
Most Vulnerable Positions in the Workplace from a Security Awareness Perspective

July 7, 2017 by Aroosa Ashraf

Information security is the practice of preventing any unauthorized inspection, use, modification, disclosure, access, destruction, disruption, or recording of information, regardless of the form that information takes.

There Are Two Major Attributes That Need to Be Considered:

Cyber-attackers are getting faster and more capable with every passing day, and the tools they use to carry out their attacks keep improving.

Organizations, on the other hand, are struggling to cope with and counter such attacks, and end up overloaded with urgent security tasks.

Cybercrime has become the second most reported economic crime, affecting more than 32% of organizations globally. Attacks delivered over the Internet are no longer a concern for the future; they are today's reality, and they are often very difficult to trace.

There are five key areas that organizations should address with a holistic approach in order to ensure information security. Interestingly, the network itself is not the greatest concern. Networks are of course vulnerable, but other areas often need more of your attention; in fact, it is weaknesses in these other areas that expose the network and lead to compromised information. It is important to understand the threat and determine the resources needed to mitigate the risk and safeguard your organization.

Data breaches are increasing day by day, causing huge losses to businesses and making it critical that every company, large or small, understands the importance of information security.

According to research from IBM, the average cost of an information security breach is around $3.8 million, and 77% of businesses reported a data breach within a single year. Global estimates of total losses to cybercrime exceed $1T. Most alarming of all, a staggering 63% of organizations do not have a mature system even to track their sensitive information.

Organizations equipped with the proper security tools and knowledge can secure their vulnerable areas and so minimize the risk of a data breach. The major areas to look into are:

The Employees

An organization's employees are its most important risk factor (more so than external hackers), since insider attacks are among the top threats. Employees already have access to the organization's resources and sensitive information, which makes it incredibly easy for them to tamper with it.

FBI guidelines on dealing with the insider threat, presented at the Black Hat conference a few years ago, state that organizations are at risk of having data stolen (both physical documents and devices loaded with data) by unhappy employees. To minimize the risk of such insider attacks, make sure that every user account's access rights are kept in step with the employee's current employment status.

After being dismissed or having a contract terminated, an employee should have no access to the organization's systems. Ideally, access is removed before termination, or literally within minutes of it. A good approach is to build removal of IT system access into the termination process itself, so that access ends in real time. Even a one-day delay in removing a terminated and unhappy employee's access may result in significant losses to the organization. If an organization has not reviewed its user accounts recently, it should do so immediately and delete those belonging to people who are no longer part of the organization.

Organizations must have a monthly, or better still weekly, review process to find rogue or suspicious accounts, followed by a system to monitor those accounts for any suspicious activity.

At the same time, accounts should be protected with two-step verification and strong passwords.

It is also good to have a system to track physical assets (hard copies of important documents) if the company uses them, and devices and computers must be turned in when an employee leaves the organization. Uninformed and careless employees pose a further risk when they use easily guessable passwords for sensitive accounts or forget to log out of accounts when leaving a device.
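As an added example that is not part of the article, the following Python script shows one way to carry out the account review and offboarding steps described above: it compares an export of enabled accounts against the HR roster of current employees, flags orphaned, unowned, never-used and stale accounts, and disables a leaver's accounts as a single offboarding step that a termination workflow can call. The roster, the account export, the review date and the 60-day staleness threshold are constructed assumptions; a real deployment would read them from the HR system and the directory.

```python
from datetime import date, timedelta

# Constructed HR roster: login names of people currently employed.
HR_ACTIVE = {"alice", "bob", "carol"}

# Constructed export from the identity system. "kind" records who owns the
# account: a named employee, a service, or nobody on record ("unknown").
ACCOUNTS = [
    {"user": "alice",      "enabled": True, "kind": "employee", "last_login": date(2017, 7, 5)},
    {"user": "bob",        "enabled": True, "kind": "employee", "last_login": date(2017, 4, 1)},
    {"user": "carol",      "enabled": True, "kind": "employee", "last_login": date(2017, 7, 6)},
    {"user": "dave",       "enabled": True, "kind": "employee", "last_login": date(2017, 6, 30)},
    {"user": "svc-backup", "enabled": True, "kind": "service",  "last_login": None},
    {"user": "tmp-admin2", "enabled": True, "kind": "unknown",  "last_login": date(2017, 7, 1)},
]

# Assumed policy: an account nobody has used for this long gets reviewed.
STALE_AFTER = timedelta(days=60)
# Constructed date on which the review is run.
REVIEW_DATE = date(2017, 7, 7)


def review_accounts(accounts, hr_active, today, stale_after=STALE_AFTER):
    """Return (user, finding) pairs for enabled accounts that need action.

    Orphaned accounts (owner no longer in HR) are the immediate-disable case;
    rogue accounts (no owner on record) come next; never-used and stale
    accounts are lower-priority items for the periodic review.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to do
        user = acct["user"]
        if acct["kind"] == "employee" and user not in hr_active:
            findings.append((user, "orphaned"))
        elif acct["kind"] == "unknown":
            findings.append((user, "rogue"))
        elif acct["last_login"] is None:
            findings.append((user, "never-used"))
        elif today - acct["last_login"] > stale_after:
            findings.append((user, "stale"))
    return findings


def offboard(accounts, user):
    """Disable every enabled account of a leaver; returns how many were disabled.

    Meant to be called from the termination workflow itself so that access
    ends at the moment the contract does, not at the next scheduled review.
    """
    disabled = 0
    for acct in accounts:
        if acct["user"] == user and acct["enabled"]:
            acct["enabled"] = False
            disabled += 1
    return disabled


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, HR_ACTIVE, REVIEW_DATE):
        print(f"{user:12} {finding}")
    # Dave has left: offboarding removes his access and clears the finding.
    offboard(ACCOUNTS, "dave")
    print(review_accounts(ACCOUNTS, HR_ACTIVE, REVIEW_DATE))
```

Run as a script, the review lists bob (no login in 97 days), dave (no longer in HR), svc-backup (never used) and tmp-admin2 (no recorded owner); after `offboard` runs for dave, his account drops out of the findings. The ordering of the checks matters: an employee who has left is reported as orphaned even if the account was used yesterday, because recent activity on a leaver's account is the case the article warns about.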

Even small errors, such as sending a document to the wrong recipient, may be extremely detrimental to the organization. Such risk can be reduced by making sure that all employees are thoroughly trained in security measures, which can be achieved by incorporating strong policies and security training into mandatory annual training. Examples of such policies are changing passwords regularly (with a specific time frame) and web filtering that restricts the types of websites employees can reach from work computers, reducing the risk of downloading malware.

Installing a good firewall with intrusion detection and prevention has become an absolute necessity for every organization. For smaller organizations, there are inexpensive solutions that have most of the required features.

Insecure Mobile Devices

To maintain a high level of security, there should be some control over unsecured mobile devices. It is very difficult to maintain a secure environment if employees keep using personal devices for official work (such as reading work e-mail on an unsecured personal phone). If the organization has no bring your own device (BYOD) policy at all, the situation is even worse. Even with an effective BYOD policy, employees will still use their own devices for work; this is almost inevitable for every organization.

Organizations have less security control once employees start using their own devices for work: employees can set passwords and download applications as they wish. Moreover, it is impossible to know who is actually using the device, as family members and even close friends of the employee may have access to it.

Most organizations have to allow BYOD at the workplace, since it is not always practical to enforce policies that completely restrict personal devices and require all work to be done on organization-issued devices. Where BYOD is allowed, there should be a clearly written policy so that employees are well informed of the information security threats involved and of what is expected of them under the BYOD arrangement.

The risk of a data breach can be minimized by using mobile security solutions that protect corporate information. Established vendors such as Symantec and IBM provide several mobile device management solutions, and newer companies such as AirWatch and iBoss also offer good ones.

Cloud Storage Applications

Storing applications and data in the cloud is convenient in several ways: it lets companies access their information from anywhere in the world, and often from more than one device.

But this convenience may also make it easier for attackers to reach the data if proper security measures have not been taken. The risk can be reduced by choosing a cloud storage provider that has a good reputation and encrypts the data.

Companies should also restrict access to cloud-based information and services by enabling two-factor authentication. This may raise the fees for the cloud services, but these additional security measures are necessary and worth the money.

Companies should work through a security checklist before adopting cloud storage, to make sure that every process changed by the move to cloud storage and cloud data access is validated for security weaknesses that may differ from those present when the applications were hosted locally.

Third-Party Service Providers

Another important aspect is third-party service providers other than cloud storage companies. Since outsourcing is often convenient and cost-effective, organizations are increasingly likely to use third-party providers for many purposes. Problems start, however, when these parties do not use secure systems while accessing the company's information.

For example, if an organization uses third-party accounting software, an attacker who breaks into the third party's system may easily gain access to the organization's financial records. This type of problem arises when the third-party provider uses weak security practices, such as the same default password for every client account, which greatly increases the risk of credentials being stolen and of the threats that follow from it.

The Target breach is reported to have taken place through the system of an air-conditioning vendor, which was connected to the victim's internal network. The risk of data breaches via third-party providers can be reduced by selecting reputable providers. Make them validate the data security procedures in their contract and, where practical, have them assume liability for any data breach caused by a fault on their side.

Still, organizations should add a further layer of protection for their data by limiting third-party access to certain hours and by minimizing the number of networks and systems the provider can reach. Another good practice is to disable third-party accounts immediately once the job is done.
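The three controls just listed (contracted hours, a minimal set of reachable systems, and disabling the account when the engagement ends) only help if someone checks that they hold. As an added example that is not part of the article, the Python below runs that check over a jump-host log: each third-party login is compared with the vendor's agreement and an alert is raised when the login falls outside the contracted window, reaches a host the vendor is not allowed on, or uses an account whose engagement has already closed. The vendor names, the agreements and the log lines are constructed; the log format is an assumption and would be adapted to whatever the VPN or jump host actually writes.

```python
from datetime import datetime, time

# Constructed access agreements, one per third-party account: the contracted
# hours (local time), the only hosts the vendor may reach, and whether the
# engagement is still open. A closed engagement means the account should
# already have been disabled, so any login on it is an alert in itself.
VENDOR_POLICY = {
    "vendor-hvac": {"window": (time(8, 0), time(17, 0)), "hosts": {"bms-01"}, "active": True},
    "vendor-acct": {"window": (time(9, 0), time(12, 0)), "hosts": {"erp-01"}, "active": False},
}

# Constructed jump-host log: "<ISO timestamp> <account> <target host> <result>"
SAMPLE_LOG = """\
2017-07-06T10:15:00 vendor-hvac bms-01 success
2017-07-06T23:40:00 vendor-hvac bms-01 success
2017-07-06T11:05:00 vendor-hvac finance-01 success
2017-07-06T09:30:00 vendor-acct erp-01 success
2017-07-06T14:00:00 alice erp-01 success
"""


def parse_line(line):
    """Split one log line into (datetime, account, host, result)."""
    ts, account, host, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), account, host, result


def check_vendor_access(log_text, policy):
    """Return (timestamp, account, reason) alerts for logins that break the
    vendor agreement. Failed attempts are reported too, since an attempt
    outside the agreed window is itself worth a look. Accounts that are not
    vendor accounts are ignored here; they belong to the employee review."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, account, host, result = parse_line(line)
        rule = policy.get(account)
        if rule is None:
            continue
        start, end = rule["window"]
        # The checks are independent: one login can raise several alerts.
        if not rule["active"]:
            alerts.append((when, account, "engagement closed: account should be disabled"))
        if host not in rule["hosts"]:
            alerts.append((when, account, "host not in allowed set: " + host))
        if not (start <= when.time() <= end):
            alerts.append((when, account, "login outside contracted hours"))
    return alerts


def accounts_to_disable(policy):
    """Vendor accounts whose engagement has ended and should be removed now."""
    return sorted(name for name, rule in policy.items() if not rule["active"])


if __name__ == "__main__":
    for when, account, reason in check_vendor_access(SAMPLE_LOG, VENDOR_POLICY):
        print(f"{when.isoformat()} {account:12} {reason}")
    print("disable now:", accounts_to_disable(VENDOR_POLICY))
```

On the constructed log this produces three alerts: the HVAC vendor logging in at 23:40, the same vendor reaching `finance-01` rather than the building-management host it is contracted for, and a login on the accounting vendor's account after that engagement was closed. The fifth line, an employee login, is left to the regular account review. In practice the agreement table would be kept alongside the vendor contract so that the detection rule and the contractual terms do not drift apart.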

Malicious Attacks

Whenever the term “data breach” is used, the first thing that comes to mind is hackers attacking company systems to gain unauthorized access to information. One way to become vulnerable to such threats is by downloading malware. This is typically unintentional, and often happens when an employee clicks on a suspicious link or visits an untrustworthy website.

In other cases, hackers guess an employee's password and then send seemingly trustworthy phishing e-mails to that employee's colleagues to obtain their passwords and other sensitive information as well. The risk of malicious attacks also increases if the organization runs outdated systems. Older operating systems, for example, often have vulnerabilities that are widely publicized, so even unsophisticated hackers can exploit them by downloading the published material.

If organizations do not update their applications and operating systems frequently, hackers get more opportunities to exploit already known vulnerabilities. Organizations must therefore keep their systems, including browsers and operating systems, up to date with the most recent patches; this considerably reduces the risk of a hack. Companies should also equip their devices with security and anti-virus software.

This limits the damage even if an employee accidentally opens a malicious file. Endpoint software offers a further security layer and thus another means of breach prevention. Another critical aspect is a sound policy for alerting management in case of a malicious attack. Employees should be trained so that they can spot suspicious e-mails and immediately report them to the relevant department of the organization.

Aroosa Ashraf is a trained and registered pharmacist from the Government College University of Faisalabad (GCUF). She graduated in 2013. She is an experienced researcher and technical writer and has been writing on different platforms for the last 4 years. She currently writes technical and non-technical articles for national and international clients.