Risks Employees Pose to a Firm’s Cybersecurity Posture
If you missed it, last week we shared the first excerpt from our newest whitepaper, A Fund Manager’s Cyber Security Action Plan, which we wrote in conjunction with Sadis & Goldberg. Today, we’re sharing our section on the risks employees pose to firm security, including both unintentional and malicious actions that can wreak havoc on an organization.
With mounting regulatory pressure, Fund Managers can no longer afford to sit idly and rely on technology to protect them from the next cyber-attack. Advanced technology systems and infrastructure protocols are, of course, critical in mitigating cyber risk; however, for the prudent Fund Manager, the list of defense mechanisms cannot end there. Even while the sophistication of perimeter security systems and vigilant monitoring tools increases, the greatest vulnerability to a firm remains within its interior: its own employees – the people who use IT systems to conduct transactions and access sensitive data.
Employees – particularly those with unrestricted access to sensitive information and financials – are a hacker’s easiest access point into a firm. Every day, more employees fall victim to social engineering schemes and phishing attacks designed to fool them.
Entering a password or financial information. Downloading malicious software. Transferring funds. Hackers are well-versed in how to trick users into committing these acts. And while not malicious (though we’ll discuss that also), these employee actions can end up costing their organizations more than money.
Let’s look at unintentional security risks presented by employees – many of which can be addressed through training and creating a culture of security.
Getting Caught by Phishing
The art of phishing has evolved greatly over the last several years. Once a spam-like email asking the recipient to click a link, today’s “phish” are targeted, highly personal and sophisticated. Hackers are conducting thorough background research to compile employee names, titles and contact information. Emails that include personal information are more likely to be taken seriously, meaning employees need to be much more vigilant when combing through their inboxes.
In today’s world of oversharing, it’s become much simpler for hackers to acquire personal information and understand organizational hierarchies. Social media profiles, in particular, are great fodder for would-be cyber criminals. With the modern-day ability to obtain private details and observe communication styles and patterns, hackers now have access to a variety of tools to mirror email addresses, website URLs and dialect. The end result is a criminal masquerading as a legitimate, trustworthy source.
Unintentional Risks Abound Beyond Social Engineering
Social engineering – broadly defined as any act of manipulation designed to obtain the confidential information or property of another party – continues to put firms at risk at the hands of sophisticated hackers. But beyond phishing schemes, there are a number of unintentional threats that can pose danger to a Fund Manager as a result of an employee’s actions or inactions, including:
Employees being too busy/rushed. Sometimes users are in too much of a rush to think through their actions. Perhaps an employee is expecting a package in the mail. When they happen to see an email that looks like it’s from a postal service, they click the link – without, of course, realizing it’s an elaborate phishing scheme.
Weak or shared passwords. Passwords are one of the easiest gateways for hackers to infiltrate a firm’s network. Passwords that contain basic user information (names, birthdates, kids’ names, etc.) are often easy to guess after a simple search of a user’s social media profiles. Organizations should enforce strong passwords, prompting users to change them at least every 90 days and ensuring they contain uppercase and lowercase letters, special characters and other unique requirements.
Poorly protected mobile devices. Users are responsible for ensuring the devices they use on behalf of their company are protected. Laptops and mobile devices should require strong passwords to access (see previous) and should not be left unlocked and unattended. Additionally, access to computer room infrastructure or backup tapes should be limited to only essential employees.
Improper disposal of hard copy documentation. If financial documents or other sensitive materials are left sitting on a printer or not disposed of properly, this poses another security risk to the firm.
Visitor access to the network. Providing non-password-protected guest Wi-Fi access or allowing visitors to access firm computers also opens the Fund Manager up to security threats. Organizations should keep strict visitor logs and ensure non-employees only have access to necessary information.
Lack of knowledge or security awareness training. The above threats may be unintentional, but they all can easily be avoided with comprehensive information security awareness.
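To make the password guidance above concrete, here is an added example (not code from the whitepaper or its authors) that checks a candidate password against the stated rules: uppercase and lowercase letters, a special character, no basic user details such as names, kids’ names or birthdates, and a 90-day rotation window. The 12-character minimum and the 4-character threshold for personal-detail tokens are assumptions; the user profile is constructed sample data.

```python
import re
from datetime import date

# The 90-day rotation window and the upper/lower/special-character rules come
# from the policy described above; MIN_LENGTH and MIN_PROFILE_TOKEN_LEN are
# assumed values for this example.
MAX_PASSWORD_AGE_DAYS = 90
MIN_LENGTH = 12
MIN_PROFILE_TOKEN_LEN = 4


def profile_tokens(profile: dict) -> set:
    """Split a user's known personal details (names, kids' names, birthdate)
    into lowercase tokens that a password must not contain."""
    tokens = set()
    for value in profile.values():
        for part in re.split(r"[\s,\-/.]+", str(value).lower()):
            if len(part) >= MIN_PROFILE_TOKEN_LEN:
                tokens.add(part)
    return tokens


def password_policy_violations(password: str, profile: dict) -> list:
    """Return the list of policy rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for token in sorted(profile_tokens(profile)):
        if token in lowered:
            problems.append(f"contains personal detail '{token}'")
    return problems


def rotation_overdue(last_changed_iso: str, today_iso: str) -> bool:
    """True when the password is older than the 90-day rotation window."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > MAX_PASSWORD_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample user, not real data.
    user = {"name": "Alice Morgan", "birthdate": "1985-07-14", "kids": "Oliver, Emma"}
    for candidate in ("Morgan1985!", "Oliver2024$$", "cR7#pm!q9Lz&wT"):
        print(candidate, password_policy_violations(candidate, user) or "OK")
    print("rotation overdue:", rotation_overdue("2015-01-01", "2015-05-01"))
```

The 90-day check mirrors the policy stated above; note that NIST SP 800-63B no longer recommends forcing periodic password changes without evidence of compromise, so firms may choose to drop that rule while keeping the personal-detail screen.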
Intentional Risks: Insider Threats & Disgruntled Employees
As outlined above, there are a number of instances in which employees unintentionally put their firm’s data at risk. But beyond naiveté and laziness, there are also employees who deliberately choose to attack their firms by way of stealing, compromising or deleting company confidential information. A disgruntled employee may have an axe to grind if he/she has recently been reprimanded or doesn’t agree with management decisions. Some employees may look for monetary gain if they have access to company financials such as credit card or wire transfer information. Others may look to share trade secrets or destroy a company’s reputation – perhaps for no reason at all. And, of course, there are those employees who will attempt to steal confidential information for their own personal gain.
Consider the high-profile case involving Goldman Sachs and its former employee, Sergey Aleynikov, in which Aleynikov was hired by Goldman Sachs in 2007 and, in conjunction with his acceptance of employment by a competitor, admittedly stole the code of Goldman’s high-frequency trading model with the intent to use such code to compete against Goldman itself. The dispute has still, as of the date of this writing, not been entirely resolved and has forced each party to expend enormous amounts of time, resources and money to deal with it. Many similar cases have since been reported, involving both sophisticated enterprises, including Highland Capital, Société Générale S.A. and Citadel, and other, less notable trading enterprises.
As has been clearly demonstrated, employees are often overlooked as a significant and visceral vulnerability when it comes to security. Ironically, the case can also be made for a firm’s employees to be its greatest cybersecurity asset. With the proper training, education and firm-wide support, employees can provide the most formidable and effective line of defense against everything from the savviest hackers to simple, everyday security exploits.