The Secrets of Cybersecurity: How to Protect Employees from Being Hacked?
How do hackers attack employees?
Companies fall victim to cybercriminals not only because of the sophisticated methods hackers use to compromise corporate data but also because of employees’ misconduct when working with that data. One of the most common methods hackers use to access corporate data is phishing attacks aimed at compromising corporate databases or devices. To this end, hackers send electronic messages to, or call, the company’s employees under the guise of management or colleagues. Generally, before committing this type of cyberattack, hackers gather publicly available information about the target company and prepare trustworthy reasons for entering into communication with employees. For example, when writing to employees on behalf of a CTO, hackers ask them to provide their account passwords, claiming that they need to check their security. As a result, employees do not even suspect a threat before being hacked and making their company vulnerable. In March 2021, the California State Controller’s Office experienced a phishing attack that resulted in hackers compromising the identity data of 9,000 individuals. The hacker had access to the email account of one of the agency’s employees for more than 24 hours after the employee had followed the link in the phishing message and entered his ID and password in the respective fields. The hacker had collected a large volume of information about the target employee before committing the attack.
Employees may also let hackers into corporate resources by downloading unverified or malicious applications, wrongly assuming that every application available in a marketplace is safe. Such malicious applications may ask the user to grant access to contacts, emails, media files, or even passwords. With this information, cybercriminals can steal corporate secrets or access corporate databases using the stolen passwords. Meanwhile, by accessing the user’s microphone or camera, hackers can listen in on confidential corporate conversations or gather information about a particular facility or territory, which is especially dangerous in the military sector.
Furthermore, users of malicious applications become an easy tracking target once they grant administrator rights to these applications, since all their movements can then be monitored by hackers. The malware installation itself may go unnoticed by the user. For example, during the coronavirus pandemic, hackers have actively used LinkedIn profiles for malicious purposes. They send job offers to victims in a file named after the victim’s current job title. By opening the job offer, an employee starts the installation of malware dubbed “more_eggs”, after which the malicious actors gain remote control of the victim’s device and access to its files. The antivirus software installed on the device cannot detect this type of malware.
Employees are often hacked after visiting malicious websites while searching for information. In modern digitized international business, websites are the main source of information, yet most companies neglect to compile a list of dangerous web resources to which employee access should be blocked. Thus, on opening a dangerous web resource, an employee may download malware or let hackers access all information stored on his device without noticing any suspicious activity. One of the most common methods hackers use to steal corporate information is gaining access to the corporate Wi-Fi. To this end, hackers apply social engineering or other tactics and, as a result, can monitor all corporate traffic to identify the most frequently used web resources. By creating fake copies of these websites, hackers trick employees into handing over data and help the malware spread further.
Even when hackers fail to compromise corporate data with the methods above, they can reach their goals by exploiting human curiosity. For example, when an employee finds a flash drive bearing his company’s logo, he is likely to plug it into his corporate computer to view the stored information. That is exactly what hackers want, since the flash drive contains malware that installs itself automatically on the victim’s corporate device. In some cases, this extremely simple type of cyberattack brings hackers the desired outcome. Consequently, cybercriminals mostly hack employees’ devices to reach corporate data through social engineering attacks rather than highly technical methods.
Employees got hacked: risks and response
When hackers gain access to employees’ devices and accounts, they can steal almost all available corporate information, since companies in most cases do not encrypt data to prevent its theft. On average, only 4% of the information obtained by hackers is encrypted. The main risk associated with data theft due to employees’ misconduct is reputational damage. News of a cyberattack experienced by a company spreads rapidly in the media; the company’s clients start considering a switch to more reliable competitors, while the compromised company’s attractiveness to potential customers becomes minimal.
To recover from the reputational crisis, a company needs to develop new strategies for communicating with customers and partners, engaging additional specialists or commissioning services from professional PR agencies to this end. Meanwhile, by focusing on recovering from the reputational crisis, the internal PR specialists have to postpone the launch of new marketing campaigns, thereby reducing the frequency of new publications, which has a negative impact on the company’s popularity.
When employees neglect the rules of safe work with corporate data and devices, they can cause negative legal and, thereby, financial consequences for their companies. For example, under the General Data Protection Regulation (GDPR), in force in the European Union and the European Economic Area, a company that failed to protect users’ data may face financial penalties of up to 20 million euros or 4% of its annual revenue, whichever sum is higher. In addition, customers whose data were compromised by hackers are entitled to file individual claims in court for financial compensation, in which case the company in question also has to cover all court expenses. Overall, when employees fail to follow corporate cybersecurity guidelines, their companies are likely to lose competitiveness in the market.
The primary obligation of employees who notice that their devices or accounts have been hacked is to notify the internal cybersecurity specialists of the incident. Employees must never follow hackers’ instructions or send money to malicious actors. All information about the activities that could have led to the hack of devices or accounts should be handed over to the respective specialists. The next important step is estimating the scale of the cyberattack and identifying the compromised systems. The company should notify the other employees and partners whose data were compromised. It is important to disconnect the hacked devices from the network to stop the spread of dangerous content and to deactivate the accounts hackers used to access corporate resources. The company, in its turn, has to notify the police and regulatory authorities of the incident. The company may return to normal work after completing a security audit of all software and changing passwords. Overall, only by following a precise response algorithm after being hacked can employees minimize the potential damage their companies suffer as a result of a cyberattack.
How to protect employees from cyberattacks?
Taking into account the potential consequences of hacks of employees’ accounts and devices, companies should take measures to prevent such incidents in the future. A company that has experienced a cyberattack should analyze the factors that enabled the incident and eliminate them. One of its tasks is to train employees in cybersecurity when working with corporate devices and accounts. Employees need to store the passwords to their devices and accounts securely and never disclose them in any form to anybody, even when they receive a message requesting them to do so. By setting a unique password for each corporate device or account, employees can significantly limit the damage caused by a cyberattack: a hacker who obtains the password to a single device will not be able to access other devices and accounts.
However, due to various circumstances, highly skilled hackers, as a rule, succeed in hacking one or a few employees’ accounts. In this case, one of the most effective ways to prevent the theft of a large volume of information is access control. Employees should have access only to the files and functionality required to perform their professional duties, and the company has to govern employees’ access rights. As a result, when the account of a single employee is hacked, malicious actors can access only a limited volume of information.
Companies suffer from phishing attacks because hackers find publicly available information about their employees and, as a result, gain their trust when communicating with them in the guise of a company executive or specialist. To avoid such incidents, employees should not disclose to external parties or strangers too much information about themselves that could be used for malicious purposes. When working on the Internet, employees should neither follow suspicious links nor download unverified files. When an employee doubts whether a particular resource or action is safe, he should consult the internal cybersecurity specialists. When employees use personal devices for professional purposes, they need to update their security software regularly. To ensure the strongest protection against hacks, employees need to follow the cybersecurity guidelines developed by their company thoroughly.
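As an added example that is not part of the original article, the small Python checker below turns the advice above (and the fake copies of frequently used websites described earlier) into a concrete control: it pulls every link out of a message and flags hosts that imitate the company's trusted sites by typosquatting, look-alike characters, or embedding the trusted name in a foreign domain. The allowlist, the homoglyph table and the sample message are constructed for this illustration, not taken from any real company or incident.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of the company's own and frequently used sites (hypothetical names).
TRUSTED_DOMAINS = {"example.com", "hr-portal.example.org"}
# Character swaps commonly used to build visually similar domain names.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def normalize(host):
    # Lower-case the host and fold look-alike characters back to their ASCII originals.
    host = host.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host

def edit_distance(a, b):
    # Levenshtein distance; catches typosquats that differ by one or two characters.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    # Returns 'trusted', 'lookalike' or 'unknown' for one URL host name.
    host = host.lower().rstrip(".")
    registrable = ".".join(host.split(".")[-2:])  # last two labels, e.g. examp1e.com
    for t in TRUSTED_DOMAINS:
        if host == t or host.endswith("." + t):
            return "trusted"
    for t in TRUSTED_DOMAINS:
        if t in host:  # trusted name embedded in a foreign domain: example.com.evil.net
            return "lookalike"
        for cand in (normalize(host), normalize(registrable)):
            if edit_distance(cand, t) <= 2:  # threshold must be tuned for short names
                return "lookalike"
    return "unknown"

def check_message(body):
    # Pair every URL found in a message body with its verdict.
    return [(u, classify_host(urlparse(u).hostname or "")) for u in URL_RE.findall(body)]

# Constructed sample message, not a real phishing email.
SAMPLE = """Please confirm your password at https://examp1e.com/login today.
HR portal: https://hr-portal.example.org/benefits and https://example.com.account-verify.net/reset
Unrelated: https://news.site.org/article"""
```

Calling `check_message(SAMPLE)` returns one (url, verdict) pair per link; anything marked "lookalike" is what the cybersecurity team should be consulted about before the link is followed.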
Companies, in their turn, should regularly audit the security of their devices, databases, and accounts using the services of professional cybersecurity consultants. Hacken provides security assessment services to clients and tests their corporate resources by simulating social engineering cyberattacks. Hacken specialists also provide cloud security assessment services. Cooperation with Hacken can help companies from different sectors ensure the safe work of their employees and strengthen their resilience to existing and potential digital threats.