Small and Medium Businesses – Remember: Your Own Employees Might Cause Cyber Compromise

Many small or medium businesses think they can do without a cybersecurity solution since they believe they cannot  fall prey to cybercriminals. However, the recent study reports that nearly 46% of all cyberattacks are targeted at SMBs. And, according to the data from the World Economic Forum,  95% of cybersecurity breaches are attributed to human error.

These figures claim that small and medium-sized businesses may be unaware that their employees could unintentionally – or even deliberately – cause harm to their company’s “well-being”. Some improper behavior might lead to financial losses, reputational damage or decreased productivity of the whole business.

Let’s explore how employees, their negligence, or vindictive feelings may affect cybersecurity or SMBs. In this article, Adrian Hia, Managing Director for APAC, Kaspersky shed light on these questions, and none of them will remain unanswered.

 Negligence isn’t bliss

According to the Kaspersky 2022 IT Security Economics survey, involving interviews with more than 3,000 IT security managers in 26 countries, about 22 percent of data leakages in the SMB sector were caused by employees. Almost the same proportion was due to cyberattacks, which, at some point, makes employees almost as dangerous as hackers. Of course, in most cases, this happens because of employee negligence or lack of awareness.

There are various ways that employees’ actions can unintentionally lead to serious security breaches and harm the cybersecurity of small and medium businesses. The main ones are:

1. Weak Passwords: Employees might use simple or easily guessed passwords, which could be effortlessly cracked by cybercriminals, ultimately resulting in unauthorized access to sensitive data. There’s even a list of the most hacked passwords – check to be sure yours is not among them.

2. Phishing Scams: Employees might accidentally or unknowingly click on phishing links in emails, leading to malware infections and unauthorized access to the network. Most scammers can mimic an email address supposedly belonging to a legitimate company, and when sending an email with an attached document or archive, it turns out to be a malware sample. A recent example is the Agent Tesla attack that affected users around the world.

Example of a mass malicious mailing message

Example of a mass malicious mailing message

3. Bring Your Own Device (BYOD) Policy: BYOD gained greater impetus as a result of the successive lockdowns during the height of the COVID-19 pandemic. At this time, staff in non-essential sectors were forced to work from home and business continuity, rather than security, was foremost in the minds of company managers.

Employees frequently use personal devices to connect to corporate networks, which can pose a serious security threat if these devices do not have adequate protection against cyber threats.

Given the fact that there are over 400,000 new malicious programs appearing every day, and the number of targeted attacks against companies is growing, businesses find themselves in a very dangerous situation. At the same time, the majority of companies are not planning (or find it impossible) to completely block personal devices from accessing corporate data.

Unprotected business data stored on a personal laptop that gets lost in the airport or a taxi is a typical nightmare of an unprepared IT department. A number of companies solve this by allowing employees to work only in the office on approved PCs with highly limited abilities to send data and a ban on using USB flash drives.

This approach, in fact, will not work in a BYOD-driven company. First, employees use their own computers for greater flexibility; but this should not mean that security is compromised. The ideal solution to the problem of losing devices is full or partial encryption of corporate data, enforced by a policy.

This way, even if a laptop or a USB Drive has been stolen, the data on it would not be accessible data without a password.

4. Lack of Patching: If employees use personal devices, IT staff may not be able to monitor the security of those devices or troubleshoot any security issues. Furthermore, the employees might not apply patches or updates to their systems and software regularly, leaving vulnerabilities that can be exploited by cybercriminals.

5. Ransomware: In case of ransomware attacks, it is important to back up your data – to have access to the encrypted information even if cybercriminals have managed to take over the company’s system.

6. Social Engineering: Employees might unintentionally provide sensitive information such as login details, passwords, or other confidential data in response to social engineering tactics or phishing scams.

Those more likely to be easily tricked are new employees who are unaware of the company’s “rituals”. For example, a scammer may pretend to be the “boss” to a newcomer, and then try to steal some important information about the company or extort money.

One example of the way scammers operate is by  sending an email posing as the boss or someone senior (using an unofficial address) asking the employee to do a task “right away”. The newbie will be happy to oblige.

The task might be, say, to transfer funds to a contractor or purchase gift certificates of a certain value. And the message makes clear that “speed is of the essence” and “you’ll be paid back by the end of the day”. Scammers highlight the urgency so as not to give the employee time to think or check with someone else.

These are mistakes that employees can make out of negligence. But what can happen when an employee deliberately seeks to undermine a company’s security while employed or right after leaving their job? More troubles may arise then.

Desire for revenge

Let’s begin with some statistics obtained by Kaspersky. Although innocent mistakes or ignoring cybersecurity policy were behind most leakages, security managers reported that around a third (36 percent) of employee-triggered leakages were deliberate acts of sabotage or espionage.

Kaspersky reported several issues relating to deliberate sabotage. One example occurred when a former medical device supplier sabotaged deliveries to customers: after being fired from their entity, a healthcare exec used a secret account to delay the shipping process.

Since the healthcare company was unable to deliver supplies on time, it was forced to shut down all business processes temporarily, and interruptions persisted even months later. In the end, the company resorted to contacting law-enforcement agencies.

Another case of this type was when an IT ex-employee filed a racial discrimination complaint against an organization. Once offered a relocation package, he refused; working remotely was one of his key conditions.

As a result, he was dismissed – and decided to take revenge on his employer. He changed the company’s Google account password, denying former colleagues email access, and blocking more than 2,000 students from receiving study materials.

These examples show how former employees, in the seek of revenge, might cause real harm to their once employer.

SMB needs some action – what should be done?

The high number of cyber incidents stemming from employee action shows all organizations need thorough cybersecurity awareness training to teach staff how to avoid common security mistakes.

Businesses should use endpoint protection with capabilities for threat detection and reaction to reduce the risk of attacks and data breaches. Managed protection services will also assist organizations with attack investigation and professional reaction.

To lessen the possibility of incidents brought on by employees, thorough cybersecurity awareness training that teaches how to prevent common security threats is also necessary.

To be truly assured that everything is fine with your firm’s cybersecurity, Kaspersky prepared a list of advice:

  • Use a protection solution for endpoints and mail servers with anti-phishing capabilities, to decrease the chance of infection through a phishing email.
  • Take key data protection measures. Always safeguard corporate data and devices, including switching on password protection, encrypting work devices, and ensuring data is backed up.
  • It is important to keep working devices physically safe – do not leave them unattended in public, always lock them, and use strong passwords and encryption software.
  • Even small companies should protect themselves from cyberthreats, regardless of whether employees work on corporate or personal devices. Kaspersky Small Office Security can be installed remotely and managed from the cloud; it doesn’t require much time, resources or specific knowledge for deployment and management.
  • Finding a dedicated solution for small and medium businesses with simple management and proven protection features; such as Kaspersky Endpoint Security Cloud. Alternatively, delegate cybersecurity maintenance to a service provider that can offer tailored protection.

By Adrian Hia, Managing Director for Asia Pacific at Kaspersky

Author: Terry KS

Share This Post On