Each and every one of us is the greatest risk to the security of our company’s IT systems. “If I want to attack someone, I typically do it through employees. It’s much easier than trying to outsmart technology,” says Peter Leppelt, CEO and co-founder of Praemandatum. Almost every second hack is due to human error. One popular method is e-mail spoofing: the attacker pretends to be someone else. Another is dropping USB sticks in parking lots, which are then plugged into company computers. Sending compromised PDF files, e.g. as job applications, which are then printed out and allow the attacker to take over the printer, is yet another way to attack IT systems. Employee hacking can be used to gain access to patents or business ideas. Hacking is more profitable than ever: the estimated damage is $600 billion per year (McAfee estimate). Even company stock prices can be affected considerably. At aluminium producer Norsk Hydro, $40 million in market value was wiped out by a hacking attack. At the Marriott hotel chain, hackers stole data on 327 million guests, including credit card and passport numbers. From the attacker’s point of view, the ideal hack goes unnoticed by those affected.
Hackers have two main goals: to siphon off information as unnoticed as possible, or extortion. In the latter case, malware (ransomware) is used to paralyze the system, which is only released again once payment is made. Social engineering is clearly on the rise. Employees are induced to give up their passwords, e.g. by e-mails that appear to come from reputable providers and request passwords. On social media, too, people often reveal more than is good for them; hackers are quite capable of deriving passwords from the information available there (e.g. birthdays, names of children or pets). Apart from the damage you cause your employer if you are hacked as an employee, you may also bear part of the responsibility for it.
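As an added illustration of the spoofed and phishing e-mails described above (example code written for this page, not code from the original article or from Praemandatum), the following Python script applies a few header checks that a mail filter, or an alert employee looking at the raw headers, can use: an executive’s name on an address outside the company, a look-alike sender domain, a company address used as the display name, and Reply-To or Return-Path pointing to a different domain than the one the mail claims to come from. The company domain example.com, the executive list and the three messages are constructed assumptions for the example.

```python
import email
from email.utils import parseaddr

# Assumptions for this example: the company's own mail domain and the
# names attackers most often impersonate (CEO fraud). Both are made up.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}


def _domain(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def spoof_indicators(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return the list of spoofing indicators found in the message headers."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. A known executive's name on an address outside the company.
    if from_name.strip().lower() in EXECUTIVES and from_domain != internal_domain:
        findings.append("executive-name-external-domain")

    # 2. Sender domain that differs from the company domain by one or two characters.
    if from_domain != internal_domain and 0 < _edit_distance(from_domain, internal_domain) <= 2:
        findings.append("lookalike-domain")

    # 3. Company address shown as the display name while the real address is elsewhere:
    #    "it-support@example.com" <noreply@secure-login.info>
    if _domain(from_name) == internal_domain and from_domain != internal_domain:
        findings.append("address-in-display-name")

    # 4. Replies are redirected to a domain other than the one the mail claims to be from.
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 5. Envelope sender (Return-Path) does not match the From domain.
    return_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if return_domain and return_domain != from_domain:
        findings.append("return-path-mismatch")

    return findings


# Constructed sample messages (headers only matter here).
MSG_SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-reset.net
Return-Path: <bounce@mail-reset.net>
To: employee@example.com
Subject: Urgent: confirm your password

Please reply with your password so IT can migrate your account.
"""

MSG_NAME_SPOOF = """From: "it-support@example.com" <noreply@secure-login.info>
To: employee@example.com
Subject: Password expired

Click the link to keep your account.
"""

MSG_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: employee@example.com
Subject: Quarterly update

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", MSG_SPOOFED), ("name-spoof", MSG_NAME_SPOOF), ("legit", MSG_LEGIT)):
        print(label, spoof_indicators(raw) or "no indicators")
```

None of these checks is proof on its own (newsletters legitimately use a different Return-Path, for instance), which is why a filter scores them rather than blocking on any single hit; a mail that trips three or four of them and asks for a password is exactly the case the training in the next section should prepare employees for.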
What helps against it?
Many employees are not even aware of the dangers, so their awareness has to be raised through education. This can happen in training sessions or through regular newsletters on the subject. Phishing simulations are also helpful in raising awareness: the company sends harmless fake e-mails that resemble fraudulent or malicious ones, and if an employee follows the prompts in the e-mail, they see a notice that this could have been a phishing e-mail together with an explanation of what to look for. Furthermore, employees should choose strong passwords. Passwords should be at least 8 characters long (longer is better), consist of upper- and lower-case letters as well as special characters, and should not be found in any dictionary (including with common substitutions such as 0 for o) or be associated with you personally (names, birthdays, pets). A password manager makes such passwords practical, and multi-factor authentication limits the damage when a password is phished anyway.
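As an added example (written for this page, not code from the original article), the following Python function checks a candidate password against the rules above and, going slightly beyond them, against the kind of personal data the previous section says attackers harvest from social media, after undoing the digit-for-letter substitutions attackers try automatically. The word list, the substitution table and the sample person are constructed for the example; a real deployment would use a full breached-password list instead of the seven-word stand-in.

```python
import re
import string

# Constructed, deliberately tiny stand-in for a real breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "qwerty", "letmein", "secret", "football"}

# Substitutions attackers try automatically; "P@ssw0rd" is still "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lower-case the password and undo common letter/digit substitutions."""
    return password.lower().translate(LEET)


def personal_tokens(info):
    """Strings an attacker could derive from a social-media profile."""
    tokens = set()
    for value in info.values():
        for item in (value if isinstance(value, list) else [value]):
            for part in re.split(r"[\s\-./]+", str(item)):
                if len(part) >= 3:              # ignore very short fragments
                    tokens.add(part.lower())
    birthday = info.get("birthday")
    if birthday:                                # assumed format: YYYY-MM-DD
        year, month, day = birthday.split("-")
        tokens.update({year, month + day, day + month, day + month + year})
    return tokens


def password_problems(password, info, dictionary=COMMON_WORDS, min_length=8):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too-short")
    if not any(c.isupper() for c in password):
        problems.append("missing-uppercase")
    if not any(c.islower() for c in password):
        problems.append("missing-lowercase")
    if not any(c in string.punctuation for c in password):
        problems.append("missing-special")

    norm = normalize(password)
    core = re.sub(r"[^a-z]", "", norm)          # letters only: "password" from "P@ssw0rd"
    if core in dictionary or any(word in norm for word in dictionary if len(word) >= 5):
        problems.append("dictionary-word")

    haystacks = (password.lower(), norm)        # check raw and de-substituted forms
    for token in sorted(personal_tokens(info)):
        if any(token in h for h in haystacks):
            problems.append("personal-info:" + token)
    return problems


# Constructed profile of the kind an attacker assembles from public posts.
PERSON = {"name": "Jane Doe", "children": ["Max", "Lea"], "pet": "Bello",
          "birthday": "1985-03-14"}

if __name__ == "__main__":
    for candidate in ("summer", "P@ssw0rd", "Bello2019!", "Jane1985#x", "Wk7#pLm2qZ"):
        print(repr(candidate), password_problems(candidate, PERSON) or "ok")
```

Note that "P@ssw0rd" satisfies every composition rule in the paragraph above and is still rejected, which is the point of normalizing before the dictionary lookup; likewise "Bello2019!" is formally strong but is the first thing an attacker who has seen the pet’s name will try.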