Looking at the field of IT and security lately, we can easily spot an interesting trend growing in popularity – taking advantage of a user in order to break into the system. It doesn’t matter whether it’s ransomware, phishing, or data theft, a big part of present-day attacks relies on an ordinary user to open, intentionally or unintentionally, a door into the system for the attacker.
User = the weakest point of any system
Attackers wanting to compromise systems or even entire companies rely more and more on ordinary system users, because as security solutions mature, users become the easiest way around all the rules set up for protection. Research done by the Osterman company shows that every other company has been affected by ransomware in the last year. Other statistics show a growing number of phishing attacks on companies of any type and size. Internal security incidents in which a user (un)intentionally sends sensitive information to an incorrect recipient are also far from rare.
It’s not difficult to find victims of similar situations; it’s happening everywhere. One of the smaller incidents we recently heard about from one of our Czech customers is the following: an employee wanted to share about 100 scanned national ID cards with an external partner. For this he (very unwisely) used the Czech file-sharing platform uloz.to, making the content available to anyone visiting the site. Another example: in another organization, an employee unintentionally sent their entire customer list to one of their clients.
In most cases, such failures arise from a user’s mistake or ignorance, which are very easy for an attacker to exploit. The problem is that they are correspondingly difficult to defend against: often it is enough to click a wrong button or open an attached file. That little suffices for an incident with wide-ranging consequences to happen.
So, is there a solution?
Not surprisingly, the only protection against mistakes of regular users is prevention. The first step in a company environment is to define rules and policies. These documents are informative in character and should guide employees in the right direction when working with computers and company systems. If the text is easy to understand and not too long, the probability that employees will follow the documents grows.
Documentation is of course just the formal side of things. What is really important is to invest enough attention in training and in reminders of the most important rules. Let’s give it some thought and prepare a set of simple suggestions that even our (grand)parents can understand. The list will most likely include at least these:
- Do not answer any unsolicited e-mails!
- In legitimate communication nobody will ever ask you to send your login information via e-mail or share it during a phone call. Do not react to these kinds of requests!
- Do not click on any suspicious links or banners!
- Keep your system and programs up to date, use antivirus and do not install unknown applications.
- Before you provide anyone with your personal or sensitive information, think twice whether it’s really needed and whether the request is legitimate.
It is also important to have enough space to think about your own activities when working on a computer – especially when you work with sensitive data. Ideally you should avoid working under stress or time pressure - although we all know that this is easier said than done.
It is also a good practice to display security tips to employees while they work. It does not matter much whether they appear in an information system, on the company intranet, or right after the computer is started. The more often the recommended steps are mentioned, the higher the probability that they’ll really be taken.
From the technological point of view it’s smart to use security audit tools, which reveal potential risks – for instance employees using a service of the uloz.to type mentioned above because they don’t know of any better alternative for data sharing. The next step is implementing a Data Loss Prevention (DLP) solution, which can display a notification to users when they are working with sensitive data. Depending on its settings, it can warn the user that he is trying to send an internal document outside the company, and so prevent human error before it is too late.
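The kind of check a DLP solution performs on outgoing mail can be illustrated with a small policy engine. The following Python is an added example, not code from the original post or from any DLP product: it treats a message as risky only when at least one recipient is outside the company and the body or an attachment carries either a classification marker or a Czech birth number (rodné číslo) of the sort printed on the national ID cards mentioned above. The internal domain names, the classification markers and the sample birth numbers are all assumed or constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Assumed internal mail domains; a real deployment reads these from configuration.
INTERNAL_DOMAINS = {"example-corp.cz", "example-corp.com"}

# Assumed classification markers that a company policy stamps into documents.
CLASSIFICATION_MARKERS = ("INTERNAL", "CONFIDENTIAL", "INTERNÍ", "DŮVĚRNÉ")

# Czech birth number as printed on ID cards: YYMMDD, optional slash,
# then 3 digits (numbers issued before 1954) or 4 digits (later numbers).
BIRTH_NUMBER_RE = re.compile(r"\b(\d{2})(\d{2})(\d{2})/?(\d{3,4})\b")


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


@dataclass
class Verdict:
    action: str                                    # "allow" or "warn"
    reasons: list = field(default_factory=list)    # why the user is warned


def is_external(address: str) -> bool:
    """True when the recipient's mail domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def is_valid_birth_number(yy: str, mm: str, dd: str, suffix: str) -> bool:
    """Plausibility check that filters out phone numbers and other digit runs.

    Months 01-12 are men, 51-62 are women (month + 50). The variants with
    +20 introduced in 2004 are ignored here to keep the example short.
    Ten-digit numbers must be divisible by 11; nine-digit ones have no check digit.
    """
    month = int(mm)
    if not (1 <= month <= 12 or 51 <= month <= 62):
        return False
    if not 1 <= int(dd) <= 31:
        return False
    if len(suffix) == 3:
        return True
    return int(yy + mm + dd + suffix) % 11 == 0


def find_birth_numbers(text: str) -> list:
    """Return every substring that looks like a valid birth number."""
    return [m.group(0) for m in BIRTH_NUMBER_RE.finditer(text)
            if is_valid_birth_number(*m.groups())]


def evaluate_message(msg: Message) -> Verdict:
    """Decide whether the user should be warned before the message leaves."""
    external = [r for r in msg.recipients if is_external(r)]
    if not external:
        return Verdict("allow")          # internal-only traffic is not inspected here
    reasons = []
    texts = {"body": msg.body, **msg.attachments}
    for name, text in texts.items():
        hits = find_birth_numbers(text)
        if hits:
            reasons.append(f"{name}: {len(hits)} birth number(s) found")
        markers = [m for m in CLASSIFICATION_MARKERS if m in text.upper()]
        if markers:
            reasons.append(f"{name}: classification marker {markers[0]}")
    if reasons:
        return Verdict("warn", reasons)
    return Verdict("allow")


if __name__ == "__main__":
    # Constructed sample: a scanned-ID export sent to an external partner.
    msg = Message(
        sender="alice@example-corp.cz",
        recipients=["partner@other-firm.example"],
        subject="Scans",
        body="Please find the scans attached.",
        attachments={"scans.txt": "Name: Test Person, RC 790319/0031 (constructed)"},
    )
    verdict = evaluate_message(msg)
    print(verdict.action, "-", "; ".join(verdict.reasons))
```

The message is only warned about when both conditions hold, an external recipient and sensitive content, which is what keeps the number of pop-ups low enough that employees do not learn to click them away. The birth-number check deliberately validates the month and the mod-11 check digit so that ordinary nine- and ten-digit numbers do not trigger false warnings; nine-digit numbers, which have no check digit, remain the main false-positive class.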