Friend or Foe: Employees as Security Threats

Hosting legal tech webinars and consulting with lawyers has opened my eyes to attorneys’ greatest cybersecurity misconceptions: their firms are too small to be targeted, and that simple firewalls keep bad guys at bay.

The truth is that businesses of all sizes are at risk, and most data breaches originate INSIDE your office.

While several high-profile breaches have grabbed headlines and rocked American corporate giants, hackers primarily prey on much smaller outfits. Law firms are no exception: 29% of them experienced data breaches in 2020.

The most common tool of these infiltrations? It isn’t brute force hacking. It’s employees.

Up to 90% of data breaches are attributable to human factors, including deception, carelessness, and malice. Read on for available measures to help your best employees avoid critical mistakes and keep your worst ones from ruining your reputation.

Deception: The Subtle Art of Social Engineering

Most of your employees are great workers and great people who would never intentionally put your firm at risk. Still, they can be overmatched by increasingly sophisticated hoaxes designed to elicit info and access.

“Social engineering” is the catchall description for manipulative methods that win confidence and subtly coerce users into divulging sensitive information or making security mistakes. They began as clumsy Nigerian Prince scams but have evolved into phishing efforts able to hook Google and Facebook.

Social engineering can take many forms, including:

• “baiting” (requesting info to collect a prize or offer)
• “scare tactics” (declaring your system infected and offering a downloadable cure)
• “pretexting” (posing as a trusted figure who needs you to prove your identity)
• “phishing” (fake emails seemingly from reputable senders that trick recipients into clicking dangerous links).

It’s easy to think, “I’d never fall for those traps!” But the methods grow ever more complex and convincing. Even good employees can make mistakes, and it only takes one slip to render your system vulnerable.

You can’t personally screen every message and response, but you can give your team the skills to spot social engineering via security awareness training. Of course, the problem is that security training programs usually SUCK, meaning that employees skip them, forget them, or find ways to complete them with minimal effort (and minimal learning and retention). How do they suck? Here are two major ways:

• Far too long – 45 minutes is the average length of cybersecurity training
• Boring – yes, I swear they go out of their way to find the most monotonous and dull speakers to record these trainings

Thankfully, training has come a long way from PowerPoint snoozefests of the past.

Relying on multimedia presentations and behavioral science techniques, the best providers employ an engaging approach that entertains while educating (and tracks employee progress and participation). BobaGuard’s solution includes just such a program, which covers all aspects of social engineering and other cybersecurity issues like mobile security, Wi-Fi integrity, best browser practices, privacy safeguards, malware defense, and more. They use short videos (7 minutes on average) and engaging cartoon characters that make the material fun, and therefore more memorable and effective.

Alas, some social engineering tactics are so tricky that training alone isn’t enough, phishing in particular. It’s a treacherous challenge that accounts for 1/3 of all data breaches, so I recommend regular phishing simulations that assess how employees react and keep everyone on their toes.

These simulations send convincingly crafted (but harmless) emails to your team, gauging how they’re handled and diagnosing the additional measures necessary to protect your data. Simulations are also part of BobaGuard’s multi-layered plan, along with immediate remediation training. If someone clicks on a link in one of these phishing emails or enters their credentials, they are routed directly to training that explains what they missed and how to protect the firm next time, leaving them better prepared.

Training and testing will equip your team to handle social engineering’s deceptive practices, but there’s more work required to turn your staff from a weak link to an anti-hacking squad. That’s especially true when it comes to managing credentials.

Carelessness: The Perils of Bad Password Hygiene

Passwords are our first line of digital defense and, used correctly, provide solid protection…but when improper practices put keys in the wrong hands, those codes suddenly become a weapon.

Unfortunately, far too many employees are careless when it comes to credentials.

Google discovered that 2/3 of employees use the same password for several (or all) of their logins. The average password is reused four times, meaning one lost key corrupts several accounts.

I get it: creating, tracking, and typing complex unique passwords for every site is a lot tougher than remembering your pet’s name. Laziness is understandable…but also unforgivable once data breaches harm your firm or your clients.

Fortunately, there is another easy solution – password vaults.

These team-based credential managers generate and store complex, unique strings for every site in a secure central location that your whole staff shares and can update. No more messy Post-Its or productivity lost to conflicting credentials – your whole team is up-to-date, secure, and able to enter passwords automatically with the accompanying browser/mobile apps.
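The reuse problem described above (one password shared across several accounts, so one leaked key opens all of them) is something a vault makes easy to audit. The following is an added example, not code from the original post or from BobaGuard: it takes a list of vault entries in the shape many managers export (site, user, password), groups the accounts that share a password, and reports only the account labels, never the passwords themselves. The sample entries are constructed for illustration and are not real credentials.

```python
"""Audit a password-vault export for reused credentials.

Added example (not part of the original post). Input is a list of dicts with
"site", "user" and "password" keys, the shape of a typical vault CSV export.
The report lists which accounts share a password so the owner can rotate
them; the passwords themselves are never included in the output.
"""
from collections import defaultdict

# Constructed sample export: hypothetical accounts and made-up passwords.
SAMPLE_EXPORT = [
    {"site": "mail.example.com", "user": "paralegal1", "password": "Summer2020!"},
    {"site": "docs.example.com", "user": "paralegal1", "password": "Summer2020!"},
    {"site": "bank.example.com", "user": "paralegal1", "password": "Summer2020!"},
    {"site": "efile.example.gov", "user": "attorney2", "password": "x9#Lq2v!Tb7z"},
    {"site": "research.example.com", "user": "attorney2", "password": "Summer2020!"},
]


def reuse_report(entries):
    """Return the groups of accounts that share a password.

    Each group is a sorted list of "user@site" labels; groups are ordered
    largest first (the most-exposed password at the top). Accounts whose
    password is unique do not appear at all.
    """
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(f'{entry["user"]}@{entry["site"]}')
    groups = [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]
    groups.sort(key=lambda group: (-len(group), group))
    return groups


def reuse_rate(entries):
    """Fraction of accounts whose password is shared with at least one other."""
    if not entries:
        return 0.0
    shared = sum(len(group) for group in reuse_report(entries))
    return shared / len(entries)


if __name__ == "__main__":
    for group in reuse_report(SAMPLE_EXPORT):
        print(f"{len(group)} accounts share one password: {', '.join(group)}")
    print(f"reuse rate: {reuse_rate(SAMPLE_EXPORT):.0%}")
```

Run against a real export, the reuse rate gives a single number to track over time as staff migrate to vault-generated passwords, and the groups tell you which accounts need rotating first: the largest group is the one where a single leaked credential does the most damage.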

In addition to a vault, you should make sure employees activate two-factor authentication (2FA) for all accounts. 2FA employs an alternate confirmation (text, email, security question) to verify suspicious logins. It’s another simple step that’s often overlooked (or permanently procrastinated), but in just a few minutes can save a lot of trouble down the road.

One other essential tool in the fight against password breaches is Dark Web monitoring. This measure won’t stop employee carelessness but detects when mistakes have imperiled your firm’s credentials. Proactively scanning digital black markets provides alerts when company information is being traded by hackers, letting you change the locks before they can strike.

Proper password hygiene requires a certain level of vigilance that not all employees will practice…and if just one worker slacks off, all of your data can be exposed. Enlisting services that automate best practices while making life easier for your team is a great way to implement critical protocols.

Interlocking layers are the “key.” Password managers ensure unique codes, 2FA adds a layer of safety, and Dark Web monitors patrol for stolen credentials…all working together to secure your data and keep your online access “oops-proof.” They’re also all included as part of BobaGuard’s turnkey solution.

Malice: The Danger of Disgruntled Workers

The last category of employee misconduct is the one we least like to consider, yet one that poses a genuine danger: malicious acts.

A recent security assessment revealed that 22% of data breaches were intentional deeds committed by internal actors. Such attacks can be particularly damaging: fired workers know passwords, are familiar with your network, and may retain direct access to your cloud apps and records.

Disgruntled employees often prove particularly dangerous to smaller firms that are run more like a family and lack the corporate HR experience to deal with the threat.

In such instances, established security protocols can prove invaluable.

Security protocols specify the protective and remedial measures necessary after certain foreseeable challenges. In addition to emergencies like natural disasters, external hacks, or facility damage, these plans cover the steps to eliminate employee access and prevent disgruntled revenge. In the emotional aftermath of a tense termination, protocols provide checklists to avoid fatal oversights.

Regular system scans are also essential in case a departing worker has left malware or ransomware behind. These programs can lie dormant and undetected in a network until future activation; it’s imperative to identify and extract them before that can happen.

Backing up data can also be vital to overcoming malicious deletion or corruption. Employees with access can erase countless files, so having an offsite copy of critical data (like email) is an insurance policy against the unthinkable.

Every employer hates to consider that they might be at risk from their workers; we screen all our hires, grow close to our team, and shudder to think of a breach that’s also a betrayal. But it happens.

You can’t catch every bad apple, deflect every temptation, or be a perfect psychologist for your staff…but with security protocols, system scanning, and email data backup, you can limit the damage suffered should things go south. BobaGuard’s plan includes all of these precautions. 

Conclusion

The cybersecurity landscape is daunting enough without having to worry about threats from within. Unfortunately, the deception of social engineering practices, the carelessness of credential mismanagement, and the malice of soured workplace relationships all make employees a danger to data…whether intentional or not.

By training (and testing) your team, giving them tools that simplify compliance, and taking precautions against someone going rogue, you can instill confidence and implement safeguards to better protect your data.  

Don’t let your greatest assets become an existential liability – make your good employees better and your bad ones less risky. BobaGuard is ready to help.
