While the world prepares to celebrate Valentine's Day, many companies are finding that the Month of Love can be a dangerous time for their security posture. Employees use their work devices to order flowers and candy and to book trips with their partners, and some of the promotions for chocolates and hotel nights that land in their inboxes are phishing lures sent by attackers. The scammers use the footholds that these innocent clicks and orders open up to get at company data and to wreak havoc with the company's cybersecurity protocols.
The FBI reports that these attacks are increasing. During the first few months of the COVID-19 pandemic, the agency saw a 400% increase in reported cyberattacks. Companies are increasing their investment in cybersecurity, but the vulnerabilities can often be traced back to non-digital sources: employees who are, after all, human and who intentionally or unintentionally breach cybersecurity protocols, leaving the entire company infrastructure open to attack.
Clay Posey is an Associate Professor of Information Systems in the Brigham Young University Marriott School of Business. He researches the human element in organizational cybersecurity: how employees promote or inhibit the protection of their employer's sensitive data.
He recently teamed up with Mindy Shoss, an Associate Professor of Psychology at the University of Central Florida whose work focuses on workplace stress, counterproductive work behavior and the future of work, to examine employees' daily stress levels and their adherence to cybersecurity policies, for both on-site and remote workers.
The study, Exploring the Cyber Behaviors of Temporary Work-From-Home (TWFH) Employees, found that adherence to security rules is intermittent, with most violations occurring when respondents felt that breaking a security protocol would let them get the job done more effectively and efficiently. In other words, employees felt they were doing their employers a favor by overriding the rules.
Additionally, Posey and Shoss found that the more stress an employee felt, the more likely they were to knowingly break security protocols. Employees had less tolerance for rules that impeded their work when they were under pressure.
These stressors included fears about job security, completing work assignments despite family demands, and the cybersecurity policies themselves: employees were sometimes made to feel that they weren't working "fast enough" because of the time the security protocols consumed, which could lead them to ignore anything they felt might reflect badly on their productivity.
Posey and Shoss note that, because their study was survey-based, it could not capture violations that employees were unaware of committing. Even so, it suggests that the malicious "insider threat" is less of a concern than unintentional breaches by well-meaning employees.
Posey and Shoss suggest that security policies should be designed around unintentional error rather than malice. Employees need training that teaches them how to balance productivity and security, together with assurance that they won't be penalized if their productivity suffers because they followed the security policies.
One way to do this is to involve employees in the development and testing of security policies, so that decision-makers understand how the rules add stress or interfere with workflows.
Training must also educate managers about how cybersecurity and job design are linked. Complying with cybersecurity protocols adds to an employee's workload, so managers must know how to account for that when setting workloads, and how to identify and reduce sources of stress.
Attackers also exploit well-meaning employees' desire to help one another. This leaves the company vulnerable, especially if an employee is prepared to bend the rules to help a colleague. Training sessions must therefore emphasize that the protocols apply under all circumstances.
These scams even have a name: Business Email Compromise (BEC). In this type of con, the attacker poses as a co-worker or supervisor and emails the target with an urgent request, for instance to transfer funds. Time pressure, combined with the desire to help, can push the employee to make the transfer without the proper verification. Training employees to resist the urge to skip verification, and giving them an out-of-band channel (a phone call to a number already on file, never the one in the email) to confirm any payment or data request, helps protect your organization.
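The indicators that make a BEC lure recognisable (a known executive's display name on an outside address, a typosquatted sender domain, a Reply-To that quietly redirects the conversation, and urgency paired with payment language) can be scored automatically before the message reaches the employee. The following is an added example, not code from the page or from any vendor's product; the corporate domain, the executive directory and both sample messages are constructed for illustration.

```python
"""Heuristic triage of inbound mail for Business Email Compromise indicators.

Added example: the corporate domain, the executive directory and the two
sample messages below are constructed, not taken from any real incident.
"""
from __future__ import annotations

import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
# Assumption: people whose names an impersonator is likely to borrow.
EXECUTIVES = {"dana lee": "dana.lee@example.com"}
URGENCY = ("urgent", "asap", "immediately", "right away", "today")
PAYMENT = ("wire", "transfer", "invoice", "payment", "gift card", "bank details")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 822 message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. The display name belongs to a known executive but the address does not.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display-name impersonation of {name} from {addr}")

    # 2. The sender domain is a near miss for the corporate domain (exarnple vs example).
    if from_dom != CORP_DOMAIN and 0 < edit_distance(from_dom, CORP_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Replies are silently routed somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(
            f"Reply-To domain {domain_of(reply_addr)} differs from sender domain {from_dom}"
        )

    # 4. Urgency and money in the same message: the classic CEO-fraud pairing.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    if any(w in text for w in URGENCY) and any(w in text for w in PAYMENT):
        findings.append("urgent payment language in subject or body")
    return findings


# Constructed sample: a CEO-fraud lure with all four indicators present.
SAMPLE_BEC = "\n".join([
    "From: Dana Lee <dana.lee@exarnple.com>",
    "Reply-To: dana.lee.ceo@webmail.example.net",
    "To: accounts@example.com",
    "Subject: Urgent wire transfer",
    "",
    "Are you at your desk? I need a wire sent today before the bank closes.",
    "I am in meetings all day, so please handle it and I will send the details.",
    "",
])

# Constructed sample: an ordinary internal message from the real executive.
SAMPLE_LEGIT = "\n".join([
    "From: Dana Lee <dana.lee@example.com>",
    "To: accounts@example.com",
    "Subject: Team lunch next week",
    "",
    "Thursday at noon, let me know if that works.",
    "",
])

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or "no findings")
```

None of these checks is proof on its own; the point is that the message in the story above trips all four at once, while the legitimate note from the same person trips none. A mail gateway would use such a score to add a visible banner or hold the message, not to replace the out-of-band verification the text calls for.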
Together with proper training, companies must ensure they have the right tools in place to bolster their security. These include:
- Two-Factor / Multi-Factor Authentication (2FA/MFA) for network access, remote access, email, web-based applications and so on.
- An email policy: employees should be made aware that under no circumstances may they use corporate email for personal purposes, and personal email accounts, including web-based email, should not be accessible from company devices.
- Anti-phishing tools that reduce the chance of employees being targeted by phishing attacks, backed by training on the kinds of emails to avoid and on checking where a link really points before clicking it.
- A non-negotiable password policy. Employees should be taught that they must not use identical or even similar passwords for business and non-business accounts. A credential monitoring service, which watches breach dumps for corporate email addresses and passwords, is a good way to enforce this: when an employee's corporate credentials turn up in a breach, the account password is reset and the employee is notified.
- A VPN (Virtual Private Network) encrypts traffic between remote employees and the corporate network. A system accessed by multiple remote workers should additionally be protected by Two-Factor / Multi-Factor Authentication, and any remote desktop access should sit behind the VPN and MFA rather than being exposed directly to the internet.
- Third-Party Risk Management (TPRM). For many businesses, onboarding third-party vendors is a decentralized function, which means the vetting process can vary across the enterprise. To learn more about TPRM, get the guide that helps employees understand the risks of granting outsiders access to sensitive data.
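The password item in the list above rests on two checks that a credential monitoring service or a password-change form performs: is the proposed password already sitting in a breach dump, and is it merely a trivial edit of the one it replaces? The following is an added example, not the page's tool or any vendor's code. The breach corpus is constructed and held in memory; the prefix lookup imitates the k-anonymity range query used by the Pwned Passwords service, where only the first five hex characters of the SHA-1 leave the client. The length limit and similarity threshold are assumptions.

```python
"""Password-change checks: breach lookup via hash-prefix (k-anonymity) and
similarity to the password being replaced.

Added example, not the page's credential monitoring service. The breach set
below is constructed; a real service answers the same prefix query against
billions of leaked hashes.
"""
from __future__ import annotations

import hashlib
from difflib import SequenceMatcher

# Constructed breach corpus standing in for a real leaked-credential feed.
_BREACHED = {"password123", "Winter2023!", "letmein"}


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> list[str]:
    """Simulate the k-anonymity range API: given the first five hex characters
    of a SHA-1, return every matching 'SUFFIX:COUNT' line. The caller never
    sends the full hash, so the service cannot tell which password was checked."""
    return [f"{_sha1_hex(pw)[5:]}:1" for pw in _BREACHED if _sha1_hex(pw).startswith(prefix)]


def is_breached(password: str) -> bool:
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return any(line.split(":", 1)[0] == suffix for line in range_lookup(prefix))


def _normalize(pw: str) -> str:
    # Drop the trailing digits and punctuation people bump when "rotating" a password.
    return pw.lower().rstrip("0123456789!?.#@$%")


def too_similar(old: str, new: str, threshold: float = 0.75) -> bool:
    """True when the new password is a trivial edit of the old one (assumed threshold)."""
    a, b = _normalize(old), _normalize(new)
    if a and (a in b or b in a):
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def evaluate(new: str, old: str = "", min_len: int = 12) -> list[str]:
    """Return policy violations for a proposed password; empty means accepted."""
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_breached(new):
        problems.append("appears in a known credential breach")
    if old and too_similar(old, new):
        problems.append("too similar to the password it replaces")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a leaked password, a "rotated" one, and a good one.
    for old, new in (("", "Winter2023!"),
                     ("Spring2023Sunrise!", "Spring2024Sunrise!"),
                     ("Spring2023Sunrise!", "correct horse battery staple")):
        print(repr(new), evaluate(new, old) or "accepted")
```

The similarity check only works at change time, when the old password is still in hand; once stored, passwords exist only as hashes and cannot be compared for closeness. That is exactly why the page's advice to avoid reusing a work password on personal sites cannot be enforced after the fact and has to be taught, with breach monitoring catching the cases where it was not followed.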
When all is said and done, the best way for a company to keep its systems safe from attack is to set up proper security protocols and train employees in the importance of adhering to those protocols at all times.