How employees put your company at risk during the holidays
Most enterprises of any significant size have implemented security training programs, designed to teach employees how to avoid major security risks – phishing attacks launched from clicking on suspicious email, password requirements that are complex and ever-changing, and perhaps even two-factor authentication when logging in to certain systems.
As the year comes to a close, and employees feel the pressure of both the holidays and year-end close, seemingly harmless behaviors can put an organization at risk. With hackers growing more sophisticated, and increasingly targeting major enterprises (case in point, Sony Entertainment, during the week of Thanksgiving), organizations must be extra-vigilant leading into the holiday season.
Below, we highlight three seemingly harmless behaviors that can compromise your security posture:
Online shopping
While online browsing and shopping used to be taboo in the workplace, most organizations today accept that tradeoff, in exchange for keeping employees in the office, and expecting them to be always available (better to have them at work than at the mall).
While shopping on well-known sites such as Amazon and eBay are likely highly secure, smaller retailers often do not have the capacity to engage in such rigorous security reviews of their sites. This leaves them vulnerable to attacks such as SQL injection, which may be used not only to steal things like credit card data, but also to potentially steal information about your employees (email address, password, mailing address, etc.), which can then be used to compromise other systems. In addition, if your employees provide their email address as part of their contact information (for shipping, returns, etc.), this opens them up to the possibility of a phishing attack, leveraging the information from the brand they shopped with.
Checking in while on vacation
While most bosses appreciate the diligent employee who checks in while on vacation, this can provide unique security challenges as well. Unlike the typical road warriors who are used to logging in remotely, following protocol for remote access, etc., those who only use remote access a few times a year are less likely to be attuned to the security risks. They may be more willing to engage in seemingly harmless but actually risky behaviors, such as utilizing public WiFi, not leveraging approved remote-access tools and systems, and leveraging personal emails or systems as a workaround for any inconvenience they may encounter.
Closing deals at any cost
The third not-so-wise man is probably the hardest to combat, because everything he or she is doing, is done in the name of closing those deals and making those numbers! Sending out proprietary information in the hope of getting a customer across the finish line? No problem! Giving a customer access to a demo server without going through the proper channels? All in the name of making that fourth quarter number, right? Giving a partner access to a portal, a server, or whatever else they need to get their customer in the door? Let’s do it! All of these behaviors have the best intentions, but can open up even the tiniest sliver that attackers may need to compromise your systems.
With cyber attackers increasing in sophistication, and specifically targeting high-value retailers and enterprises for both customer data (Target, Home Depot, etc.) as well as company proprietary information (Sony Entertainment), organizations would do well to remind their employees of basic security hygiene, as well as heightened awareness around these behaviors, over the coming weeks.