It is often said that the human factor is the weakest link in corporate cybersecurity. This certainly explains why phishing is one of the most frequent attacks. Faced with the massive use of telework during the health crisis, companies’ exposure to risks has increased. Beyond the day-to-day management of the infrastructure, IT teams must also address certain risky behaviors of employees, which sometimes turns out to be a real headache in terms of security.
No two employees are the same
In today’s environment, to keep the business secure, IT managers need to know where the potential risks lie and be able to contain them by taking concrete action.
To do this, it is important that they take into account the attitude of employees towards cybersecurity. And here, behaviors sometimes differ radically from one person to another. The British independent expert in cyber-psychology Dr Linda K. Kaye distinguishes four main profiles of employees within organizations: the stressed, the good students, the naive and the reckless. Identifying them and understanding how they behave allows IT teams to define a targeted and more effective approach to training and awareness.
The good news, however: it seems that working in isolation from colleagues and line managers promotes real awareness of security issues. How does this translate in practice?
In particular, employees have realized the importance of using company-authorized platforms to send files and are aware that using a non-professional application puts their company's security at risk. In the current context, what matters is carefully following the instructions of the IT department, which employees seem more inclined to apply. This is certainly a way for them to acknowledge that they have their share of responsibility for the security of the company.
However, security is also a matter of common sense. Clicking on suspicious e-mails is a significant risk, and the most enticing ones are almost certainly fraudulent. This golden rule applies both in the private sphere and, even more so, in the professional context.
Still a long way to go
Despite this, a large number of bad security practices remain rooted in the habits of employees working from home. Repeated, they can expose companies to serious risks: data theft, system intrusion, hacking, production line shutdown, etc. Some of these bad practices include:
WiFi connection and remote work:
By choosing to connect to public WiFi without using the company's VPN, the employee runs the risk of having both their passwords and their browsing history stolen. This is a careless attitude, all the more so when the employee works on sensitive documents in full public view without using a privacy filter on their screen.
Exposure of business PCs to online threats:
A large majority of employees (80%) admit to using their work PC for personal purposes. Even if only on rare occasions while travelling, such activity represents a potential gateway for malware from torrent sites, unapproved app stores, or adult content sites.
Personal devices used to access professional data:
Employees often use potentially less well-protected personal devices to access the company system.
Shadow IT and non-professional applications:
Many people download corporate data to non-professional applications. While these may be legitimate applications, the fact that they are not authorized by the IT department compounds the visibility and control challenges associated with shadow IT.
Fortunately, even in the context of telecommuting, companies can take steps to mitigate the risky behavior of their employees.
Security managers must both define strict policies on the acceptable use of IT (BYOD, access management, risk assessment based on the sensitivity or criticality of data) and raise awareness in order to better manage the issues related to teleworking. This involves training in security best practices, including how to detect phishing attacks, through hands-on exercises and simulations that ultimately bring about behavioral change.
In the current pandemic, the home office is set to become the norm for some time. As the initial rush to implement teleworking facilities has subsided, it is now time to seriously plan measures to mitigate the risks highlighted by this new context.
This also means that companies must take advantage of this forced reorganization to audit the security level of their infrastructure (servers, means of access, shared spaces, software used, employee workstations), while running security awareness campaigns to empower employees. These are two axes along which the company will strengthen its protection against any attempted cyber attack!