The Most Common Cybersecurity Risks Employees Face At Work

In most cybersecurity matters, hackers tend to target employers. However, what are the threats employees face, and what can they do to prevent themselves from becoming victims?

According to a Clark School study at the University of Maryland, an attack by hackers on computers with internet access occurs once every 39 seconds. These attacks affect one in three Americans every year, with 43 per cent of these attacks targeting small businesses.

The study also found that 95 per cent of security breaches are due to human error and cyber criminals and hackers tend to look for the weakest link in employees. In 2020 and 2021, the healthcare industry was a prime target for hackers because of the high demand for patient data.

On the black market, such data can fetch a high amount of money, and there have been occurrences where hackers would attempt to sell stolen patient data information back to the hospitals.

The impact of these attacks is so significant, IBM’s executive chairman Ginni Rometty called cybercrime the greatest threat to every company in the world.

Regardless of the industry, employees and companies everywhere can be targeted for cybersecurity attacks, which makes cybersecurity education extremely important.

Through this article, we’ll share;

  • What counts as a cybersecurity risk;
  • Examples of different cybersecurity risks;
  • How employees can protect themselves;
  • What businesses can do to protect employees.

What counts as a cybersecurity risk?

Any incident counts as a cybersecurity risk for a company if it leads to the loss of sensitive information such as employee and customer data, reputational harm, and the loss of assets such as funds or stocks.

Improve your employee engagement

Improve your employee engagement in less than two minutes

Get started for free today.

Free sign up

Cybersecurity risks generally involve corporate devices, but hackers can also target employees’ personal devices.

Examples of cybersecurity risks

There are multiple types of cybersecurity risks. Here are some which affect companies and their employees.

Social engineering attacks

A social engineering attack occurs when a scammer employs psychological manipulation to force their victims into revealing information about themselves or the people around them.

There are many types of social engineering attacks. These attacks include using social media, phishing, and impersonations. These scammers often use cyberbullying tactics to pressure their victims into giving up information.

Employees need to protect themselves from cyberbullying and social engineering attacks on social media by making their accounts private and reporting all cyberbullying attacks when they occur. Do not engage with the hacker to avoid further complications.

Ransomware attacks

As its name suggests, ransomware attacks involve a hacker stealing an employee’s files or data and holding it ransom. To do this, an attacker infiltrates a device and locks it, so users have to pay if they want to access their files.

Earlier this year, one of the most prominent ransomware groups in the world, Conti, announced they were shutting down. In their heyday, the group allegedly stole over 700 GB worth of unencrypted files, including patient information, financial statements, and contracts, from Ireland’s Health Services in two weeks.

Distributed denial of service (DDoS)

A DDoS occurs when thousands or even millions of machines, known as botnets, flood a server with requests to prevent users from being able to use their devices properly.

Security company Cisco predicts that DDoS attacks will double from 7.9 million in 2018 to over 15 million by the end of 2023. The company also expects hackers will create more giant botnets, making it easier for them to take down large companies and enterprises.

Man-in-the-middle attacks (MiTM)

A MiTM involves attackers positioning themselves between a user and an internet server. Each time a user enters an address, password, or other personal information, they share that data with the attacker instead. For example, a hacker might create a fake Wi-Fi network that’s free to access to try and bait people into using them.

Software-as-a-service (SaaS) applications like messaging tools, cloud servers, and remote work applications can also serve as entryways for MiTM attacks, as they’re commonly used by employees—especially those who work remotely.

Compromised passwords

Passwords and other essential credentials are some of the hackers’ most sought-after types of information. The Verizon 2021 Data Breach Investigations Report revealed that leaked passwords are the main reasons behind company hacks. The report shared that 61 per cent of data breaches in 2021 were accredited to compromised passwords.

One of the most popular ways hackers steal passwords is through phishing scams that can occur through email, text messages, and social media. Through phishing, hackers will send a link or attachment to their victims and, if clicked on, will lead victims to a website where they’ll have to key in their personal details.

Insider attacks

While insider attacks are not as common as other forms of cybersecurity threats, they could still occur, and their effects could be brutal.

Through insider attacks, the perpetrator has leverage because they’re from the company and readily have access to information. The attacker then leaks information about the company to a competitor or reveals damning information that could ruin the company’s reputation to the press.

A report from Cybersecurity Insiders in 2021 showed that incidents occurring through insider threats have increased by 47 per cent between 2018 and 2020. The information also shared that 57 per cent of organisations feel that insider attacks became more frequent in the past 12 months.

Lack of cybersecurity training

Some companies and organisations might be too small to afford basic cybersecurity training for their employees. As such, employees won’t be fully aware of what to do should they encounter a cybersecurity threat.

Without proper training, employees risk jeopardising their personal information and putting their employers are risk.

Workplace surveillance

Last year, Pollfish and ExpressVPN ran a study that surveyed 2,000 employers and 2,000 employees who work in remote or hybrid environments. The survey found that 69 per cent of employers felt uneasy about allowing employees to work remotely because they can’t observe them and their work in person. Additionally, 59 per cent of employers say they don’t trust their employees to work without digital supervision.

While some level of workplace surveillance might be acceptable, over-surveillance could signal a negative corporate culture and lead to workplace unhappiness.

How can employees protect themselves

While businesses can take precautions to protect their employees and their work, it’s also essential for employees to understand they have a pivotal role to play in a cybersecurity strategy. Employees, too, are at risk of having their data and personal information compromised if they don’t play their part in protecting themselves.

Back up all your files

Backing up your data and files on an online cloud server or an external hard drive could be a lifesaver should you become a victim of a data breach or hack.

Ideally, you should back up your data regularly. If you’re using an online cloud storage service, check if the service offers automatic backups. Alternatively, set calendar reminders to update passwords manually every few weeks.

Avoid accessing company accounts on public Wi-Fi

Public Wi-Fi is often insecure, making it a hotbed for nefarious threat actors to attempt MiTM and phishing attacks that can result in your credit card info being stolen.

A survey conducted by BullGuard revealed that over a third of public Wi-Fi users log into personal accounts that require passwords. At the same time, over 22 per cent made credit card transactions, and 31 per cent logged into their online banking accounts. These are the types of information hackers on public Wi-Fi are looking to steal.

Limit personal information on work devices

Employees should generally refrain from sharing personal information and data with their colleagues and managers on work and third-party applications.

Employees could consider purchasing a secondary phone for work to protect their privacy. With an additional phone, employees can better distinguish between their work and personal life. Plus, they’ll be able to avoid giving away their personal numbers to others.

Stay vigilant

Encourage employees to be vigilant and aware of cybersecurity news that may affect the company. A workforce with a healthy level of skepticism will more likely report cybersecurity threats and lower the likelihood of scammers breaching defences.

Always report suspicious interactions

If you’ve received a suspicious email, call, or text message, always report it to your company’s IT or cybersecurity department – if one exists. Otherwise, report it directly on the platform you’ve received the threatening or suspicious message.

How businesses can protect employees from cybersecurity risks

How can businesses protect themselves and their employees without a huge IT department or an experienced third-party contractor? Here are a few manageable steps businesses can take:

Provide basic cybersecurity training

Giving employees a crash course on the basics of cybersecurity could improve their confidence in managing technology. Some basic training topics typically include recognising phishing and spam emails, creating strong passwords, and equipping employees with the right tools to handle suspicious emails and interactions. Companies could integrate such training during the onboarding process for new hires to take it one step further.

Alternatively, there are plenty of online courses from providers like Coursera and Udemy that companies could sign up for to educate employees on the basics of cybersecurity.

For remote workers, companies could also create a digital guide on ways they could keep themselves safe from cybercriminals while working anywhere in the world. They could refer them to cybersecurity awareness articles.

Enable multi-factor authentication

Multi-factor authentication (MFA) is a program that strengthens an account’s security measures. Instead of simply keying in their passwords, users will need to verify their identity by entering an additional code sent via text or email, using a third-party authentication application, or scanning their biometric features like their fingerprint or face.

Manage access for employees better

Services like Okta and 1Password make it easier for businesses to grant systems access and applications to authorised users only. These identity management services generally require a subscription, and depending on the subscription tier, companies can set specific permissions per employee, too.

Many tips and software could make project management, time tracking, and scheduling more accessible for a remote team. Companies could benefit from researching these tools to determine what’s best for them.

Engage employees better

The COVID-19 pandemic has stressed the importance for businesses to communicate better with their employees.

While companies might fear that productivity and quality of work might suffer when employees work remotely, it’s worth thinking about employee happiness and the importance of implementing better cybersecurity measures.

In Summary

Cybersecurity and IT risks may seem daunting and challenging to manage, but it’s not impossible to do so. Both companies and employees have a role to play in safeguarding their cybersecurity and ensuring their cybersecurity strategy is dynamic enough to handle different security threats.

Ultimately, companies will need to stress the importance of cybersecurity and cybersecurity training for their employees. On the other hand, employees will need to apply their learnings from such training in the workplace and always report suspicious activity if they spot it.

About the Author

Jane C is a content marketer and freelance writer. Previously, she worked in various publications before moving into content marketing. Now, she writes about privacy, technology, and virtual private networks.

Team 6Q

Team 6Q