Employees: The biggest risk and defense in cyber crime

The news is full of stories about how computer networks are being infected by malware, trojans, viruses, and that nasty malware variant known as ransomware. The story usually starts with an innocent-looking email carrying an attachment or link, sent to someone in HR or Finance, an independent consultant, or even the business owner, and ends with the encryption of the business’ networks or a data breach. The news loves to harp on the fact that the human factor is the biggest risk in cyber security, but it rarely mentions that humans are also the best defenders against cyber crime.

You can’t just rely on one person in a 10-person company; everyone needs to have a good understanding of cybersecurity and what the risks are for the organization.

Patricia (Pat) Toth

Supervisory Computer Scientist, NIST


Employee education is one of the best ways to defend against malicious activity. Letting your staff know what a phishing email looks like, why they should not enable macros in files they receive by email, and how to be smart about the way they use the internet are all steps in a positive direction for businesses that take cyber security seriously. Firewalls, endpoint protection, SIEM: that’s all great, but unless you also pay attention to the inside of the business, the threats and damage will continue to occur.

Four in ten organisations had experienced insider damage at least quarterly in 2015.

Information Age, 2016

Start with Employee Orientation: Incorporating data protection and cyber security best practices into new employee orientation and annual training is a great place for businesses to start hardening their inside defenses. Nearly all companies handle sensitive data, whether about employees or customers, so outlining safe data practices in the employee handbook and giving employees guidelines on how to handle data safely could be the difference between a W-2 phishing scheme that reveals sensitive data about your employees to a hacker and keeping that data secure.

Passwords: Seems like a no-brainer, but organizations continue to struggle with password expiry, complexity, and even forcing their IT professionals/admins to change their passwords on a regular basis. A survey during the RSA security conference found that 55% of admins make users change their passwords more regularly than they change their own administrative credentials. And believe it or not, 123456 and password still top the list of the most popular passwords in use.

Safe Data Handling: Employees need to be aware of ways to handle data safely. Whether it’s encrypting sensitive data sent by email or shredding sensitive data on paper, employees need to be told how to handle data. Employees also need to know the procedure for verifying and assisting people who call in for help. Kevin Roose from Fusion learned the hard way how easy it was to con a customer support representative into letting a hacker into his mobile phone account, with the help of a recording of a crying baby and the hacker pretending to be his stressed-out wife.

See Something, Say Something: Employees should not be punished for asking for verification of requests emailed to them. Too often phishing schemes succeed because they appear to come from the highest levels of management and are labeled urgent. Employees should know the normal procedure for making such requests, and management should put checks and balances in place to ensure sensitive data and money do not leave the organization without some form of verification. Those in Accounting should be told that the CEO, COO, etc. will not email and tell them to wire money to a vendor without a verbal confirmation (and if that is not the procedure, the business should consider adopting it or else be at risk of falling victim to a common phishing scheme!). And HR departments need to know that they won’t receive email requests for sensitive employee information either.