It's a very modern problem
Cyber-attacks are increasingly focusing on using employees as a backdoor into businesses.
Through phishing emails, social engineering attacks and identity theft, employees are now finding themselves at the front-line of fending off attacks, according to Keith Marlow, Security Architect at ELMO Software.
“Most finance staff, for example, have encountered the 'emergency purchase order with payment to a new bank account' attack and similar techniques to obtain money by deception,” Marlow told HRD.
The problem is that with people's tendency to post more and more about themselves onto social media, it is also becoming easier for a motivated hacker to determine which business decision-makers to target with a greater likelihood of success.
“Employees are now being targeted to plant malware and unwittingly allow hackers to enter business infrastructure, where they can lie in wait for months for the right opportunity to arise. A sad reality is that hackers are also not above blackmailing employees,” said Marlow.
In the future, Marlow sees hackers utilising AI to speed up the attack cycle and allow them to engage in more large-scale social engineering-type attacks via multiple and simultaneous communication channels.
“Once they are able to gain someone's trust - or coerce it - they can then 'own' their role and their personal identity to get up to all sorts of mischief within a business and beyond.”
Marlow offers the following tips for organisations to ensure employee data is secure at all times:
Firstly, you must ensure that each employee has a distinct login to any service that holds employee data. Shared accounts and passwords should be banned within an organisation, because it is critical to know who is doing what, and when an employee leaves you need to be able to cut off their access.
Secondly, you must avoid passing around sensitive data by email or via other insecure mechanisms (like a USB thumb drive). The trouble here is that it is very easy for such data to be seen by the wrong person or even misplaced within an organisation, and there is nothing you can do after the fact to get it back.
Thirdly, if you must store such data on a shared drive or network storage, make sure that the drive is encrypted and only those who need to access it can. If the drive is stolen or it is replaced and the old drive goes missing, encryption offers an additional layer of protection.
Fourthly, when personal data is no longer needed, delete it. The tendency for businesses is to hang onto data on a 'just in case' basis, but personal data is often forgotten about and left to accumulate on shared drives and employees' laptops. This is a ticking privacy time bomb that could easily result in a Mandatory Breach Notification if a hacker were to get their hands on such data.
Once you are done with the data, always delete it and remember, you can always ask for it again if it is needed in the future. Alternatively, an organisation can avoid directly storing and manipulating employee data on their systems, enlisting help from an external service provider to manage ongoing security and employee data storage.