Cybersecurity Threats Target Your Employees: What are the Human Costs?
Much has been said about how employees can often be an organization’s most significant point of vulnerability when it comes to cybersecurity threats. A 2017 study found that 84% of respondents attributed the success of cyberattacks against their company, at least in part, to human error.
However, the risk to an organization isn’t just an employee falling for phishing emails or business email compromise (BEC) attacks and consequently providing an opening for a malicious actor to access protected networks. When an employee’s personal devices are hacked, it can have harmful effects on the company they work for:
- Stress and effort in dealing with a hack or identity theft will be a distraction from their job and can negatively impact morale.
- Passwords that they use on personal devices and at work may find their way onto the dark web, providing a point of entry into your system.
- In the worst-case scenario, a compromised employee may be blackmailed into committing industrial espionage.
However, a cybersecurity professional who sees an organization’s employees solely as a point of weakness against network security threats and cyberattacks is missing a large part of the broader picture – the human cost.
An employee stressed after being the victim of cybercrime may be a liability to the organization, it’s true, but as an employer, you need to be aware that their stress matters on a personal, ethical level, as well. Your valued employees are precisely that – valued – and the resources an organization can bring to bear are often significantly more powerful than what any individual employee can access.
Knowing what you, as an employer, can do to help an employee who has been hacked isn’t just ethically sound; it’s also good business.
Teach Employees How to Recognize Basic Scams and BEC Attacks
Training your employees to recognize the most common sorts of attacks cybercriminals use – like phishing, spear phishing, clone phishing, and more – will serve them well, both in the office and at home. Teaching workers how to recognize scams and suspicious links needs to be part of every security training program.
After all, your business’ firewall and email filter may catch malware, but phishing emails often slip through. And what about a message sent to your employee’s personal email account? Those emails are often opened on company machines, and attackers may target employees at home instead of at work because they expect a personal email account to have less protection. In other words, more malicious messages will make it into the inbox of a personal email account, increasing the attackers’ odds of getting in.
Knowledge is the best way to fend off cybersecurity threats.
Be a Resource – and Have Them Available
You, as an employer, are certainly not responsible for what your employees do outside of work. However, your organization should have the information that an employee can use to make their IT security life a little easier.
This can include having access to, or insights on, tools like password managers, which employees can grow comfortable using both at work and in their personal lives. Being a resource can also involve having knowledge of things like Dark Web monitoring services, where employees can check to see if their stolen passwords are for sale, as well as tools and services that specialize in helping victims of identity theft.
You don’t need to offer these things yourself as an organization. In fact, depending on your size, you may not have the resources to be able to provide these specialized services. Still, it’s never a bad idea to know how to point your employee in the right direction so they can start helping themselves.
When Threats Target Employees
Remember: When an employee is dealing with a breach of their personal information, they may not be thinking clearly or keeping a cool head due to worry, guilt, and frustration. Having a “what to do if you get hacked” plan that you can point your employee to can be a tremendous help in quickly getting their issue resolved. For example, it could include changing passwords, deleting sensitive or confidential information from the hacked account, de-authorizing social media accounts, and simply telling their friends.
One of the largest sources of stress is bound to be uncertainty, after all. Having a plan doesn’t completely solve their problem, but it may well help them focus on actionable steps rather than getting lost in their quite understandable worry.
Foster a Security Culture in Your Organization
You should already be trying to promote a security culture in your organization, because it helps keep your business’ sensitive data secure. The healthiest companies in the realm of cyberattack prevention are the ones that understand that cybersecurity is everyone’s job.
This means that you should develop and encourage an environment where people are open about cybersecurity – and they aren’t afraid to ask questions out of worry that they’ll face punishment or ridicule.
If your employees are too worried to ask about the weird popup they saw on their PC this morning or to mention that they fear the eCommerce site they just put their credit card information in was a little shady, then this could very well come back to bite them – and you.
Consider Solutions to Protect Your Business from Follow-up Cybersecurity Threats
The threat may have started as one aimed at your employee, but that doesn’t mean that it will necessarily stop there. Your employees are human and make mistakes, and even if they are well trained and being careful, they may relax their vigilance after work, once they’re no longer in the office. And between things like remote cloud-based work and the mainstreaming of Bring Your Own Device (BYOD) policies, it is increasingly common for work-related content to be on personal devices.
If your employee’s home PC or notebook gets compromised, what information might exist on it – email addresses, reused passwords, open cloud solutions – that could allow a malicious actor to access your business’ network? If an employee’s personal data and systems are compromised, their business credentials may not be too far behind.
With all the stress that a hack is already placing on your employee, a comprehensive cybersecurity solution can alleviate their fears that their personal breach may affect their colleagues or their employer. A machine learning solution that specializes in insider threats, for example, can detect suspicious activity, even when that activity is coming from an account that appears to have proper credentials.
Your employee has enough to worry about with their own hack. InfoSec having their back to mitigate any follow-up network security threats takes a burden off their shoulders.
Whether you’re protecting your business or your valued employee, it helps to get an expert opinion. Contact Lastline today to learn how to shore up your cybersecurity response.
Brian Laing