Human Error in Cybersecurity Breaches

Running a business is difficult work. There are so many factors you need to consider. One area of business that’s become increasingly important is cybersecurity. Cyber-attacks are on the rise, so you’ll need to do everything you can to protect your company.

Cybercriminals are always looking for ways they can exploit organizations. One of the main ways they like to manipulate people is by taking advantage of human error. So, what exactly is human error in cybersecurity, and how can you protect your company?

This article explains some of the different kinds of human error that affect cybersecurity and offers security tips to help keep your company safe.

 

Physical Security Errors

Many people don’t consider physical security a part of cybersecurity. However, cybercriminals often resort to “real-world tactics” as companies are increasingly paying attention to things like firewalls, antivirus software, and data backups. If a criminal can physically get into your company property, they can damage your digital infrastructure. For example, they could install new keyboards that log keystrokes, insert malicious USB sticks into workstations, or simply walk out with sensitive hardware.

Letting unauthorized people into your company offices is a significant human error that can compromise your organization’s security. Given that this type of error could lead to a significant security breach, you’ll need to take measures to minimize this threat. For example, you might require employee swipe cards or use specific keys or access codes to enter the premises. You also need to ensure your employees know that letting unauthorized people into the offices poses a risk to the organization.

Another physical security error is when employees don’t properly secure the site. For example, they might go home without locking doors properly. This could allow unauthorized people to get in and access the computer systems. You can mitigate these kinds of problems by having clear expectations and responsibilities laid out. Everyone should know basic security rules and know who is responsible for locking up the property at the end of the workday.

 

Skill-Based Errors

In small-to-medium-sized businesses, people often make skill-based errors. This is when someone performs a task incorrectly, potentially causing a security risk. For example, a worker might fail to correctly set up antivirus software on their workstation. Or they might turn off the antivirus protection entirely. You can minimize these skill-based errors by reducing the control workers have over their workstations. You should have clear administrator privileges set up. This means people won’t be able to tamper with the antivirus software unless they work for the IT department.

Skill-based errors don’t necessarily happen because an employee is incompetent. These errors often occur because an employee is tired or distracted. This means you can reduce skill-based mistakes by making sure your workers are not fatigued or overworked.

This type of error can also occur when employees don’t have the correct training or if they’ve been dishonest about their level of experience. As an employer, you must always ensure your workers have the skills they need to do the job. If your employees’ IT skills are lacking, you should consider training seminars or training courses. Not only will this help protect your company against cyber-attacks, but it will also help your workers develop their skills and become better professionals.

 

Decision-Based Errors

Decision-based errors are another kind of error that could impact business protection. This is when an employee makes a decision that leads to a security issue. For example, someone might open a file that installs ransomware on the company network. Someone could also plug in a USB stick that was infected with a virus.

If you want to reduce decision-based errors in your workplace, you need to prevent people from making poor security decisions. This means your staff will need to understand security risks well. You can do this by having security seminars and a clear security policy in your employee handbook.

Another solution is to have systems in place that prevent risky behavior. For example, you might prevent people from being able to plug in USB sticks or open EXE files.

 

Misdelivery

Misdelivery is a form of human error where someone sends files, documents, or information to the wrong person. This can be a significant problem if your company deals with confidential data. If misdelivery occurs, you’ll need to disclose the data breach to your customers, which could impact your company’s reputation and lead to less business in the future.

You can combat this by ensuring there are clear procedures for working with confidential information and ensuring you are compliant with security standards.

 

Password Problems

Another form of human error relates to passwords. Everyone knows that you need to have unique, strong passwords, but few people put this into practice. In fact, around 56% of people reuse the same password across multiple services.

When people do this with their work account, it introduces a problem. You can’t control what your workers do in their personal lives. If someone is using the same password at home and on their personal accounts, it’s a significant risk. If hackers get into their personal account using their password, it’s possible they will try the password across other services. This will enable hackers to breach your systems.

One of the best ways to deal with this is by having a good password policy. Having mandatory password changes every few months makes it much less likely that people will use the same passwords they use in their personal life.

Another potential solution is using multi-factor authentication. This is when you need both your password and a verification code to log on. When you input your password, a verification code is sent to a second device or service. For example, you might receive the code as a cell phone text message.

This is a great policy as it eliminates a lot of the risk of human error. Even if hackers have an employee’s password, they still can’t break in without the code.
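
The second step described above, sketched as an added example (not code from the original article): after the password check succeeds, the server issues a short-lived, single-use code and allows only a few guesses. The class and function names, the 5-minute lifetime, the 3-attempt limit and the `send` callback are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_ATTEMPTS = 3        # assumed number of guesses allowed per code


class SecondFactor:
    """Issues and checks one-time verification codes after the password step."""

    def __init__(self, send):
        self._send = send    # callable(user, code) that delivers the code, e.g. by text message
        self._pending = {}   # user -> [code digest, expiry time, attempts left]

    @staticmethod
    def _digest(code):
        # Keep a digest rather than the plain code. This is defence in depth only:
        # a 6-digit space is small, so expiry and the attempt limit do the real work.
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        # Issuing a new code replaces any older pending code for this user.
        self._pending[user] = [self._digest(code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send(user, code)

    def verify(self, user, code, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, already used, or locked out
        digest, expires_at, _ = entry
        if now > expires_at:
            del self._pending[user]           # expired codes are discarded
            return False
        entry[2] -= 1                         # every guess costs one attempt
        ok = hmac.compare_digest(self._digest(code), digest)
        if ok or entry[2] == 0:
            del self._pending[user]           # single use, and lockout after the last guess
        return ok


def login(password_ok, mfa, user, code, now=None):
    """Both factors are required; a wrong password never reaches the code check."""
    return password_ok and mfa.verify(user, code, now)


if __name__ == "__main__":
    outbox = {}  # constructed stand-in for the employee's phone
    mfa = SecondFactor(lambda user, code: outbox.__setitem__(user, code))
    mfa.issue("alice")
    print("stolen password, guessed code:", login(True, mfa, "alice", "not-it"))
    print("password plus delivered code: ", login(True, mfa, "alice", outbox["alice"]))
```
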

 

Social Engineering

Another way hackers use human error to their advantage is through social engineering. Social engineering is when hackers use clever psychological tricks to manipulate people into compromising their security.

For example, someone might call an employee pretending to be the CEO. If the employee falls for this technique, it’s a serious human error. Social engineering is very prevalent because it exploits well-known weaknesses in human psychology. These attacks often convey a sense of critical urgency. If a situation feels urgent, people are much more likely to make a mistake and compromise on security.

In the last decade, most companies have stepped up their game in terms of cybersecurity. Most companies run robust firewalls and antivirus software, but none of this matters if a hacker uses social engineering techniques. Social engineering techniques are so prevalent in cybercrime that some statistics suggest hackers use social engineering in around 98% of attacks. The only way to protect your company is to make sure your employees understand how these attacks work.

The only real solution here is to have frequent security training. Your employees need to recognize social engineering and have someone they can report suspicious behavior to.

Human error is much more likely if people feel their reports won’t be taken seriously or if they’ll get in trouble for reporting a false positive. Creating a strong security culture in your organization is the best way to reduce human errors.

 

Take the Necessary Steps to Reduce Human Error

To conclude, you need to understand that some level of human error is inevitable. With that said, this article has shown there are many measures you can take to reduce the risk. You can have strong security policies, set up permissions systems, and create a strong security culture.

 

Of course, setting up strong cyber defenses is a very complex task. The world of cybersecurity is constantly changing, and it’s a full-time job in itself to monitor emerging threats.

With this in mind, working with a managed IT services company makes a lot of sense to help safeguard your company. If you want to work with such a company, contact us today and take the first steps in protecting against human error and securing your business.

Pegasus Spyware: The Zero-Click Spyware Infecting Smartphones

Pegasus Spyware: The Basics

Back in June, it was discovered that Pegasus Spyware, specifically developed to track criminals and terrorists, made its way to more than 50,000 phone numbers, some of which included heads of state governments, presidents, and prime ministers. Because this spyware was discovered on the devices of the world’s elite, everyday smartphone users are left wondering if this spyware is lurking within their devices and if it is, how they can detect it and remove it. Below, we’ll dive into Pegasus Spyware, helping you determine your risk and what you can do if you’ve been infected. 

Spyware is something that the world has known about since 1995, introduced as an interchangeable word to refer to adware and malware. It wasn’t until the turn of the century that spyware started to evolve, becoming one of the most dangerous threats on the web. In 2021, spyware has become a whole new beast, especially as the global use of electronics, specifically cell phones, is on the rise. 

 

What is Pegasus Spyware?

Pegasus is advanced spyware created by Israel’s renowned technology firm, NSO Group. Specifically designed to target smartphones, Pegasus doesn’t discriminate, creating a risk for all devices within the platform trifecta: Android, iOS, and BlackBerry.

Like other types of spyware, Pegasus is designed to gain access to devices. While other traditional spyware is mainly acquired via mobile vulnerabilities, Pegasus is installable on devices via apps like WhatsApp, leaving no traces behind. Other spyware usually requires the installation of a malicious app (primarily via jailbreaking and rooting) or the click of a malicious link that leads to the installation of spyware on the device.

Pegasus is so powerful because it requires the user to do nothing, taking advantage of a known vulnerability in apps like iMessage. Once embedded into a device, Pegasus spyware can access all apps, including those with access to real-time details like cameras and microphones. It’s not easily detectable and can linger in devices long enough to collect sensitive information.

 

Who might be vulnerable to it?

According to statements from the NSO Group, the only entities with access to Pegasus software are “the military, law enforcement, and intelligence agencies from countries with good human rights records.” Though their intentions might be good, that didn’t keep some countries from restricting use, including the United States and France.

Those who may be more vulnerable are activists, journalists, businesspeople, known criminals, government leaders and anyone connected to them who is suspected of a crime. Currently, NSO Group is not releasing its client list, so it’s unclear whether or not those who are vulnerable or targeted are regulated.

Because of these spyware discoveries, Pegasus spyware is starting to get a negative reputation across the globe, with many world leaders concerned about their privacy and national security. Apple is among the first platforms to sue NSO Group, though others are expected to follow suit. When notified about the lawsuit and the implications they were facing, NSO Group did not admit to any wrongdoing and claimed that neither their product nor their procedures were breaking any law. In fact, they pointed out their strong suit, claiming “authorities combat criminals and terrorists who take advantage of encryption technology to avoid detection.”

 

How does it infiltrate a phone?

Pegasus spyware is more sophisticated than other types of spyware, able to infect devices without user interaction. Pegasus works by targeting zero-day vulnerabilities, which are vulnerabilities that cybersecurity experts are not yet familiar with. The attack is considered zero-click and typically infects smartphones with vulnerable apps.

Recently, Apple discovered that the spyware was targeting iOS messenger because of a vulnerability not yet patched. Because there is no user involvement required and no noticeable changes to infected devices, it can be difficult to detect. At the moment, there doesn’t seem to be a tool to directly detect Pegasus spyware, though there are ways to understand risk.

Assessment of risk is perhaps the most aggressive measure against Pegasus spyware, though users can do other things to detect its presence on their device.

 

How can someone detect Pegasus Spyware?

There is some good news for those who have a smartphone and are worried about the presence of spyware. Though 50,000 numbers have been listed as infected, it is not just an ordinary list of people. Those 50,000 were linked to several government officials, political activists, journalists, and those involved in their country’s politics.

That means that most smartphone users are excluded, though that doesn’t make most feel at ease. Spyware of any kind can infect devices, which is why it’s helpful to know how to detect it. Due to Pegasus spyware’s sophistication, it’s not detectable with just any antivirus, leaving users to seek other detection methods.

One popular method of detection that works on all devices is Amnesty International Mobile Verification Toolkit.

This toolkit is compatible with Linux and macOS, searching the device for unknown items that could represent a malware infection. Because news of this spyware is novel, it’s not yet set up to work 100%. While it will not detect Pegasus spyware directly, it alerts smartphone users of “indicators of compromise,” showing an infection on the device. 

Though Amnesty International’s toolkit seems promising, cybercriminals are always trying to stay one step ahead in their methods of defeat. Word of a recent campaign to trick users looking for a way to protect their devices hit newsstands in early October, with a group of cybercriminals disguising themselves as Amnesty International. For those looking for a way to detect Pegasus spyware on their device, Amnesty International is a safe bet. However, they should only inquire about information from the actual website and avoid clicking any unknown third-party links.

An additional option for iOS users that shows promise for detecting Pegasus spyware is Apple’s very own iMazing. This optional scan was created to scan devices to provide evidence of spyware. Installing it on devices is simple and comes with a guided process that takes about 30 minutes. iMazing will scan each app on the device and check for malicious content, creating a detailed report that users can access to find out whether or not they have items on their device that require attention. 

 

How can it affect security?

Spyware is different from other types of attacks in that it turns the cell phone into a surveillance device. The longer that spyware is left on a device, the more information it can gather and the more harm it can potentially cause. A few of the most common security implications due to Pegasus software include copying and sending private messages, recording phone calls, and collecting photos both taken on the device and received from messages and apps.

Pegasus can even gain access to users’ microphones and cameras, spying on users without their knowledge. Because of this powerful ability, users with Pegasus spyware installed on their device could have someone monitoring their phone calls and starting the device’s camera without their knowledge, falling victim to severe implications if any wrongdoing is suspected.

For most smartphone users, access to such information will not lead to criminal action, though it could cause issues with loved ones or professionally. However, because Pegasus targets criminals, world leaders, and other important figures across the globe, some captured information could lead to further investigations.

Apart from the ability to monitor those who might cause harm, Pegasus spyware could create danger if the information is passed into the wrong hands. National and international security could be in harm’s way, and other sensitive details could result in increased criminal activity. Companies too could face implications if collected information falls into the wrong hands, with others able to predict their next move.

Because of these serious security implications, companies are taking action, including global giants like Amazon. They, like others, are making moves to restrict and even shut down services linked to Pegasus spyware. Though companies are taking action on their own, cybersecurity experts are closely monitoring for increased malicious activity and attempting to stop further infections of Pegasus spyware until proper regulations can be put in place.

 

Can Pegasus Spyware be removed from a device?

Because this spyware is new, sophisticated, and not very well understood, there is not currently a removal solution. These zero-day vulnerabilities created with help from knowledgeable cybercriminals are very difficult to patch until developers find a solution to mitigate them. Even though it’s not removable at the moment, there are some ways that those who are at risk for Pegasus spyware (and any other spyware) can protect themselves.

One of the most effective defenses is active and frequent monitoring of devices, including regular scans to detect suspicious activity. The more active users are running scans and monitoring all activity, the better they will be at detecting spyware and stopping it before it can infect devices and escape without being noticed. In addition to a plan to scan and monitor, users can take other precautions, a few of which we’ll mention below.

 

Securing your Device

Since smartphones are targeted by Pegasus spyware, users should first secure their devices. There are several ways that users can do this, including keeping their devices updated with the latest version, updating all apps when necessary, and getting on a monitoring and scanning schedule.

Frequent monitoring is recommended, with regular users running scans at least once a week. This should ensure that there is no new suspicious activity or installations that could indicate a security breach.

 

Securing your Data

In addition to protecting devices, it is recommended that companies protect their data. Data is one of the most valuable targets online, with data breaches reaching all-time highs in 2020 and expected to continue to increase in 2021 and 2022. Smartphone users are encouraged to protect their data by managing their permissions in all apps (especially those with access to sensitive details) and ensuring that all passwords are up to date and secure.

Mobile phones often ask for permissions to access apps and other connected devices, which could lead to an additional vulnerability. If there is sensitive information on any device connected to a smartphone, users are encouraged to avoid permitting access to prevent further complications and risks.

 

Securing your Network

It’s not just about securing mobile devices but also the network to which they are connected. In 2021, most areas feature free wi-fi, though users don’t always consider risks. Public network attacks are on the rise as more and more smartphone users demand access to wi-fi on the go.

There are several ways users can protect themselves and their network, including utilizing advanced security suites that protect each layer. Frequent monitoring of networks and scanning for unknown connections and devices is one place to start, helping users understand if something needs their attention.

It’s not just necessary to protect from known attacks but also to have the capability to protect and prevent zero-day attacks too. These days, users are encouraged to use antivirus and other security tools that can help isolate and patch attacks with help from automation.

 

Pegasus spyware protection

Because Pegasus spyware is linked to two apps, it’s recommended that users take steps to disable each of them if possible. The two most common attacks have been with WhatsApp and iMessage, both of which can be disabled by users.

Pegasus is different than other spyware and can infect systems without user interaction, so at this time, there is not a specific fix. For now, it’s recommended to keep internet access secure, limit others’ access to devices, get on a scanning schedule to check for vulnerabilities, stay up to date on the latest iPhone and Android news, and update when necessary to prevent access.

Are you concerned about the cybersecurity of your company? Edge Networks can help! If you’d like to find out how your company is performing and isolate weaknesses in your cyber defenses, schedule a call with us or take our free, self-guided IT Security Risk Assessment.

How to Maintain the Cybersecurity of Your Remote Workers

The Sudden Jump to Remote Work: The Need For the Cybersecurity of Your Remote Workers

In August 2020, Malwarebytes (PDF) released a report including data from a survey conducted with 200 IT and cybersecurity professionals examining the impact of COVID-19 in the security world. They found that over 50% of IT employers stated their biggest work from home (WFH) challenge was training remote workers to work at home most securely and compliantly.
 
This daunting challenge is shared by many, from IT professionals to small-business owners.  You can’t escape the cybersecurity risks of working from home because there are always security issues with working remotely. However, with the quick jump from working in an office space to working remotely, many employees were undoubtedly left even more vulnerable to cyberattacks than before.
 
Although there is no way to ensure your team is 100% secure, we want to share a few working from home cyber security best practices and remote employee security tips to help you and your team stay protected.

Work from Home Security Tip #1: Educate Your Employees

Working remotely places more responsibility on individual employees to ensure security, but you should never assume they know the slightest thing about cybersecurity. Creating a plan to focus on cybersecurity for remote workers will help you in the long run. In an ideal world, security would be everyone’s responsibility, but that’s not the case when employees feel they are already overwhelmed with their current responsibilities. 

 

Set and Communicate Expectations 

Add that to the chaos of working from a distraction-filled home, where there may be children running around, a dog that needs walking, or a quick chore that needs to get done. It’s difficult for anyone to keep cybersecurity at the forefront of their mind with the endless distractions when working from home.
This is where you come in to provide helpful resources and clear expectations to ensure your company’s security in the form of education and a solid work from home security policy.
Setting clear expectations for remote employees doesn’t have to be complicated. It can be as simple as sending an email or as detailed as a remote working security policy they’re required to sign. Just remember, it should be easily accessible and clearly outline the company’s expectations as they work from home, including security guidelines, plans, and policies.

Phishing and Malware

Many people think cybersecurity attacks aren’t a real threat to them until it’s too late. Cybercriminals adapt along with the world’s current events and will take any opportunity to get what they want. A more recent example of this is with COVID-19.
When the second round of stimulus checks was approved, the IRS warned that scammers may reach out through text messages, social media, phone calls, and emails to disclose personal or bank information. These scammers would often use words such as “stimulus” and “coronavirus” and offer opportunities to invest in companies producing COVID-19 vaccines.
This serves as a great example to remind your employees to avoid phishing scams and malware, which are as high a risk as ever when working from home. Remember that there are many affordable resources available to help you manage IT security problems like phishing and ransomware attacks, such as KnowBe4 or Proofpoint, and the cost is worth your peace of mind.

Password Management

Did you know that in 2019, compromised passwords were responsible for 81% of hacking-related breaches? Good password management practices can save you a lot of money, time, and heartache in the long run. Always train your employees to practice good password management.
A secure password includes:  
8-Character minimum length
Both upper and lowercase letters
At least one number
At least one special character
When possible, enable multi-factor authentication for an extra step of security. Schedule an annual password audit, never reuse old passwords, and don’t post your password in an unsecured location (such as in your device’s “notes” app, programmed as a device contact, or in an unsecured Excel file). A great way to ensure cybersecurity for remote workers is to keep passwords secure by using a password manager, such as Dashlane, LastPass, or 1Password, to keep your passwords in one place and create unique passwords for every account.
Remember that your employees have a lot going on outside of work, and you can’t expect them to become cybersecurity professionals overnight.
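
The composition rules and the "never reuse old passwords" advice above can be enforced together at password-change time. The following is an added example, not code from the original article; the function and class names, the use of `string.punctuation` as the set of special characters, and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8               # minimum length from the list above
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def policy_violations(password):
    """Return the composition rules from the list above that `password` fails."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # Assumption: "special character" means ASCII punctuation.
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def _derive(password, salt):
    # Salted, slow hash so the history never stores passwords in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Remembers salted hashes of earlier passwords to block reuse."""

    def __init__(self):
        self._entries = []  # list of (salt, digest) pairs

    def remember(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, _derive(password, salt)))

    def was_used(self, password):
        hit = False
        for salt, digest in self._entries:
            # Each entry has its own salt, so the candidate is re-derived per entry.
            if hmac.compare_digest(_derive(password, salt), digest):
                hit = True
        return hit


def change_password(history, new_password):
    """Accept the new password only if it meets the rules and is not a repeat.

    Returns the list of problems; an empty list means the change was accepted.
    """
    problems = policy_violations(new_password)
    if not problems and history.was_used(new_password):
        problems.append("matches a previously used password")
    if not problems:
        history.remember(new_password)
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    # Constructed sample passwords, for illustration only.
    for candidate in ["password", "Winter#2024x", "Winter#2024x", "Spring#2025y"]:
        print(repr(candidate), "->", change_password(history, candidate) or "accepted")
```
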

Work from Home Security Tip #2: Ensure Device Security

The good news is that many employers were able to supply their staff with devices to work remotely. The bad news is that not many employees were trained in caring for and ensuring the security of these devices. One of the most critical things you can do as an employer is to encourage your employees to have good work from home security awareness and to keep their devices secure through updated software, regulated personal devices, and avoiding unsecured networks.

Up-to-Date Software

Software updates can seem like a nuisance at times. It’s easy to click “Remind Me Later” when prompted to update, but doing so can leave you vulnerable to attacks. Cyber threats are continually changing, which means operating system providers need to release regular updates to combat and keep on top of them. When you update your software regularly, the data on your devices is less vulnerable to compromise.
One of the best ways to ensure your software is updated is by enabling automatic updates when possible. This takes the stress of manually updating off you and allows the system to update on its own, usually late at night when you most likely won’t be using it. If automatic updates aren’t possible, you can set a reminder to do it when you’re home from work or about to get in bed, so it can be updated by the time you need your device again.

Personal Device Use

Another critical factor in the security of your devices is understanding and regulating personal device use. Personal devices can be easily compromised, which is why it’s startling that 48% of workers use the same passwords in both their personal and work accounts. Workers also seem to be prioritizing the security of their personal accounts over their work accounts, according to LastPass’ Psychology of Passwords global report (PDF).
What this means for you is that your employees’ flawed security behaviors or complacency with password management can likely extend into your business. Make sure you take the time to create a remote working security policy for company devices and educate your employees about how they should use them. One should only use their work-issued laptop for work-related business and avoid similarities in their personal and professional passwords, which can quickly lead to a company data breach, creating more security issues with working remotely.

Avoid unsecured Wi-Fi Networks

According to the 2019 State of Remote Work report from Buffer, the second most common location employees work from is coffee shops and cafes at 37%, with the first being working from home. While coffee shops and cafes can be a great environment for productivity with a change of scenery and great coffee a few feet away, it’s important to remember cybersecurity risks can be even more prominent with unsecured Wi-Fi networks.
Never trust networks that are not password-protected. If the network does request a password, you should still remain vigilant. It’s not difficult for someone to find out the network password at a local coffee shop and create a fake connection with the same password to steal personal user data. If possible, use a Virtual Private Network (VPN), which means cyber criminals can’t read your data, even if they gain access to it.
VPNs are great, but many of them have been put through recent stress with more and more remote workers using the network, slowing it down. If your policy allows it, and if you’re confident the network you’re using is secure, consider unloading the VPN and only using it when necessary.

Work from Home Security Tip #3: Support Your Team

The final way to ensure your employees are secure at home is by supporting your team. You can’t expect your team to know the ins and outs of cybersecurity (or even the basics) without learning how to maintain security for remote employees yourself. After that, you can provide support, education, and resources for your team.

IT Support

Even if you make every employee go through cybersecurity training or sign a policy, cyberattacks can still occur. You should provide vigilant IT support and make sure your company is prepared to respond to a data breach or security incident at any time.
Additionally, you should also consider investing in a cloud-based service and secure collaboration and communication channels for your team to help keep work things in one place for everyone.

Adjust Your Expectations

The COVID-19 pandemic has thrown a curveball at us all. Many people have had to give up things they love because of it. Whatever it may be, it’s essential to adjust your expectations and understand that many people are struggling right now.
According to the Mental Health Index: U.S. Worker Edition, between November and December 2020, there was a 48% increase in the risk of depression, and employees’ focus dropped 62% – a record low since the start of the research in February 2020.

 

Remember that now more than ever before, your role requires you to listen, be patient, and expect changes in employee performance during this time.

The COVID-19 pandemic has required businesses to reevaluate how they approach many things, including cybersecurity. Cybersecurity in itself is a difficult topic to tackle, and even more so when you consider how to maintain security when employees work remotely. The best way you can help ensure your team’s security at home is by educating your team, ensuring device security, and providing support for your employees. 

Are you concerned about the cybersecurity of your company’s remote environment? Edge Networks can help! Take our free, self-guided IT Security Risk Assessment, or contact us today for a free, 30-minute consultation.