Risky Business: Three employee behaviors that expose businesses to cyberthreats

A Google-Harris poll found that 52 percent of respondents use the same passwords across multiple accounts. Today’s columnist, Chris Hallenbeck of Tanium, warns that security teams have to focus more on the human element to prevent breaches. (Credit: CC BY 2.0)

An estimated 75 million U.S. employees shifted to work-from-home (WFH) at the onset of COVID-19, creating the largest employment shift – as well as one of the most disruptive periods – that businesses have ever faced. This was especially true for security teams, which had to transition almost overnight from a centralized model to a vastly distributed environment, including a surge of unsecured endpoints, VPN bottlenecks and new vulnerabilities that malicious actors can exploit.

One of those vulnerabilities? Employees. While spearphishing attacks have become increasingly common, they spiked in the first quarter of 2020, playing on fears around the pandemic to get employees to click malicious links or open attachments. But it’s not just the actions of malicious actors putting organizations in harm's way. Studies have found that employees themselves are engaging in risky online behavior while they’re working from home, often on devices that can access organizational resources. Here are three employee behaviors that undermine security efforts and put valuable corporate data at risk:

  • Risky web browsing.

As enterprises look for ways to improve security, they find that employees may undermine their efforts by unwittingly clicking a link. In the COVID era, with employees at home, it’s much more tempting than ever to mix work devices with personal browsing – and what employees do with their personal browsing may well increase the risks for their employers.

According to research from Netskope, between March and June 2020, the number of employees accessing online pornography on their work laptops rose by a triple-digit percentage. This suggests employees have lowered their guard and operate with an off-hours mindset even when they are working, which makes keeping systems updated and hardened all the more important.

Then there’s social media. Sites such as Twitter and Facebook are often rife with disinformation linking to questionable websites – a problem that exploded in the early months of 2020 as attackers sought to take advantage of the chaos of the emerging pandemic. According to Google, the number of phishing sites increased by 350 percent in the first half of the year. At the same time, social media usage was exploding as people around the world were confined to their homes and isolated from friends and relatives. Social media has become problematic because it encourages rapid consumption and sharing, often without critical thought as to the origin or authenticity of the information. Casually flipping back and forth between work and social media could make it easier for employees to fall prey to phishing.

  • Bad password practices.

Despite repeated warnings about good password practices, employees still don’t practice good password hygiene. A 2019 Google-Harris poll found that 52 percent of respondents use the same passwords across multiple accounts, and 13 percent use the same password for all their accounts – including work accounts. If credentials are stolen from just one account, a malicious actor could use those same details to breach company-related accounts, posing a serious risk to an organization’s sensitive data.

While many organizations have made great strides in how they implement and enforce secure password policies and best practices, this enforcement only extends to company devices and resources. Just as organizations are grappling with employees accessing and downloading potentially malicious content on corporate devices, in the WFH era they also grapple with employees using personal devices with questionable protection to access company resources.

Policy enforcement alone does not cut it. In the WFH era, organizations also need to double down on employee education and implement multi-factor authentication. As recent ransomware campaigns have shown, attackers often gain initial access through poorly protected accounts. Companies should also encourage employees to use Universal 2nd Factor (U2F) devices to protect their personal accounts.

  • Problematic clicking.

The Verizon Business 2020 Data Breach Investigations Report found that social attacks and credential theft account for more than 67 percent of security breaches. The confusion in the early months of the pandemic created fertile ground for phishing scammers. BEC scams are also on the rise. The FBI's Internet Crime Report estimates that malicious actors used BEC scams to take in at least $1.77 billion from unsuspecting victims in 2019 alone. This problem will not go away. According to research conducted by Tanium, 90 percent of chief executives and VPs saw an increase in the number of cyber attacks between March and June. Phishing and BEC scams were two of the top three most common attacks to increase during this period, with respondents reporting a 37 percent increase in BEC/transaction fraud, and a 35 percent increase in phishing activity.

For organizations with large remote workforces, educating employees about how to spot these types of attacks remains critical. As we’ve seen during the pandemic, attackers will take advantage of general fear to increase the efficacy of social engineering. Equipping employees with the skills to spot manipulative content, as well as best practices around how to verify requests or senders, can help prevent a major security disaster.

With so many people at home, organizations need to realize that employees are often tempted to do casual web browsing on company and personal devices that are ultimately connected to corporate networks. They may not understand the risk of phishing and BEC, especially if they have not encountered any problems previously. And they may not realize the many risks associated with video conferencing. On the plus side, by implementing the proper policies and procedures, organizations can minimize these risks and decrease their exposure to cyberthreats.

Chris Hallenbeck, CISO of the Americas, Tanium


Chris Hallenbeck is CISO for the Americas at Tanium. Chris provides security leadership and operational insight gained from over 20 years in both the public and private sectors. Chris came to Tanium after almost 7 years of government service at the U.S. Computer Emergency Readiness Team (US-CERT). At US-CERT he designed and built their incident response capabilities, and restructured the team’s focus toward strategic remediation with the goal of building more resilient organizations. Chris believes that breaking the incident response “Groundhog Day” cycle requires an emphasis on IT hygiene. Prior to joining US-CERT, Chris worked for RSA Security as a security engineer and with AOL/Time Warner on their global incident response team. He started his career as a Unix sysadmin at Binghamton University. When not chasing electrons he prefers to be 20-30 meters under the sea.
