
Agile Insider Blog


8 Techniques to Prevent Employee Error Security Breaches

No matter how strong your firewalls are, or how thorough your anti-virus software is, some security breaches simply can’t be stopped by technology and network rigor alone. Learning to prevent employee error security breaches is key to protecting your business. The hacker community is tenacious. Its members will try anything in their power to access valuable and potentially profitable business data.

From the names and credit card numbers of your clients to business secrets they can sell to competitors, the information on your private network and handled by your employees is highly valuable on the data black market.

The problem is that no amount of cutting-edge network security can keep your business data or even the network itself completely safe. That responsibility, as well as that burden, falls on the shoulders of your employees.

Human Error and IT Security Breaches

The vast majority of all business security breaches aren’t caused by exceedingly clever hackers sneaking onto the network through backdoors and security loopholes. Depending on the study you’re reading, human error is the cause of 60% to 90% of all security failures. This could be anything from setting the wrong permissions on a private document, to being tricked by social engineering.

The challenge for every modern business is therefore a combination of preparation and staff training: helping employees understand that their everyday decisions carry security consequences, and showing them how to avoid accidentally causing a breach.

Today we’re here to share eight techniques that will help you and your team significantly reduce the risk of human error in your IT security plan.

1. Block All Web Browser Downloads

It’s a fact of modern business that employees will ‘surf’ the internet at their desks. More often than not, this will be part of their job as they perform research, look for solutions, check references, and seek inspiration for new projects.

Of course, not every website on the internet is safe. There will always be a scattered collection of dangerous websites built or infected by hackers that spread malware with a single visit to the home page. Sometimes the spoofs look like popular sites with a single change in the URL. Sometimes they’re pretending to be useful blog articles. And sometimes an employee really will venture into inadvisable online content.

No matter where the browsers on your workstations end up, you have one option that stops them from ever becoming the source of a malware infection: block downloads. Microsoft Edge and Google Chrome both expose this as the DownloadRestrictions group policy (a value of 3 blocks every download; lower values block only files the browser itself flags as dangerous), and most other browsers offer an equivalent managed setting. Apply it centrally so that every browser on every work computer refuses site-initiated downloads, or, if that is too strict for some teams, allow downloads only after an explicit user confirmation. This stops malicious or compromised sites from quietly dropping malware onto the machine without the employee's knowledge or intent. One caveat: a download block does not stop a browser exploit that runs code without ever writing a file the user has to open, so keep browsers and their plugins patched as well.

2. Isolate Emails from Customers

Phishing is when a hacker sends a targeted email that tricks an employee into opening a malicious attachment, following a malicious link, or handing over credentials. Sometimes the hacker pretends to be a friend or coworker. But the easiest approach for hackers who don't want to borrow a real identity is to target customer service staff. Pretending to be a customer, they send links or attachments in the hope of spreading their malware. This works precisely because customer service representatives don't know they're dealing with a fake client, and diligently do their best to be helpful. When it works, the result is a malware infection or stolen credentials.

The answer? Know your customers! This isn’t just good marketing and customer relations advice, it’s also important for today’s cybersecurity concerns. Make sure every single paying customer has a CRM entry and try to ensure that every way of contacting your company pre-sorts customers into their CRM identities. If you don’t have a great CRM yet, Microsoft Dynamics CRM, SalesForce, and HubSpot are all excellent options.

Once defenses are in place to catch most attacks, train your customer service, marketing, and sales representatives to always confirm that they are speaking to a real customer who is in the system. If the contact isn't in the system but claims to be a customer, follow your scam-handling procedure rather than the request. It is also worth using Microsoft's Attack Simulator (part of Office 365 Advanced Threat Protection), which lets you send fake phishing emails to your own staff and reward those who either don't click or actively report the attempt.

3. Never Open Email Attachments

Speaking of phishing, email attachments are one of the most popular ways for hackers to get malware onto a network directly. All they need is for their attachment to be opened on a workstation inside your network, and the rest takes care of itself. To that end, employees should be trained never to open an email attachment, and never to send one either, since coworkers won't be able to open it. Make this a universal policy, publish it in your FAQ, and ensure that real customers know the policy too.

Everyone in the company should be wary of phishing because anyone could theoretically make this mistake. So email attachments need to be on a company-wide ban. This policy also helps customer service representatives who are the most targeted group. If all real customers and the representatives know that email attachments are off the table, an attachment suddenly becomes a point of suspicion.

While Outlook and Exchange can block attachments outright, there is an even better option. Office 365 Advanced Threat Protection includes Safe Links and Safe Attachments, which scan the links and attachments in incoming email so that employees are warned which assets are dangerous. Its Dynamic Delivery feature delivers the message body immediately with a placeholder in place of the attachment, so users can read and reply to the email while the attachment is still being detonated in a sandbox, and malicious links are blocked at click time rather than only at delivery time.

4. Recognize Customer Service Scams

On an interesting note, old skills your customer service teams have already honed are equally useful in fighting hackers. Even without phishing and malware, customer service reps are constantly having to detect and repel scammers. They deal with people who claim they have a defective product (but won’t send it back). And they respond to claims that a rep was rude to them, then demand discounts. There are actually a large number of scam types that customer service representatives have to deal with on a regular basis. This scam-detection ability is incredibly useful when dealing with social engineering hackers as well.

Consider asking your customer service team leads to help train the rest of the employees on how to detect a scammer. That’s often the role social engineering hackers take. Point out clues like:

  • Unreasonable belligerence when the contact refuses to compromise (ex: insists you absolutely must open their email attachment);
  • Unusual emotional upset; or
  • Immediate, harsh appeals to authority.

5. Watch for Emails from Non-Contacts

When hackers aren’t pretending to be unknown customers, one of the primary approaches to phishing is impersonation through a lookalike address (often loosely called email spoofing). The hacker targets an employee, picks someone that employee trusts such as a coworker, friend, or family member, and registers an address that is only one or two characters off, so it looks almost exactly the same. Hackers usually make the change in the domain name, where it is least likely to be noticed and where they can actually receive replies. (Outright forgery of a real domain's From: address is a separate problem, addressed by SPF, DKIM, and DMARC on the domain owner's side.)

Ex: DaveGH@davesdomain.com is spoofed as DaveGH@davesdoman.com

Can you see the difference? Most people won’t catch this minor change.

It is difficult to train people to inspect every email address character by character. But modern contact lists give them an easy check: is this sender already in my contacts? If the email is not from a contact, but the sender should be, treat it as a likely scam attempt. The check has one blind spot: a genuinely compromised account belonging to a real contact passes it, which is why it belongs alongside the double-confirm rule below rather than in place of it.
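The contact-list check above is easy to automate at the mail gateway or in a triage script. The following is an added example, not code from the original post, showing one way to classify inbound senders: exact match against the contact list, same domain as a contact, a lookalike domain within a small edit distance (the davesdomain.com vs davesdoman.com case, plus digit-for-letter and non-ASCII substitutions), or an unknown sender. It goes slightly beyond the post by also flagging a known display name attached to a foreign address, which is the other common impersonation trick. The contact list, the sample messages and every helper name here (CONTACTS, classify_sender, triage) are constructed for illustration.

```python
"""Flag inbound senders that are not in the contact list but look like someone who is.

Added example for the article; not Agile IT's code. The contact list and the
sample messages below are constructed, and all names are assumptions.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed contact list: address -> display name the employee knows.
CONTACTS = {
    "davegh@davesdomain.com": "Dave GH",
    "accounts@bigclient.example": "BigClient Accounts",
    "sam.lee@ourcompany.example": "Sam Lee",
}

# ASCII look-alike substitutions attackers use inside domain names.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Constructed raw messages, as they would arrive at the mail gateway.
SAMPLE_MESSAGES = [
    "From: Dave GH <DaveGH@davesdomain.com>\nSubject: lunch\n\nSee you at noon.",
    "From: Dave GH <DaveGH@davesdoman.com>\nSubject: invoice\n\nPlease open the attached file.",
    "From: Sam Lee <sam.lee@0urcompany.example>\nSubject: urgent\n\nWire this today.",
    "From: Sam Lee <samlee.ceo@webmail.example>\nSubject: gift cards\n\nAre you at your desk?",
    "From: Newsletter <news@randomshop.example>\nSubject: deals\n\nWeekly deals inside.",
]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalize_domain(domain):
    """Lowercase, drop non-ASCII (a Cyrillic 'a' becomes a one-char gap that still
    lands within the edit threshold) and collapse common ASCII homoglyphs."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def classify_sender(from_header, contacts=CONTACTS, max_distance=2):
    """Return 'known', 'known_domain', 'lookalike' or 'unknown' for a From: header."""
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in contacts:
        return "known"
    domain = addr.rpartition("@")[2]
    contact_domains = {c.rpartition("@")[2] for c in contacts}
    if domain in contact_domains:
        return "known_domain"          # new colleague at a domain we already trust
    norm = normalize_domain(domain)
    for c_addr, c_name in contacts.items():
        if levenshtein(norm, normalize_domain(c_addr.rpartition("@")[2])) <= max_distance:
            return "lookalike"         # davesdomain.com -> davesdoman.com, 0urcompany, etc.
        if display_name.strip().lower() == c_name.lower():
            return "lookalike"         # trusted name, untrusted address
    return "unknown"


def triage(raw_messages, contacts=CONTACTS):
    """Parse each raw message and return (sender address, verdict) pairs."""
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        _, addr = parseaddr(msg.get("From", ""))
        results.append((addr, classify_sender(msg.get("From", ""), contacts)))
    return results


if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:13} {addr}")
```

The edit-distance threshold is the knob to tune: 2 is reasonable for domains of ten or more characters, but short domains will collide with each other, so lower it or compare the registrable part only if your contact list contains many short domains. A "lookalike" verdict should quarantine or tag the message for the double-confirm step, not silently delete it.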

6. Always Double-Confirm

Another common attack is a variation of phishing known as whaling. Here the hacker borrows the identity of a boss or another executive, someone whose instructions will be obeyed immediately in the company structure.

Whaling usually involves a loftier goal than simply spreading malware. When a hacker whales, they are trying to send an irrefutable message. They might pretend to be an exec and ask an employee in finance to transfer money for a special project or to correct a pretend mistake. They might ask another exec to reply to the email by sending over a client’s private documents.

The way to prevent your staff from immediately helping a whaling hacker is a double-confirm policy. This encourages, or better requires, everyone in the company to use a second channel of communication in the face of an unusual or risky request. The second channel must not come from the suspicious message itself: use the phone number or chat handle you already have for that person, never one supplied in the email, since the hacker controls those. If you get an unexpected request in email form:

  • Pick up the phone and call the number in the company directory;
  • Contact the apparent sender through the company chat program; or
  • Walk over to their desk for a quick confirm.

7. Use a Cloud Document Sharing System

You might be wondering how a company can run on digital documents if you can’t share email attachments or download files from websites. The answer is a cloud-based document sharing system set up with categorized employee permissions. For customer service, customers upload the documents they need to share to the system, and representatives read them there without downloading anything. The same approach works for inter-office documents and for remote and field workers connecting from another location. Uploaded files should still be scanned before anyone opens them; Office 365 ATP's Safe Attachments coverage extends to SharePoint, OneDrive, and Teams for exactly this reason. Microsoft offers a combination of SharePoint, OneDrive, and Azure Information Protection, which is included in Microsoft EM+S, for this purpose.

8. Audit Permissions Every Month

As our final tip to prevent employee error security breaches, never let your access permissions go stale. Whether we’re talking about financial documents, customer account information, or access to ongoing project development, employees should have access based on explicit allow-list permissions tied to their current role, and nothing beyond what that role needs.

However, when an employee changes roles or someone leaves the company, they often keep their old permissions. If overlooked, that access persists indefinitely. It leaves current employees with access to documents and projects they shouldn’t see, and it can leave the company exposed to retaliation from former employees who still have access to team documents. Always update permissions when an employee changes positions, and audit all permissions monthly, comparing what each account actually holds against what the HR roster says that person should hold, to make sure no one is sitting on legacy permissions they shouldn’t have or lacking permissions they need.
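A monthly audit is only useful if it is a real comparison rather than a scroll through the ACLs. The following is an added example, not code from the original post, of the comparison itself: live grants (exported from a file share, CRM, or repository) are checked against an HR roster and a role-to-entitlement matrix, and sorted into four findings: grants held by leavers, grants held by accounts with no roster entry at all, excess grants left over from a previous role, and entitlements an active employee's role needs but they lack. The roster, role matrix, grant list and every name here (ROLE_MATRIX, ROSTER, LIVE_GRANTS, audit) are constructed for illustration.

```python
"""Monthly permission audit: compare live grants with the HR roster and role matrix.

Added example for the article; not Agile IT's code. All data below is
constructed sample data and every identifier is an assumption.
"""
from collections import namedtuple

Grant = namedtuple("Grant", "principal resource role")

# Allow-list: what each job role is supposed to hold. Constructed.
ROLE_MATRIX = {
    "finance-analyst": {("finance-share", "read"), ("finance-share", "write")},
    "support-rep":     {("crm", "read"), ("customer-docs", "read")},
    "developer":       {("project-alpha", "write")},
}

# HR roster: who is still employed and what role they hold now. Constructed.
ROSTER = {
    "alice": {"active": True,  "role": "finance-analyst"},
    "bob":   {"active": True,  "role": "developer"},        # moved from support to dev
    "carol": {"active": False, "role": "finance-analyst"},  # left the company last month
}

# Live grants as exported from the systems being audited. Constructed.
LIVE_GRANTS = [
    Grant("alice",      "finance-share", "read"),     # missing the write she needs
    Grant("bob",        "project-alpha", "write"),
    Grant("bob",        "crm",           "read"),     # legacy grant from his old role
    Grant("carol",      "finance-share", "write"),    # leaver still has access
    Grant("svc-backup", "finance-share", "read"),     # no roster entry at all
]


def audit(grants, roster, role_matrix):
    """Return {'leaver': [...], 'orphan': [...], 'excess': [...], 'missing': [...]}.

    leaver  - grants held by a principal the roster marks inactive
    orphan  - grants held by a principal the roster does not know (service accounts
              and forgotten test users end up here; review them by hand)
    excess  - grants an active employee holds beyond their current role
    missing - entitlements an active employee's role requires but they lack
    """
    findings = {"leaver": [], "orphan": [], "excess": [], "missing": []}
    held_by = {}
    for g in grants:
        held_by.setdefault(g.principal, set()).add((g.resource, g.role))

    for principal, held in held_by.items():
        person = roster.get(principal)
        if person is None:
            findings["orphan"].extend(Grant(principal, r, a) for r, a in sorted(held))
        elif not person["active"]:
            findings["leaver"].extend(Grant(principal, r, a) for r, a in sorted(held))
        else:
            expected = role_matrix.get(person["role"], set())
            findings["excess"].extend(Grant(principal, r, a) for r, a in sorted(held - expected))

    for principal, person in roster.items():
        if not person["active"]:
            continue
        expected = role_matrix.get(person["role"], set())
        held = held_by.get(principal, set())
        findings["missing"].extend(Grant(principal, r, a) for r, a in sorted(expected - held))
    return findings


def report(findings):
    """Render findings as one line per grant, most urgent category first."""
    lines = []
    for category in ("leaver", "orphan", "excess", "missing"):
        for g in findings[category]:
            lines.append(f"{category:8} {g.principal:12} {g.role:6} on {g.resource}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit(LIVE_GRANTS, ROSTER, ROLE_MATRIX))))
```

Leaver and orphan findings are removals to action the same day; excess grants are the "legacy permissions" the tip warns about and should be revoked after a quick check with the manager; missing grants are the productivity half of the audit. Feeding the script from a scheduled export of your actual ACLs and your HR system turns the monthly audit from a chore into a diff.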

Human error security breaches are almost always the result of a mistake, oversight, or someone falling for hacker social engineering. To prevent employee error security breaches, you need to have a solid combination of training, security policies, and excellent IT support in place. Agile IT can help you with all of these things, including regular audits, reports, and incident response for your business. If you’d like more business security tips or to consult with security experts with the safety of your data and network in mind, contact us today!
