The answer is yes. Here’s why – and specific steps to mitigate the threats.
Is the biggest cybersecurity threat located inside your offices’ walls? The truth is that, despite dramatic plotlines in movies and news stories, the most common cybersecurity threat isn’t shadowy, skilled hackers, but all-too-human mistakes and weaknesses within your own organization.
The cybersecurity risk from inside your office is only increasing, due to several factors:
- Escalating complexity of systems
- Users are granted privileges far beyond what their work requires, usually for convenience as that complexity grows
- Soaring amounts of valuable data are being generated and stored
- Security awareness training for employees is often overlooked in favor of efficiency and productivity
This article discusses exactly how risks are hiding within your office and what you can do to mitigate these too often overlooked risks. With mitigation, you’ll reduce your threat profile by avoiding the most common cybersecurity vulnerabilities – and may well lower your cyber insurance cost if you document your mitigations.
Many cybersecurity risks originate with accidents resulting from carelessness or lack of awareness. These include:
Usernames and passwords accidentally exposed. This common mistake occurs in almost every way imaginable, from writing passwords on clearly visible sticky notes, to emailing oneself a password, to choosing a password that’s easy to guess. Once threat actors hold such credentials, they can (if multi-factor authentication or other safeguards haven’t been implemented) access the system just as easily as the legitimate holder of those credentials.
Mitigation of this risk includes supplying a dedicated password manager for employees, enforcing the use of strong passwords, employing multi-factor authentication, limiting privileges to only what is needed for any given user, and deleting credentials no longer in use.
Ports unintentionally left open or set improperly. Although open ports are what let networked services function, every open port is also a potential point of attack, because it is the service listening behind it that an attacker actually exploits. Criminals use scanners that sweep ranges of IP addresses and record which ports answer. The resulting inventory tells them what software is exposed (and often which version), so they can target a specific weakness instead of probing noisily, which makes detection and defense more challenging.
To mitigate this risk, your IT team should periodically scan your own address space (from outside and from inside the network) and compare the open ports against a documented baseline of the services that are supposed to be listening. Anything unexpected should be closed or firewalled, anything that must stay exposed should be kept patched, and the baseline itself should be reviewed whenever a system is added or changed.
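The audit described above, as an added example (not code from the original article or its author): a small Python port audit that checks a host against an allowlist of expected services and reports both unexpected listeners and expected services that are no longer reachable. The baseline set, the choice of localhost as the target, and the throwaway listener that stands in for a forgotten service are assumptions made for the demonstration; a real audit would use a documented baseline per host and a scanner such as nmap for breadth.

```python
import socket
from typing import Iterable

# Assumed baseline (invented for this example): only SSH and HTTPS are
# supposed to be listening on the audited host.
EXPECTED_PORTS = {22, 443}


def is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect() to host:port succeeds.

    A full connect is the noisiest but most portable probe; it needs no
    raw-socket privileges, which is fine for auditing your own hosts.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit_ports(host: str, ports: Iterable[int], expected: set[int]) -> dict:
    """Scan `ports` on `host` and classify the result against `expected`.

    Returns {"open": [...], "unexpected": [...], "missing": [...]}:
      - unexpected: open but not in the baseline -> investigate, close or firewall
      - missing:    in the baseline but not reachable -> service down or blocked
    """
    open_ports = sorted(p for p in ports if is_open(host, p))
    return {
        "open": open_ports,
        "unexpected": [p for p in open_ports if p not in expected],
        "missing": sorted(expected - set(open_ports)),
    }


def start_listener(host: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Start a throwaway TCP listener on an ephemeral port.

    This stands in for a forgotten service so the example can run offline.
    Returns the listening socket (close it when done) and its port number.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, stray_port = start_listener()
    try:
        # Scan the baseline ports plus the stray listener we just created.
        report = audit_ports("127.0.0.1", EXPECTED_PORTS | {stray_port}, EXPECTED_PORTS)
        for p in report["unexpected"]:
            print(f"ALERT: unexpected listener on tcp/{p}")
        for p in report["missing"]:
            print(f"WARN: expected service on tcp/{p} is not reachable")
    finally:
        srv.close()
```

Run against a real host, `is_open` should be called from the network position that matters (the internet-facing side for perimeter hosts), since a port that is closed from the office LAN can still be wide open from outside. The "missing" list is worth alerting on too: a baseline service that silently disappears is often the first sign of a misconfiguration or an outage.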
Poorly secured WiFi and IoT devices. Almost every access point now ships with encryption and a password enabled by default, but the defaults are not enough: use WPA2 or WPA3, and change the WiFi password before deployment to one that’s strong, unique, and secret (i.e., not the one printed on the back of the router). The WiFi password should also be changed periodically, so that passwords previously shared with on-site contractors and guests are rendered worthless to any outside threat actor; better still, put guests and contractors on a separate guest network so the main password is never shared at all.
Similarly, Internet of Things (IoT) devices such as smart lighting, smart thermostats, smart locks, cameras and monitoring apps, and printers should be locked down properly. That means placing IoT devices on a separate WiFi network that cannot reach your workstations and servers, changing every default credential, disabling features and remote-access options you don’t use, keeping device firmware updated, using strong unique passwords with multi-factor authentication where the device supports it, and keeping those passwords in a dedicated password manager that securely stores them for easy access by designated users.
Disgruntled or disloyal employees can do a lot of damage, whether by selling valuable data, deliberately exposing the system to bad actors, or committing outright vandalism. Mitigation of this risk includes limiting all users’ system privileges to only what they need to do their work, revoking access promptly when someone leaves or changes roles, and setting up monitoring that flags unusual activity, such as downloads of a kind or volume that is out of character for that user.
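The monitoring described above, as an added example (not the article’s own code): a Python script that reads file-download log lines, totals each user’s daily volume, and flags any day that is far above that user’s own median. The log format, the sample entries, and the thresholds are all constructed for this illustration; a real deployment would read from the file server or proxy logs and tune the ratio and floor to its own traffic.

```python
import statistics
from collections import defaultdict

# Constructed sample log (not real data). Fields: timestamp, user, object, bytes.
# alice quietly downloads ~10 MB a day, then pulls ~900 MB at 2 a.m.;
# bob moves ~200 MB every day as part of his job; carol's numbers are tiny.
SAMPLE_LOG = """
2024-03-01T09:12:00 alice /hr/policy.pdf 5000000
2024-03-01T15:40:00 alice /hr/forms.zip 5000000
2024-03-02T10:05:00 alice /hr/handbook.pdf 12000000
2024-03-03T11:30:00 alice /hr/offer.docx 9000000
2024-03-04T09:00:00 alice /hr/review.xlsx 11000000
2024-03-05T02:14:00 alice /hr/all_employees.csv 450000000
2024-03-05T02:16:00 alice /hr/payroll_export.zip 450000000
2024-03-01T08:00:00 bob /eng/build.tar.gz 200000000
2024-03-02T08:00:00 bob /eng/build.tar.gz 220000000
2024-03-03T08:00:00 bob /eng/build.tar.gz 180000000
2024-03-04T08:00:00 bob /eng/build.tar.gz 210000000
2024-03-05T08:00:00 bob /eng/build.tar.gz 230000000
2024-03-01T12:00:00 carol /sales/deck.pptx 1000000
2024-03-02T12:00:00 carol /sales/deck.pptx 1000000
2024-03-03T12:00:00 carol /sales/deck.pptx 1000000
2024-03-04T12:00:00 carol /sales/deck.pptx 8000000
"""

# Assumed thresholds (tune per environment):
RATIO = 5.0            # flag a day that is >= 5x the user's typical day ...
ABS_MIN = 50_000_000   # ... and at least 50 MB, so tiny users' noise is ignored
MIN_HISTORY = 3        # prior days needed before a baseline is trusted


def parse_log(text: str) -> dict:
    """Return {user: {date: total_bytes}} from whitespace-separated log lines."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.strip().splitlines():
        ts, user, _obj, size = line.split()
        totals[user][ts[:10]] += int(size)   # ts[:10] is the YYYY-MM-DD date
    return totals


def find_spikes(totals: dict, ratio: float = RATIO, abs_min: int = ABS_MIN,
                min_history: int = MIN_HISTORY) -> list:
    """Return [(user, date, bytes, baseline)] for days far above the user's own median.

    The baseline is the median of that user's *earlier* days, so a steady
    heavy user (bob) is not flagged, while a sudden jump (alice) is.
    """
    alerts = []
    for user, per_day in totals.items():
        history = []
        for date in sorted(per_day):
            total = per_day[date]
            if len(history) >= min_history:
                baseline = statistics.median(history)
                if total >= abs_min and total >= ratio * baseline:
                    alerts.append((user, date, total, baseline))
            history.append(total)
    return alerts


if __name__ == "__main__":
    for user, date, total, baseline in find_spikes(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user} on {date}: {total / 1e6:.0f} MB "
              f"(typical day {baseline / 1e6:.1f} MB)")
```

Using each user’s own history avoids drowning the alert queue with people whose jobs legitimately involve large transfers. The obvious gap is a new or rarely active account with no history; pair this check with a simple absolute ceiling per day, and with the time of day and the sensitivity of the path (the 2 a.m. pull of an HR export above is suspicious on all three counts).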
Vulnerability to phishing
Perfectly happy and highly loyal employees can also become vectors of damaging attacks through phishing. Convincing ruses that deceive an employee into divulging information necessary for breaking into a system can arrive not only via email or text messaging, but also through paper mail, telephone calls, and even in person.
Target data can include not only usernames and passwords but any sensitive information that opens an organization or network to further attack, including system settings, addresses of devices, financial details, locations of sensitive data, and personal details of key individuals.
Mitigation includes routinely educating users about the sophistication, creativity, and ubiquity of phishing attacks, as well as best practices such as not opening unexpected attachments, not clicking links in unsolicited messages, verifying any unusual request for credentials, payments or data through a separately known phone number or address, and not using company machines for personal business.
Leaders can also implement policies that reduce the danger: making it harder for attackers to reach your employees by not listing individual email addresses publicly; making it easy for employees to report suspected phishing without fear of blame; and having a response protocol in place to quickly evaluate a reported message, warn other staff, and reset any credentials that may have been disclosed.
When researchers track the top ten most-used passwords, the results are not surprising. Sadly, they’re quite stable over the years.
At the time of this writing, they are:
Hackers routinely probe systems with automated attacks that pair harvested usernames with vast lists of the most common passwords (and of passwords exposed in earlier breaches). To mitigate this threat, systems should require strong, unique passwords and reject any candidate that appears on a list of common or breached passwords (including trivial variations such as appended digits or symbol substitutions), multi-factor authentication should be required, and employees should be furnished with cross-device, easy-to-use, secure password managers that unlock with biometrics or multi-factor authentication.
Although the biggest cybersecurity threat is still located within your office, effective mitigation is also within your power through the common, but sometimes overlooked or neglected, measures described above for each category of threat.
Beyond the security benefits of these commonsense, easy-to-implement measures, documenting them will also put you in the best position to obtain highly protective cybersecurity insurance, which in this threat environment is more necessary than ever, at an affordable price.
About the Author:
Doug Kreitzberg– Founder & CEO of SeedPod Cyber
As CEO of USI Affinity and Programs (2004-2018), Doug led affinity business development, marketing and program businesses, including professional liability, commercial property & casualty, personal lines and life and disability Programs. In 2018, Doug founded a cybersecurity and data privacy risk consulting firm. It was through his consulting practice that he learned the value that Managed Service Providers bring to small and medium sized businesses. That insight formed the basis for SeedPod Cyber, a cyber insurance managing general agency Kreitzberg founded in 2021 which partners with Managed Service Providers to provide cyber insurance to their clients.