AmCham Slovakia

Behind most cyberattacks against business there lies a human error. For enterprise networks – which face various types of security incidents and are literally under fire from attackers every day – employees are proving to be a major vulnerability. They are the ones who open the door for hackers more widely. Why are employees becoming the weak link in cybersecurity? And what are they doing wrong?

Soitron, an IT integrator of innovative solutions and technologies, has identified the areas where employees open the backdoor of corporate IT environments. “The risks are divided into two areas. Carelessness (or even naivety) and ignorance, i.e. employees realizing that they are doing something wrong but they do it anyway,” says Martin Lohnert, a cybersecurity specialist at Soitron. Some employee-induced threats are caused by employees sharing their passwords, having an inconsistent approach to updates, opening suspicious email attachments, and clicking on dangerous URLs. Other reasons include accessing corporate networks from unauthorized and unsecured personal devices.

“If we were to count all the potential threats of attack caused by employees, the list would be endless. Let’s just mention those that are the most common and most likely to be committed by any employee,” says Lohnert.

1. Humans are social

Information sharing is very popular today. It is even considered a desirable, unselfconscious activity that is instilled in our DNA. But sharing should be reasonable and within certain limits. This is far from what is actually happening; employees quite often share information unwisely – even about their work – and attackers take advantage of this. This makes it easy for them to find out a lot of information about a company, be it from screenshots, email addresses, photos of equipment, or anything else.

2. Humans are curious

Curiosity is another strong human trait. What does a person do when they think they have won something? They want to check what they have won, how much it is worth, and how they can claim the prize. Clicking on various links announcing a win or offering some free stuff is very dangerous. In addition, social engineering comes into play here by creating a sense of urgency: the prize must be claimed by a certain time, creating space for mistakes and hasty ill-considered reactions.

3. Humans ignore things

Systems are designed to work. Ideally, they should work automatically – but this is not always possible in real life. That is why user interaction is required from time to time. If an employee receives a message from an antivirus software provider that something suspicious has been found on their PC, they should not ignore it. The same applies if they are prompted to install an update or reboot the system. Alerts and notifications are there for a reason, and they should not be ignored.

4. Humans are traceable

Usernames and passwords were invented to prove identities and the right to access a service; however, they have other uses as well. They make it possible to keep track of a user’s activity in the system. Multiple employees using single-access credentials is bad practice because it makes it impossible to identify the system penetration point in the event of a security incident. In other words, it makes it harder to detect how the problem occurred or how the access credentials were stolen.

5. Humans act foolishly

It is undeniable that people are lazy creatures. That is why even with passwords, they choose ones that are easy to remember. They try to use one password for everything; they use passwords such as “password123”; or their use their own name, the names of family members, and so on. This is bad practice, because such passwords are easy to crack. Importantly, strong passwords can actually be easy to remember. You can use your favourite quotes from books, movies, or even something from commercials, some favourite verses, song lyrics, or anything else, and then modify it with upper and lower case letters, numbers, and special characters.

6. Humans are lazy

The COVID-19 pandemic gave rise to the use of personal devices for business purposes; however, their poor security is a source of incidents in corporate networks. Few people realize that the reverse is also true. Ideally, a single device should not be used for both corporate and private purposes. If this is unavoidable, companies should use security features such as VPNs – preferably with multi-factor authentication.

Free doesn’t necessarily mean safe to use

These are just some security risks corporate IT networks face in relation to employees. But there are many more. For instance, there are open public networks masked as legitimate ones. “A common situation is that a hotel guest wants to connect to the hotel Wi-Fi, and there are two networks available. One is secured and one is unsecured. While they should ask for access credentials and connect to the secured network, they often connect to the unsecured network for convenience; however, the unsecured network might not necessarily be the hotel’s actual network. Because of its similar name to that of the hotel, it may seem legitimate – but it could just as easily be a deception. As soon as a hotel employee or guest connects to such a network, the attacker can intercept their online communication,” Lohnert points out.

It is similar with the use of non-company devices. An unauthorized connection to the corporate infrastructure is another major security risk. Even small things such as USB devices may create a major security problem for a company. “Of course, it is difficult to make sure that employees respect all security recommendations; however, a whole host of unwitting mistakes can be prevented with proper training and by raising awareness. If this is not done, patient zero may not actually even know that they are doing something wrong,” Lohnert concludes.