There is no question we are living in a changing world. The simpler days of security are behind us. Gone are the days when protecting your business meant simply setting the alarm system, locking the front door and turning on some lights; effectively shutting out the risks that could harm a business. Physical barriers – the fences, walls and doors – that have long been an effective way of protecting a company’s employees, assets and inventory are no longer the solution.
Businesses are increasingly facing threats from both within and outside the organization. In today’s digital world, those barriers do not block the signals entering and leaving the facility. The information highway has many entrance and exit points. Even CCTV systems are vulnerable to hacking which gives bad actors direct access into a facility. The business is effectively at risk 24/7 from multi-pronged attacks by outside actors, hackers, scam artists and employees themselves.
An often-overlooked risk (and also a resource) is employees themselves. Employees have become the proverbial “fox in the henhouse”, either through deliberate actions or complacency. This spells trouble for naïve, inadvertent or unprepared businesses.
A lack of understanding of the systems available to protect businesses, of the technology in use, and of employee motivations and loyalties further erodes the physical and digital infrastructures that can help protect a business.
What is at risk?
A company becomes successful because of what makes it unique from other businesses in the same field. Any threat to this uniqueness can challenge the future of the company such as the following:
Brand reputation through embarrassing leaks, data leaks, employee actions. Disgruntled or terminated employees may use accumulated information against the business as retribution.
A shutdown of critical systems through malware or ransomware attacks.
Liability through customer data breaches or employee actions.
Loss of proprietary information, research and development projects or industry intelligence.
Loss of competitive advantage if price lists, processes, business models and future plans become public knowledge.
Bad publicity through the personal or deliberate actions by employees.
Insurance claims, civil litigation and criminal prosecution either as a result of internal issues or information obtained internally that can be used against the business during proceedings.
The truth is, the risks can be described as doom and gloom or the new reality… the only real difference being that “doom and gloom” is two words and “reality” is one… there is no other discernible difference.
Bring your own device
One of the most prevalent changes in business/employee relationships is the increasing use of the Bring Your Own Device (BYOD) model, where employees provide their own smartphones to do double duty as both their personal device and their work phone. This can help reduce costs and encourages employees to be available outside of normal business hours, but it can also increase risks and reduce productivity, since the employee has their personal world (albeit digital) at their fingertips.
Consider this: virtually every employee in your company, whether or not they use their laptops or smart phones for business purposes, carry with them a camera and audio recorder that can be used at a moment’s notice. An employee can surreptitiously record conversations with their managers and co-workers, they can photograph what they perceive to be labour board or code violations, thereby effectively “building a case” against workplace conditions, treatment by management and co-workers and other concerns.
These devices are only as secure as the skill and judgement of the user, who may make poor decisions in the use of their phones. As most people keep their devices with them at all times, they may take them to places that do not have stringent security protocols, such as the homes of family and friends and public Wi-Fi hotspots.
This presents a number of problems:
Data theft. If you let your employees use their own devices unchecked, it’s likely that some of the personal applications they use are not as stringent with their security requirements. Do they have virus protection? Devices could be siphoning proprietary company data through malicious apps and uploading it to a remote server. Employees can also be stealing critical corporate intellectual property without ever leaving their chair.
In days past, internal theft most often involved cash or tangible assets or inventory. With virtually all employees now carrying a camera in their possession, this has expanded the risk to a whole new level. Employees can now surreptitiously photograph or record anything within the workplace and capture proprietary information to take away with them.
Legal problems. Employers have no control over an employee’s personal device. They cannot legally access it to remove software, photos, emails or other business-related content. Where previously an employee was required to surrender a key issued to them when leaving their position, businesses may now have no recourse regarding the wealth of information an employee has accumulated. More on this later.
Lost or stolen devices containing company information. A laptop stolen from the back of a car can contain years of work.
Insufficient employee training. Oftentimes, employees do not see the big picture or the consequence of the actions (or inaction).
IT oversight. IT departments face additional burden as they have to be fully versed in a wide variety of devices, operating systems and OS-specific software differences.
Shadow IT. Shadow IT refers to information technology systems used by departments other than the central IT department as a workaround for the shortcomings of the company’s central information systems.
Improper mobile management. To increase productivity and to function within the construct of the business’ operation, devices are often loaded with company software, data and communication channels. Often, it is left up to the employee to ensure that devices are updated with the latest software, leaving unpatched devices exposed to attack.
Employees can leave for other companies taking customer lists, price schedules, policies and procedures with them.
Loss of productivity through time spent surfing the internet and social media and posting to social media accounts. This also translates into bandwidth theft.
Brand sabotage. Employees have the best opportunity to gather information that can be used against the business. They can also inadvertently damage a company’s brand by posting from the workplace with views that do not reflect the organization. This is especially true with social media accounts such as Facebook or Twitter when a user’s employer is directly linked to them. There have been examples of employees posting derogatory content from company social media accounts that expressed views not reflecting the organization.
External threats
Devices can become an attack surface for malware, viruses and ransomware infections. When those devices connect with the company network, the infections can then spread through the network and can potentially access data and sabotage/damage systems.
For the most part, viruses, malware and ransomware are almost always “invited” into the network, either through a poorly designed firewall, tricking employees into opening or clicking on malicious documents or links or through connecting compromised devices to the company network.
Phishing, spear phishing and whale phishing are types of email used to target the general population (phishing), a specific individual (spear phishing) or a high-profile wealthy, powerful or prominent individual (whale phishing).
Social Engineering. Through well planned pretexts, employees can be convinced to reveal network passwords. One common low-tech method of network infiltration is a tactic that targets an employee’s curiosity. Bad actors will drop USB flash drives in the company parking lot at lunch time. Employees will find these and bring them into the workplace, plug them into their computers to see what’s on them while unknowingly introducing malware or ransomware into the network. Skilled pretexts can also be used to reveal internal network names, credentials and log-ins.
Distributed Denial of Service (DDoS) attacks. A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
What can be done?
Businesses should conduct a robust threat assessment with a certified, knowledgeable and external resource to identify and quantify internal threats vs. external threats.
Businesses must introduce a multi-layered defence starting with proper pre-employment pre-screening to ensure that employees are properly identified and vetted. Employees should be engaged, vested, well trained and loyal to the business and its goals.
Companies need comprehensive internal protocols starting from an acceptable use policy for digital devices. The policy must extend beyond the workplace to ensure that your company’s data and proprietary information is safeguarded at all times.
Regardless of a company’s product, employees can be their greatest asset and greatest liability. It is important to invest in your employees. To this end, it is common for companies to have a rigorous onboarding process when employees first join a firm. A part of this process should include orientation with respect to digital safety and security guidelines.
A digital use policy should include the requirement that all devices have the latest software and patches installed as they become available. Such a policy also provides employees with rules and guidelines about the appropriate use of company equipment, network and Internet access. It should also require proper password management, with complex, unique passwords for every log-in.
A Bring Your Own Device policy should include guidelines as to data ownership and the company’s right to access and wipe company data from the device upon departure or at any other time.
On an employee’s departure, an exit interview should be conducted with a series of comprehensive auditable steps to ensure that all access has been disabled and all key departments and team members are informed. If a BYOD policy is in place, then devices should be wiped of any company data and software.
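The exit-interview step above calls for a series of comprehensive, auditable checks confirming that all access has been disabled and that company data has been wiped from any BYOD device. The following script is an added example (not part of the original article) of what such an audit can look like in practice: it takes a departing user, their departure date and a snapshot of account and device state across systems, and produces a pass/fail report. Every system name, username and record here is constructed sample data; the list of expected systems stands in for whatever inventory a real company keeps.

```python
"""
Offboarding access audit (added example, not from the article).

Models the auditable offboarding steps the article recommends:
- every account of the departing user must be disabled,
- no login may have occurred after the departure date,
- every device they own must have company data wiped,
- every system on the expected inventory must actually be verified
  (a missing record is an unverified step, not a pass).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class Account:
    system: str          # constructed system name, e.g. "vpn"
    username: str
    enabled: bool
    last_login: datetime


@dataclass(frozen=True)
class Device:
    owner: str
    device_id: str       # constructed identifier
    company_owned: bool
    company_data_wiped: bool


@dataclass
class AuditResult:
    user: str
    open_accounts: List[Account]
    logins_after_departure: List[Account]
    unwiped_devices: List[Device]
    unverified_systems: List[str]

    @property
    def passed(self) -> bool:
        # Any open account, late login, unwiped device or unverified
        # system means the offboarding is incomplete.
        return not (self.open_accounts or self.logins_after_departure
                    or self.unwiped_devices or self.unverified_systems)


def audit_offboarding(user: str, departure: datetime, expected_systems: List[str],
                      accounts: List[Account], devices: List[Device]) -> AuditResult:
    """Compare the current snapshot against what a complete offboarding requires."""
    mine = [a for a in accounts if a.username.lower() == user.lower()]
    seen = {a.system for a in mine}
    return AuditResult(
        user=user,
        open_accounts=[a for a in mine if a.enabled],
        logins_after_departure=[a for a in mine if a.last_login > departure],
        unwiped_devices=[d for d in devices
                         if d.owner.lower() == user.lower() and not d.company_data_wiped],
        unverified_systems=[s for s in expected_systems if s not in seen],
    )


def format_report(result: AuditResult) -> List[str]:
    """Render the audit as lines suitable for an offboarding record."""
    lines = [f"Offboarding audit for {result.user}: {'PASS' if result.passed else 'FAIL'}"]
    for a in result.open_accounts:
        lines.append(f"  OPEN ACCOUNT    {a.system}: still enabled")
    for a in result.logins_after_departure:
        lines.append(f"  LATE LOGIN      {a.system}: last login {a.last_login.date()} after departure")
    for d in result.unwiped_devices:
        kind = "company" if d.company_owned else "personal (BYOD)"
        lines.append(f"  UNWIPED DEVICE  {d.device_id} ({kind})")
    for s in result.unverified_systems:
        lines.append(f"  UNVERIFIED      {s}: no account record found")
    return lines


# Constructed sample snapshot: jdoe left on 2024-03-01.
DEPARTURE = datetime(2024, 3, 1)
EXPECTED_SYSTEMS = ["email", "vpn", "crm", "building-badge"]
ACCOUNTS = [
    Account("email", "jdoe", False, datetime(2024, 2, 28)),
    Account("vpn", "jdoe", True, datetime(2024, 3, 3)),    # still enabled, used after departure
    Account("crm", "jdoe", False, datetime(2024, 2, 20)),
    Account("vpn", "asmith", True, datetime(2024, 3, 4)),  # unrelated current employee
]
DEVICES = [
    Device("jdoe", "laptop-0042", True, True),
    Device("jdoe", "phone-jdoe-1", False, False),            # BYOD phone not yet wiped
]


def sample_audit() -> AuditResult:
    return audit_offboarding("jdoe", DEPARTURE, EXPECTED_SYSTEMS, ACCOUNTS, DEVICES)


if __name__ == "__main__":
    print("\n".join(format_report(sample_audit())))
```

The design choice worth noting is that a system with no record for the user is reported as unverified rather than silently treated as clean; an audit that can pass by omission is not auditable.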
One obvious solution that would require an initial cost outlay but could prevent future issues would be to provide employees with company devices, preloaded with company software, updated to the latest versions and with built-in monitoring and kill switches.
Originally published by the Council of International Investigators in their magazine, The Councilor, 2022 Q1