The weakest link: employees, not technology, are the cause of most hacks

When most people think of cyberattacks, they think of some hacker sitting in a dark room, probing a company’s network for ways to break in.  While that still happens, more and more often cyberattacks are the result of some action by a company employee.  In its 2016 Data Breach Investigations Report, Verizon found that more than half of all data breaches occur as the result of inadvertent action by an employee.   This means that employees are doing something, or failing to do something, that results in a successful hack, usually because they don’t know better.

What are some of the ways that hackers get into a company’s system through employees?  Here are just a few:

  • Ransomware: the fastest-growing cause of breaches, ransomware is a malicious software that infects a computer or network. Most often, an employee receives a “phishing” email, either from an unknown or apparently familiar source, with an attachment.  If the recipient opens the attachment, the malicious software (often called “malware”) infects the computer.  The malware may steal data, or shut down the network, or do other bad things.
  • Poor password control: the most commonly used passwords are “password,” “123456,” and “12345.”  Once a hacker knows a company’s email address format, accounts protected by passwords like these are easy to break into using automated password-guessing software.
  • Downloading unauthorized software: popups that tell the user their computer is already infected are often scams that lead to malware, and even legitimate software may have weaknesses that hackers can exploit.
  • Unknown devices: flash drives that an employee “picked up somewhere” may have malicious code loaded on them.

These are just a few of the ways an employee can allow a hacker into your company’s system.  Cybersecurity experts, including attorneys, stress that employee training is a critical part of improved cybersecurity, reducing the risk of a breach or hack and lowering your company’s liability if there is one.  Below are some areas in which all of your employees should be trained to improve cybersecurity:

  • Good password practices: employees should use “strong” passwords, either a longer combination of upper and lower case letters, numbers and symbols, or a phrase they will remember (such as “Ilovemintpistachioicecream!”).  These are much harder to crack.  Also, force employees to change their passwords periodically, and not just by adding a digit each time. Tell employees not to share their password with anyone else, no matter who is doing the asking.
  • Ransomware and malware: if an employee receives an email that looks suspicious or unfamiliar, he or she should delete it.  If it has an attachment (a so-called invoice, or report, or spreadsheet), the employee should never open it, and just delete the email.
  • “Spear-phishing”: the employee receives an email that appears to be from someone inside the company, especially a higher-level executive, asking for something unusual, such as all of the employee W-2 forms, or to wire money to some unknown party. The employee should pick up the phone or send a new, separate email to the supposed sender, to confirm the request.  Don’t just reply to that email.
  • Unknown software and hardware: don’t allow employees to download software without prior permission from whoever manages the company’s IT system. The IT folks can look at the software and determine if it is safe and the best way to download it. Likewise, never use a flash drive or external hard drive from an unknown source, as you do not know if it contains a virus or malware.
  • Mobile devices: most people have smartphones today, but these devices are often more vulnerable than laptops to cyberattacks. Using the public wi-fi network at Starbucks or Barnes & Noble is not secure. Train employees not to use smartphones to gain access to your company’s network or data, unless they have a virtual private network, or VPN, app installed.  And if you expect employees to access company networks remotely using their own phone, provide them with a VPN application and pay for it. Company-issued laptops and phones should have a VPN installed.
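The password practices above (reject the commonly used passwords the article names, require either a mixed-character password or a long memorable phrase, and refuse a “rotation” that only bumps a trailing digit) can be enforced at password-change time rather than left to training alone. The checker below is an added example written for this post, not code from the article or its author; the 12- and 20-character thresholds are assumptions, since the article says only “longer.”

```python
import re
from typing import List, Optional

# The three passwords the article names as the most commonly used. A real
# deployment would load a large breached-password list here instead.
COMMON_PASSWORDS = {"password", "123456", "12345"}

# Thresholds are assumptions for this example; the article only says "longer".
MIN_LENGTH = 12             # minimum for a mixed-character password
MIN_PASSPHRASE_LENGTH = 20  # a long memorable phrase may skip the class rule

# Trailing digits/symbols people bump each rotation ("Summer2016" -> "Summer2017").
_ROTATION_SUFFIX = re.compile(r"[0-9!@#$%^&*?.]+$")


def _char_classes(pw: str) -> int:
    """Count how many of lower / upper / digit / symbol appear in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def is_trivial_rotation(old: str, new: str) -> bool:
    """True if the new password is the old one with only a trailing suffix changed."""
    core_old = _ROTATION_SUFFIX.sub("", old).lower()
    core_new = _ROTATION_SUFFIX.sub("", new).lower()
    return core_old != "" and core_old == core_new


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if new.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(new) < MIN_PASSPHRASE_LENGTH and _char_classes(new) < 3:
        problems.append("needs upper, lower, digits and symbols, or a longer passphrase")
    if old is not None and is_trivial_rotation(old, new):
        problems.append("same as the previous password apart from a trailing number or symbol")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the article's own passphrase example.
    for old, new in [(None, "password"), ("Summer2016", "Summer2017"),
                     (None, "Ilovemintpistachioicecream!")]:
        print(f"{new!r}: {check_password(new, old) or 'accepted'}")
```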

There are many other areas in which you should train both new and current employees. It is also important to repeat training periodically, both to reinforce best practices and address new threats that hackers have devised since the last training. As you can see, this training need not be expensive or time-consuming. Training your employees to be “cyber-aware” will greatly reduce the risks of a cyberattack, and should be part of a comprehensive cybersecurity plan and policy. Call Spitz Legal Counsel at 720-575-0440 or email at mark@spitzlegalcounsel.com if you have more questions.