Well-Intentioned Employees May be Your Greatest Cybersecurity Risk

July 16, 2021


As employees navigate returning to the office, continued work-from-home situations and new hybrid workplaces, ransomware hustlers are salivating.


That’s because all threat actors thrive on confusion. And what a confusing time it has been. In many ways, the chaos sparked by the pandemic remains, heightening the opportunity for the planet’s hackers.


For small businesses, the danger from ransomware has reached new levels. Not necessarily because they are core targets (although some very much are), but because small and midsized businesses (SMBs) increasingly rely on a patchwork quilt of vulnerable third-party providers to deliver exceptional end user experiences. To a cybercriminal, those providers spell S.C.A.L.E.


Hackers are devious, but they’re not stupid. Like their legitimate counterparts, they value efficiency. If breaching one business yields the personally identifiable information (PII) of a few thousand consumers and another yields the PII of a few million, which basket would get your business’s eggs?


Because of this environment, SMBs must pay just as much attention to their partners’ cybersecurity strategy as to their own. While those of us in highly regulated industries are no strangers to vendor risk management, many SMBs in less restricted or emerging sectors may have some work to do to get up to speed on the practice.


This is not to say SMBs can ignore their own cybersecurity controls. A decentralized network stood up to support a remote workforce puts every device connected to it at risk.


In conjunction with regular backups, strategic segmentation of critical systems, deployment of multi-factor authentication and continuous patching of known vulnerabilities, employee training can be one of the most effective ransomware-fighting weapons in the SMB’s arsenal. Ransomware attacks are almost always successful because of human error, not technology failure.


The most valuable employee training extends beyond the enterprise, shedding light on best practices for personal cybersecurity. This is so important today, as the lines between work and home are blurrier than ever. (How many people are finishing up their online grocery order while simultaneously chatting online with a colleague?)


According to Kaspersky Lab, 90 percent of corporate data breaches in the cloud can be traced to social engineering attacks on targeted employees. Bank Iowa has consulted on numerous cases of financial fraud that started out this way. A CFO gets an emailed request “from the CEO” to wire money to an account ASAP. It looks legitimate because the CEO references being out of town at XYZ Conference, which the CEO actually is attending. How did the crook who is spoofing the CEO’s email know? Because it’s all over LinkedIn.


This kind of attack has been working well for cybercriminals for years; now layer in the challenge that colleagues are interacting less because they are in the office fewer days of the week, if any at all. IT directors and similar leaders, too, are having their emails spoofed. The crook sends out directions to “download this update” ironically disguised as a security patch. Remote employees believe it, click it and the nightmare that is ransomware begins.
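The spoofed-executive mail described in this and the preceding paragraph (a “CEO” asking for an urgent wire, an “IT director” pushing a fake update) is something a mail gateway or a SOC rule can screen for before it ever reaches the remote employee. The following is an added example, not code from the article or from Bank Iowa: it checks the From display name against an executive roster, the sender domain against the company’s own domain (and near-miss lookalikes of it), and Reply-To redirection, and only then weighs pressure language in the body. The organization domain `example-bank.test`, the roster, and the three sample messages are all constructed for the demonstration.

```python
"""Screen inbound mail for executive impersonation (added example, constructed data)."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "example-bank.test"                 # constructed placeholder for the company's mail domain
EXECUTIVES = {"jane doe": "CEO",                 # constructed roster of names worth impersonating
              "sam lee": "IT director"}
URGENCY_WORDS = ("asap", "urgent", "wire", "immediately", "gift card")


def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; inputs are short, so a plain DP is enough."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """A domain that is not ours but sits within two edits of it (examp1e-bank vs example-bank)."""
    return domain != ORG_DOMAIN and 0 < edit_distance(domain, ORG_DOMAIN) <= 2


def body_text(msg):
    """Plain-text body of a parsed message, decoded leniently."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode(errors="replace")
    return (msg.get_payload(decode=True) or b"").decode(errors="replace")


def impersonation_findings(raw_message):
    """Return human-readable reasons this mail looks like executive impersonation ([] if clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    norm_name = " ".join(name.lower().split())
    findings = []

    # A known executive's name on a message that did not come from our domain.
    if norm_name in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append(f"display name '{name}' matches our {EXECUTIVES[norm_name]} "
                        f"but the sender domain is '{from_domain}'")
    # Typosquatted copy of our own domain, regardless of the display name.
    if is_lookalike(from_domain):
        findings.append(f"sender domain '{from_domain}' is a lookalike of '{ORG_DOMAIN}'")
    # Replies silently routed somewhere other than the apparent sender.
    for _, reply_to in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply_to) != from_domain:
            findings.append(f"Reply-To '{reply_to}' routes answers away from the sender's domain")
    # Pressure language only counts once the sender already looks wrong, to limit false positives.
    if findings:
        text = body_text(msg).lower()
        hits = [w for w in URGENCY_WORDS if w in text]
        if hits:
            findings.append("pressure language: " + ", ".join(hits))
    return findings


SAMPLE_MAIL = [  # constructed messages, not captured traffic
    "From: Jane Doe <jane.doe@example-bank.test>\nTo: cfo@example-bank.test\n"
    "Subject: Q3 budget\n\nCan we review the Q3 numbers on Monday?\n",
    "From: Jane Doe <jane.doe.exec@webmail-free.test>\nReply-To: jane.doe.exec@webmail-free.test\n"
    "To: cfo@example-bank.test\nSubject: Urgent\n\n"
    "I'm at XYZ Conference. Please wire $48,500 to the vendor account ASAP.\n",
    "From: Sam Lee <slee@examp1e-bank.test>\nTo: staff@example-bank.test\n"
    "Subject: Security patch\n\nAll remote staff: download this update today.\n",
]


def scan(messages=SAMPLE_MAIL):
    """Map message index -> findings for every message that raised at least one."""
    flagged = {}
    for i, raw in enumerate(messages):
        findings = impersonation_findings(raw)
        if findings:
            flagged[i] = findings
    return flagged


if __name__ == "__main__":
    for i, reasons in scan().items():
        print(f"message {i}:")
        for r in reasons:
            print("  -", r)
```

On the constructed set, the genuine budget note from the CEO passes, the wire request is flagged for an outside sender domain plus pressure language, and the fake patch notice is flagged both for impersonating the IT director and for the one-character lookalike domain. In production the roster and domain would come from the directory, and a hit would drive a banner or quarantine rather than a print statement.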


In most cases, employees ensnared in these traps are simply doing what they think is right. They are helping out the boss or following the request of a respected colleague. Sadly, good intentions do not protect businesses from cyberattacks.


With the myriad challenges of running and growing a business in a post-pandemic environment, why should leaders prioritize advancing cybersecurity strategy? Several reasons, but one stands out for me as a technology leader working for a purpose-driven company. Beyond protecting against financial, operational and reputational risk, advancing an SMB’s cybersecurity measures keeps the customer at the center of everything. All businesses, large and small, have a responsibility to protect their customers’ data. Incorporating this value into training can go a long way toward earning the attention and engagement of employees. It may also help identify the best third-party providers, as cultural alignment can be the secret sauce that takes a partnership from good to great. And, at the end of the day, it’s simply the right thing to do.


Dustin Caldwell is director of information technology for Bank Iowa. As such, he manages strategy and direction of the bank’s IT function, facilitating partnerships in banking and information services, managing internal and external projects and maintaining the bank’s technology infrastructure. He can be reached at dcaldwell@bankiowa.bank. Member FDIC.