Co-authored by Daria Kirilenko, research consultant at CEB, now Gartner
Cyberattacks feature prominently in the news almost every week. While external hackers are often to blame for these incidents, data from CEB, now Gartner, indicates that surprisingly, half of successful cyberattacks are caused by employee mistakes (like opening a malicious link or attachment in an email) rather than sophisticated attacks (disclosure: I work for CEB, now Gartner).
Not only are these errors in judgement preventable, but they can cost companies millions of pounds and even more in reputational damage. There are also severe repercussions on customers and employees - exposing National Insurance numbers, addresses, compensation and tax withholding amounts. When personal information is exposed, it can be sold in underground cybercrime stores, making victims vulnerable to identity theft.
With attacks--and mistakes--occurring on a daily basis, employees need to take an active role in helping prevent and detect potential breaches. Here are three ways you can help prevent a hacker heist at your company and protect your personal information:
1. Be wary and purposeful in using social media. Infected links aren't just sent in emails, they're also lurking on social media. 2016 saw a 150 per cent rise in social media phishing from the previous year. With the rise of Facebook, Twitter and Instagram, sharing personal information with the broader public has become the norm. But perusing social media sites on personal cell phones while at work allows hackers to circumvent any barriers Information Security erected to prevent employees from entering high-risk sites. As such, they are able to launch targeted attacks on company employees - for example, sending videos and writing posts that appear to be sent by the victim's "friend" and masking malicious links on Twitter with a shortened URL to make them appear legitimate.
To help thwart this type of attack, don't alter your phone's pre-set security settings. Instead, complement existing security by installing an app that offers things like antivirus protection, data backup and remote wipe. But technology alone won't solve the problem. Be cautious in using social media when at work, regarding links with more suspicion and double-checking any suggested downloads and requests to share personal information.
2. Don't default to email. Studies have shown that lower volumes of email increase employee productivity and decrease stress levels, but sending and receiving fewer emails can also reduce the likelihood of a company data breach. Email volume continues to grow at a healthy pace, with about 3 per cent year-over-year growth in business email since 2015. Because companies have an increasingly global workforce, this upward trend is unlikely to reverse any time soon, as we need to communicate across geographies, languages and time zones. Yet the proliferation of email has reduced the time and attention we give to each message that arrives in our inbox - and hackers prey on this behaviour.
To decrease the effectiveness of phishing attacks via email, use other forms of communication more often. Opt for quick meetings and calls on topics where a quick decision can be made or, alternatively, that require more of a discussion.
3. Protect your passwords. Passwords have been used for years as the first line of defence for many systems. But employees often keep old passwords or use the same password across multiple sites, which compromises security. Even tactics that seem smart, like using the same word stem with an increasing numeric value, are easy to guess or crack.
Make your information more secure by creating a password that is complex to others, yet memorable to you. Start with a phrase that you've memorised - a line from a song, book or quote - and take the first letter of each word. Then randomly create variety in the letters using upper case, lower case and special characters to generate a unique password. Regularly create new passwords for critical accounts like online banking, retirement, and sites that store personal health information.
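The two points above can be turned into a concrete password-change check. The following is an added example (not CEB/Gartner code, and not a real product's policy engine): it rejects a candidate that merely bumps the trailing number of an earlier password, requires the case and special-character variety recommended above, and includes a helper that builds the first-letter initialism from a memorised phrase. Function and parameter names are assumptions.

```python
import re

# Added example, not CEB/Gartner code: a hypothetical password-change check
# that flags the "same word stem with an increasing number" habit the article
# warns about, plus the initialism helper for the recommended starting phrase.

# Splits a password into a leading stem, an optional trailing number and
# optional trailing punctuation, e.g. "Summer2018!" -> ("summer", "2018").
_TRAILING = re.compile(r"^(?P<stem>.*?)(?P<num>\d*)(?P<punct>[^A-Za-z0-9]*)$")

def split_stem(password: str):
    """Return (case-folded stem, trailing number or None)."""
    m = _TRAILING.match(password)
    return m.group("stem").casefold(), (m.group("num") or None)

def is_stem_increment(old: str, new: str) -> bool:
    """True when `new` reuses the stem of `old` and only the trailing number differs
    (or a number was appended), ignoring case and trailing punctuation."""
    old_stem, _old_num = split_stem(old)
    new_stem, new_num = split_stem(new)
    return new_num is not None and old_stem == new_stem

def has_variety(password: str) -> bool:
    """Upper case, lower case and at least one special character."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(not c.isalnum() for c in password))

def password_change_problems(history, candidate: str, min_len: int = 12) -> list:
    """Return the reasons to reject `candidate` given earlier passwords; [] means accept."""
    problems = []
    if len(candidate) < min_len:
        problems.append("too short")
    if not has_variety(candidate):
        problems.append("needs upper, lower and special characters")
    if any(candidate == h for h in history):
        problems.append("reused verbatim")
    elif any(is_stem_increment(h, candidate) for h in history):
        problems.append("same stem as a previous password with the number changed")
    return problems

def initialism(phrase: str) -> str:
    """First letter of each word of a memorised phrase, the article's starting point."""
    return "".join(word[0] for word in phrase.split())
```

Feed it the user's previous passwords (or their hashes compared via a stem-aware scheme) at change time; the empty-list result is the accept path.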
Security experts agree that for organisations, a cyber incident is not a matter of "if," but "when." But while companies can withstand the financial loss and reputational damage of an attack, employees may experience difficult personal consequences as a result. By remaining alert and following company security policies, employees can keep their company--and themselves--safe.