What does the Facebook debacle tell us about workplace security?
SecurEnvoy, 17/05/2018, Security
Data breaches are getting a lot of press of late, most notably due to the Facebook / Cambridge Analytica Fiasco that has seen Mark Zuckerberg up in front of a senate select committee to explain the company’s actions and treatment of data.
I’m sure many of us in the IT security industry were less surprised than some of the senators about what information Facebook and other sites collect on their users, and what they do with it.
Sometimes one has to ask the question: what do you expect when you use a service such as a social media application for free? They need to earn money one way or another, and the obvious way of doing that is through their users' data.
But what was perhaps more of a wake-up call was that the debate certainly shed light on quite how laissez-faire many people are with their personal information and how naïve they are about what the implications of that may be: they’re happy to share information in online quizzes, give their mobile apps access to the contact lists and photos held on their phones, and even share the routes they take when going jogging or cycling.
While you can argue that everyone’s free to do what they like with their personal information, the challenge for employers is how to stop these attitudes infiltrating the workplace. With BYOD policies increasingly becoming the norm, it’s difficult to manage what mobile apps have the potential to access professional networks, and it can be equally difficult to change behaviours.
An employee with a blasé approach to data protection can become more than a simple frustration – they can be the cause of serious financial or reputational damage to the business. Weak or re-used passwords, sharing logins with colleagues, or transferring sensitive data via email or USB stick are all easy pickings for any would-be attacker. Unfortunately, they’re also present to some extent in almost every business.
So how do you protect yourself from these behaviours?
We’d like to think that any additional security starts with education: changing behaviours is an important first step in securing your business from the harm of employee negligence but it can’t and shouldn’t be the only step.
Staff are still a key target – and a productive one at that – for attacks against businesses, with 7.3% of users targeted being successfully phished (DBIR 2017). In some sectors – healthcare and retail, where credit card and health data are of great value to hackers – that rate worryingly reached double figures. While those stats might seem a little alarmist, they underline the level of exposure to threats all businesses face. A successfully phished employee with weak or reused passwords could open up your entire network to unknown third parties, leaving you open to attack, theft or ransom.
But how do you add the requisite security to prevent the poor habits of a few staff members without making the rest of the team feel like they’re working in Fort Knox?
Many of our clients have found that implementing a Multifactor Authentication solution such as SecurAccess enables them to do just that. With an interface that is incredibly intuitive – and familiar to anyone with a smartphone – SecurAccess allows staff to confirm their identity easily and securely, while putting appropriate safeguards in place not only to prevent initial access by third parties, but also to restrict known users’ access to the areas they need to be in. Not only does this prevent ‘bad apples’ from accessing and misusing data they shouldn’t, it also secures against the impacts of phishing, with controls in place that restrict lateral movement within the system should an employee’s account be compromised.
A lot of people have been reminded very publicly how easy it is to lose control of their personal information. Make sure your business learns from the Facebook debacle and both educates its employees and protects itself against their poor behaviour. To find out how we can help you do just that, email us at firstname.lastname@example.org and one of the team will be right back in touch.