It's no secret that people overshare online — how many social media posts have you seen about what people had for breakfast or some other scrap of banal information? While the addiction to sharing is often innocuous, it can also have dire implications for cybersecurity, especially at a time when cybercriminals are actively scanning those details for footholds to infiltrate a company or organization.
Employees with access to sensitive company information need to remember that oversharing and failing to observe proper data protection protocols can lead to a devastating breach. The number one rule: If they see something suspicious, always report it immediately. Here are a few tips for ensuring your employees keep vital information safe.
1. Not Sharing Is Caring
The urge to share personal information online is understandable — we're naturally drawn to details about friends, family, and even total strangers, and we receive positive reinforcement through likes, comments, and other forms of engagement. While it's possible to share securely, the sheer amount of information that people publish on the Internet makes it much easier for hackers to leverage that information to manipulate victims and gain access to secure systems.
According to a survey conducted by Tessian, 90% of employees share personal and professional information on social media while almost one-third post business travel photos and updates. This gives cybercriminals a huge trove of information to exploit. Consider just a few examples: Employees often post pictures of their work badges, which contain serial numbers, barcodes, and other types of information that hackers can steal. They post pictures of boarding passes during business trips, which reveal passport numbers and contact information. And they make announcements about work trips and events, which tell cybercriminals where they'll be and for how long.
While public posts are a major source of exploitable information for cybercriminals, an even more pressing threat comes from hackers impersonating personnel within targeted companies to convince employees to send sensitive information voluntarily.
2. Beware "Insider" Threats
The most stubborn cybersecurity issue companies face is the consistent effectiveness of social engineering — a general type of cyberattack which works by convincing employees that they're communicating with a colleague, vendor, trusted website, or some other legitimate entity and manipulating them into divulging private information. The vast majority of successful cyberattacks use some form of social engineering, which is why employee education has become one of the most effective ways to keep companies secure.
Social engineering can take the form of either an internal or external threat. According to Verizon's "2021 Data Breach Investigations Report" (DBIR), internal cyberattacks constitute around one-fifth of breaches — a proportion that has decreased since 2018. However, the DBIR notes that external attacks "may initially resemble an internal threat … even though the call may be coming from inside the house, there is still a stranger on the line." This overlap between internal and external threats is why employees must be circumspect about any interaction that leads to a request for sensitive information — they should always ask for credentials, confirm the request is legitimate, and remember that the inconvenience of a delay is far less harmful than the consequences of a cyberattack.
Finally, if employees ever believe they have accidentally shared information with an actor who might pose a security threat, they shouldn't hesitate to report it. Doing so may be difficult and embarrassing but hoping the threat will go away on its own is far worse.
3. How to Be a Responsible Steward of Sensitive Information
The relentless success of social engineering attacks demonstrates that companies still have a long way to go to build cyber aware workforces. According to the FBI, the most common type of cybercrime is phishing, accounting for almost two and a half times more attacks than the nearest competitor. Meanwhile, by far the costliest type of attack is business email compromise (BEC) — the infiltration of an email account to either steal private information or trick employees into doing so by impersonating an authority figure.
Employees can avoid falling into these traps. First, they should remember that credential theft is among the most ubiquitous cyberattacks (according to this year's DBIR, stolen credentials were used in 61% of breaches). Second, they should avoid sending company information to outside locations such as personal email accounts. And third, they shouldn't overshare on social media or anywhere else.
Companies put a lot of faith in their employees when it comes to the management of sensitive information. While this is a weighty responsibility, it's also an empowering reminder that all employees can keep their organizations safe if they know which information needs to stay private, how to vet those they communicate with, and how to recognize a suspicious interaction. The employees who observe these guidelines will be capable of preventing cybercriminals from stealing valuable information and infiltrating their organizations.