What poses the greatest cybersecurity risk to your business?
“As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.” – Donald Rumsfeld, US Secretary of Defense, 2002.
Is your biggest cybersecurity risk vigilantes trying to make the world a better place, like the so-called “Impact Team” who stole user data from the extramarital affair-enabling website Ashley Madison in 2015?
Or does your cybersecurity risk come from cyber criminals looking to exploit your business’ weaknesses, like UK retailer Sports Direct experienced in September 2016, when a security hole in its staff portal was breached and the personal details of many of its 30,000 employees were stolen?
While focusing on external cyber-threats, what many organisations don’t consider are the cybersecurity risks posed by their own employees — the “known unknowns” of a business. In mid-2015, Woolworths was the subject of an accidental data leak when an email containing a spreadsheet with the details of thousands of Woolworths’ customers and a link to vouchers worth A$1,308,505 was inadvertently circulated by an employee to over 1000 people.
Accidental data breaches are not restricted only to the private sector. In November 2014, an Australian government employee accidentally sent an email containing the personal details of 31 world leaders attending the G20 Leaders’ Summit, including Barack Obama, Vladimir Putin, Angela Merkel and David Cameron, to an unintended recipient. Of course, this is probably not a concern for the current Leader of the Free World, as his personal details and musings are already publicly available: see Twitter handle “@realDonaldTrump”…
There’s even a cyber-threat for the nautically inclined: “spear-phishing” occurs when a person creates a convincing email which appears to be from a reputable source. When an employee opens the email, a virus is released and the employer’s computer system becomes infected. This is becoming more prevalent, as cyber criminals target businesses’ employees and attempt to coerce or manipulate them into revealing confidential information or granting access to internal systems.
However, while employees can present a significant cyber-risk to employers, they can also be a business’ greatest cyber-security asset and a strong first line of defence. So, what can you do at the very minimum to ensure your employees are a help and not a hindrance to your cybersecurity?
- Provide employee training to assist in recognising and reporting potential cyber threats (including spear-phishing attempts).
- Develop and implement a thorough cybersecurity policy, outlining the requirement for employees to not install third-party applications on their work computers, to maintain strong passwords, and to delete suspicious emails, among other things.
- Develop and implement a strong social media security policy to prevent confidential information being accidentally, or intentionally, posted online, and to avoid criminals being able to build detailed profiles of employees for the purpose of exploiting this information in spear-phishing campaigns.
Avoid being the next business to make headlines due to a data breach. Make sure you have measures in place to reduce cybersecurity risk, and to ensure that your employees won’t be the ones causing you any cyber-headaches!
Aaron Goonrey is a Partner and Luke Scandrett is a Lawyer in Lander & Rogers’ Workplace Relations & Safety practice. Aaron can be contacted at agoonrey@landers.com.au
Image copyright owned by USA Network, taken from ‘Mr. Robot’