echoudhury77

The Human Factor: the weakest link



Owning a business comes with grave responsibility. Generally, business owners are responsible for stability, growth, direction and daily operations. Running a successful business is no easy job, and unfortunately, there are many ways that employees can cause major issues. One of those ways is human error.


There's always a threat waiting for the right time for someone to make the wrong move, so there should never be an assumption that you're in the clear. In some instances, smaller business owners feel like they have nothing to worry about, but that couldn't be further from the truth.


Everyone is a target for cyber criminals, but the reasons may vary. Those reasons may include, but are not limited to, financial gain, sabotage, revenge, corporate espionage, extortion, and blackmail.


Human error is an act of doing something unintentional that causes or allows a possible security breach to take place. It could be something small or something big, but has the same effect. Technology is becoming more advanced, right along with work environments. There is an abundance of services and tools being used that require proper management to ensure security for a business.


There are countless human error scenarios, but they fall into two types: skill-based errors and decision-based errors. Skill-based errors are the smaller mistakes that occur while doing a routine task; in most instances, negligence plays a huge role. Decision-based errors happen when a person makes the wrong decision. The wrong decision could be made because the person does not have enough information, lacks the proper knowledge, or, again, is negligent.


Human error is one of the most common causes of a security breach. No one wants to be the cause of a security breach, as you can become or create the threat. This could lead to unemployment for the employee and a major financial loss for the employer. However, there are ways to reduce the possibility of this occurring in the first place. Let's dive into the most common instances of human error and what people can do to avoid them altogether.


While some cyber criminals aim to scare you for fun, many have every intention of using an attack to obtain and use your financial information, credentials, and company data for their gain. Most, if not all, cyber criminals are doing this for financial gain, so there will be multiple attempts, including attempts to gain a foothold in your corporate or government network. Phishing schemes are one of the easiest and most common ways to create a threat for your company. Many data breaches start with a phishing attack, which is why it's important to know what to look out for.


Though people normally think clicking on a link is harmless, that simple act can open the door to a load of issues. Phishing is the act of sending a malicious, illegitimate email that urges users to click on a link. Clicking that link leads users to be conned into providing sensitive data, which gives the attacker access to it. The sensitive data could consist of your account login credentials, credit card information, or your company's information. Malware is most commonly delivered through phishing. Phishing can also be seen as social engineering, as it's a technique used to scam and manipulate people.


How does it work?


A cybercriminal sends an email to a user. This email is most likely going to suggest that you:

- Click a link to change your password because it has expired

- Click on a document to “view” it

- Send over your personal information


Some may be wondering how people fall for this type of scam. The answer is an easy one: impersonation. The smartest attackers create illegitimate emails that look realistic, making phishing emails increasingly hard to detect. Once the email is sent, a user clicks on a link to change their password and gets redirected to a bogus page that also looks legitimate. The user will be prompted to enter their current and new password. The attacker watching the page will take that password to gain access to areas of your company's network.

Then the user may be redirected to a confirmation or renewal page.


However, while this is happening, the damage is already done. The user most likely won't be able to log back in to that site, information is being compromised, and a script is being run. Cyber criminals use this approach because it's cheap, effective, and easy. Obtaining an email address is just as easy as sending an email, which makes obtaining your personal information a breeze for the attacker.


What can you do as the employer?


One way that Sophos protects against the delivery of a threat is with Sophos Phish Threat. It is a platform that allows organizations to test and train their users against email attacks. Simulations are provided to promote security awareness and to teach users what to look for and avoid. Sophos Email checks all emails for malicious links and attachments, blocks 99% of spam, and uses SophosLabs threat intelligence to identify malicious emails. With this cloud email security, you will be protected from phishing, malware, and impersonation attempts.


What can you do as the employee?


As an employee, you should always be cautious of the emails you receive. Taking the Sophos phish training would be highly beneficial if you aren’t familiar with how phishing works. However, there are a few things that are a dead giveaway.


Such as:

- Typos anywhere in the email

- Requests for sensitive information

- Urgency

- Not personalized (ex. Dear customer, Dear user)

- Included link with a different domain
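
The checklist above can be turned into a simple screening script for a mail team or a security-awareness exercise. The following Python code is an added example, not part of the original post or a Sophos product; it scans constructed sample emails for four of the five giveaways (urgency, requests for sensitive information, a non-personalized greeting, and a link whose domain differs from the sender's domain or from the text shown for the link). The typo indicator is omitted because it needs a spell checker; the keyword lists, sender addresses, and message bodies are all assumptions made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword lists; a real deployment would tune these to its own mail.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended", "expire")
SENSITIVE_PHRASES = ("password", "credit card", "social security", "account number")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Reduce a hostname to its last two labels (example.com). Simplified: no public-suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _domain_in_text(text):
    """Return the registered domain of a URL shown as link text, or None."""
    match = re.search(r"https?://([^/\s]+)", text)
    return _registered_domain(match.group(1)) if match else None


def phishing_indicators(sender, subject, body_html):
    """Return the list of checklist indicators found in one email (empty list = nothing flagged)."""
    hits = []
    plain = re.sub(r"<[^>]+>", " ", body_html).lower()
    combined = f"{subject.lower()} {plain}"

    # Urgency: pressure to act now is a classic lure.
    if any(phrase in combined for phrase in URGENCY_PHRASES):
        hits.append("urgency")
    # Requests for credentials or payment details.
    if any(phrase in combined for phrase in SENSITIVE_PHRASES):
        hits.append("asks_for_sensitive_info")
    # Non-personalized greeting at the very start of the body.
    if any(plain.strip().startswith(greeting) for greeting in GENERIC_GREETINGS):
        hits.append("generic_greeting")

    # Link domain check: href domain must match both the sender's domain and any URL shown as link text.
    sender_domain = _registered_domain(sender.rsplit("@", 1)[-1])
    extractor = _LinkExtractor()
    extractor.feed(body_html)
    for href, visible in extractor.links:
        href_domain = _registered_domain(urlparse(href).hostname or "")
        shown_domain = _domain_in_text(visible)
        if href_domain != sender_domain or (shown_domain and shown_domain != href_domain):
            hits.append("link_domain_mismatch")
            break
    return hits


# Constructed sample emails (sender, subject, HTML body); none of these addresses or hosts is real.
SAMPLE_EMAILS = {
    "newsletter": (
        "it-support@example.com",
        "Monthly newsletter",
        '<p>Hi Alice,</p><p>This month\'s newsletter is on <a href="https://intranet.example.com/news">the intranet</a>.</p>',
    ),
    "password_reset": (
        "security@example-support.test",
        "URGENT: your password expires today",
        '<p>Dear Customer,</p><p>Your password will expire within 24 hours. Click '
        '<a href="http://example.com.login-reset.test/reset">https://portal.example.com/reset</a> '
        'and enter your current password.</p>',
    ),
}


if __name__ == "__main__":
    for name, (sender, subject, body) in SAMPLE_EMAILS.items():
        flags = phishing_indicators(sender, subject, body)
        print(f"{name}: {'clean' if not flags else ', '.join(flags)}")
```

Running the script flags the constructed reset email on all four checks and leaves the newsletter clean. The indicators are heuristics, not proof: a mismatch between link text and link target is the strongest single signal here, while an urgency phrase alone appears in plenty of legitimate mail, so a mail team would typically weight or combine these rather than block on any one of them.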


If you are expecting an email from someone but it looks suspicious, check with that person before sending or clicking anything.


Changing work practices that employees are accustomed to can decrease the chance of human error. Since the pandemic, people have become very familiar with technology. While some employees were not enthused about working from home, many others were thrilled. Working from home has its benefits, but there are many errors that could occur when allowing employees to do so. Every individual working remotely can be a threat to a business.

Human error in this instance can happen in many ways, one of them being through personal devices.


To be direct, personal devices should not be used for work, especially if they're not secured. It may seem meaningless, but as the employee, no one besides you should have access to your device. Employees are completely responsible for that device, meaning that if a friend or family member does something to create a threat for the company, the employee is liable. The device should be protected by a password, and it should not be left unlocked or unattended.


Employees search the web regularly. There are tricks and scams all throughout the web, and all it takes is one wrong search to create a threat. Sometimes it's as simple as one click. Other times you may be prompted to do a little more, like downloading an app. While simply typing something into Google's search engine shouldn't hurt, the issue begins when visiting websites. Just because it's on Google doesn't mean it's safe, and you should never download anything you're not familiar with. A great option for an employer would be to issue company devices. Though it's more costly, it's much safer. These devices can be protected and managed by the employer.


What can you do as the employer?


Sophos Endpoint keeps your data safe and secure with superior prevention, detection, and response. This endpoint protection incorporates Intercept X to stop breaches before they even start. Unlike normal anti-virus software, Intercept X focuses on the techniques used to compromise a device, rather than the threat itself. Attack techniques are blocked using exploit prevention, malicious files are recognized by machine learning, and anti-ransomware works to detect and report possible ransomware activity. Once a threat is detected, Intercept X will report any detections and allow administrators to control their protected devices. Intercept X endpoint is the strongest source of protection.


What can you do as the employee?


As mentioned earlier, employees should avoid allowing others to use their device. Use your company device for work only and report any suspicious activity. Put your best foot forward to keep your company's data safe.


Both employers and employees should work together to create the safest and most secure work environment. With the proper training and protection, a security breach need not be in your future. Humans don't have to be the weakest link, so don't click that link!



