What IT won’t tell you about workplace security
From elections being hacked to a rogue ransomware that managed to infect hundreds of thousands of computers across 150 countries in a matter of days, it's hard to tune into the news these days without hearing about some form of hacking or security issue.
As we come to rely on the internet for more — for commerce, politics, and social activities — you can be assured that the bad guys will keep getting more sophisticated in their attempts to compromise your security. Not that things aren't bad already — they are (as we revealed on TheBestVPN, there were 4,100 security breaches in 2016 alone, resulting in 4.2 billion stolen and exposed personal records).
Unfortunately, the role employees play in enabling these security issues is not small. The well-known eBay hack, in which hackers stole the data of 145 million eBay users, was the result of three key eBay employees being compromised, and the recent WannaCry malware, which is spreading at an unprecedented scale, started with just one person on a network opening the wrong attachment; from there it automatically spread to every computer on the network. IT would really love for you to play a more active role in security. They really want you to know these facts, but they don't know how to tell you:
1. Even With Your Antivirus and a Secure Password Manager, You Can Still be Hacked
To the average web user, once you have a very reliable antivirus application and a good password manager, nothing could go wrong. After all, the antivirus automatically screens everything that goes through your computer, and the password manager automatically generates passwords — using a combination of strange characters — that you couldn't have imagined in a million years. IT would really like you to know that this does not make your security sacrosanct. In fact, the way things are set up today, most malware and exploits are delivered through the web and email, and your firewall already allows both of these channels (otherwise you wouldn't really be able to use the internet!).
Experts have also found that most password managers are not as secure as many would expect them to be. In fact, the team at TeamSIK analyzed all of the top password managers and reached the following conclusion:
"The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks."
This doesn't mean you shouldn't use an antivirus and a password manager. You should, because not using them could be much more dangerous. However, you should use them alongside other security measures.
2. It Sucks to Update Your Device, but It's One of the Most Effective Forms of Protection Against Being Hacked
The most recent ransomware making the rounds is WannaCry, which took down hundreds of thousands of computers in 150 countries in a matter of days. The ransomware works by searching for and encrypting 176 different file types and asking users to pay $300 to have their files decrypted. If payment isn't made within three days, the amount requested is doubled. If payment is not made within seven days, the files are deleted.
What's interesting about WannaCry and many other types of ransomware is how they spread: WannaCry exploits a critical vulnerability in Windows computers, then uses that same vulnerability to spread to other computers on the same network — in other words, you're likely to be infected once any computer on your organization's network is infected.
The interesting fact about WannaCry, as well as most other forms of malware, is that they usually target weak and vulnerable computers, and they are most effective if you haven't updated your computer in a long time. Microsoft had released a fix for the vulnerability WannaCry exploited two months before the ransomware appeared, yet hundreds of thousands of people were affected because they hadn't updated their computers.
IT wants you to know that as much as you hate to update your computer, doing so will really save you and them a lot of worry and money.
3. Backups are Boring, Yes, But You Can't Live Without Them
The biggest threat to any organization is data loss, and IT can't emphasize this enough. When you really think about it, the majority of the exploits and ransomware making the rounds these days are all doing the same thing: withholding your data and threatening to delete it if you do not meet their demands. It is worth realizing that it doesn't necessarily take a hacker to destroy your data; hard drives naturally fail, and data loss occasionally occurs on its own. In fact, research shows that hard drive crashes and hardware problems are responsible for 66 percent of data loss — in essence, your hard drive is more likely to crash than you are to be hacked. Even Google is not immune: in 2015, lightning struck one of Google's data centers in Belgium and wiped data from some of its disks, resulting in the permanent loss of some data.
If you don't back up already, IT can't wait to tell you just how important it is. More importantly, they can't wait to tell you how essential it is to back up to more than one location.
4. Bringing Your Own Device is Not As Safe as You Think it Is
IT really doesn't want to infringe on your freedom or restrict you, but bringing your own device isn't exactly as safe as you'd imagine. Going back to the earlier point that antivirus software and password managers are not enough to secure your computer, bringing your own device (BYOD) automatically increases your employer's security risk.
Research shows that in organizations with a BYOD policy, 80 percent of BYOD use is completely unmanaged, and 77 percent of employees do not know the risks that come with using their own devices in the workplace. If your workplace has a good security team, the company's devices are far better protected than your personal ones. If you bring your own device, take more active measures to ensure it is secure; better yet, reach out to someone in IT to learn what you should know about accessing the company network with your device.
John Mason is a tech and internet security expert as well as partner at TheBestVPN.com, a leading portal that shares information on VPNs and online security.