticator), you don't have to use a password at all on your smartphone. But at the same time, if necessary, leave the password entry mandatory for laptops and PCs.
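The "additional device that confirms the login" usually works by a shared secret and a clock: the authenticator app and the server both derive a short code from the secret and the current 30-second window, so a stolen password alone is not enough. The code below is an added example, not code from the article or from Microsoft Authenticator: it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms from the Python standard library and shows the server-side verification step, including the clock-drift window and a guard against re-using a code that was already accepted. The demo secret is the RFC test-vector key and the `last_counter` replay store is an assumption standing in for a per-user database field.

```python
"""Server-side verification of a time-based one-time code (RFC 6238) as a second factor."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret; a real deployment generates a random
# per-user secret and shares it once, out of band (QR code), with the authenticator.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter and take a dynamic 31-bit slice."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: the counter is the number of whole `step`-second windows since the epoch."""
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret, submitted, last_counter, now=None, window=1, step=30, digits=6):
    """Check a submitted code against the current window and `window` neighbours.

    Returns (accepted, new_last_counter). Codes for a counter <= last_counter are
    rejected so that an intercepted code cannot be replayed within its lifetime.
    """
    now = time.time() if now is None else now
    current = int(now) // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue  # already consumed (or older than one we accepted)
        expected = hotp(secret, counter, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Simulate a login at a fixed instant (constructed), with no code used before.
    login_time = 1_111_111_109
    code_from_phone = totp(DEMO_SECRET, login_time)
    ok, last = verify_totp(DEMO_SECRET, code_from_phone, last_counter=-1, now=login_time)
    print("first use accepted:", ok)
    # The same code presented again a few seconds later must be refused.
    ok2, _ = verify_totp(DEMO_SECRET, code_from_phone, last_counter=last, now=login_time + 5)
    print("replay accepted:", ok2)
```

The `window=1` tolerance accepts the previous and next 30-second code as well as the current one, which is what lets a phone with a slightly wrong clock still log in; widening it much further trades that convenience for a larger guessing surface, so the server should also rate-limit failed attempts.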
To protect your business from modern cyberattacks, including phishing, account hacking, and email infection, you need to choose reliable collaboration services. Technologies and mechanisms for effective protection must be built into the product from the start, so that it is as convenient as possible to use and at the same time you do not have to make compromises on digital security.
This is why Microsoft Office 365 includes a range of intelligent security features. For example, it protects accounts and login procedures from compromise using a built-in risk assessment model, offers multi-factor authentication for which you do not need to purchase additional licenses, and supports passwordless authentication. The service provides dynamic access control that takes risk assessment and a wide range of conditions into account. Office 365 also contains built-in automation and data analytics, and allows you to control devices and protect data from leakage.