Managers who bemoan employees’ use of the internet for purposes other than work might have more to worry about than just a lack of productivity or efficiency.
The things employees do during business hours could pose serious risks of exposure to cyberattack.
At the Nonprofit Risk Management Center 2016 Risk Summit, Jim Jackson and Paul Henry, director of campus operations and IT and network administrator/engineer, respectively, of Momentous Institute, outlined risky behaviors that could give outsiders a way in, grouped by the type of connection and where it is used.
- Office (LAN/WLAN) connection. Location: employee office, cubicle, or public space on company/organization property. Risks: writing down passwords and storing them in an easily accessible location; and giving guests login credentials for an organization’s private WLAN.
- Public wireless (WLAN) and VPN connection. Location: public facility off organization property (coffee shop, airport, hotel, etc.). Risks: connecting to an open unencrypted network; connecting to a public network with a shared password; Man-in-the-Middle (MITM) attack/Evil Twin AP/SSID spoofing; eavesdropping/sniffing; and session hijacking.
- Mobile connection (cellular) network. Location: anywhere and everywhere. Risks: cellular networks are vulnerable to attack; there are actually people with the specialized equipment necessary; and the SS7 hack.
- Private personal computer. Location: home. Risks: the computer is completely outside the organization’s control; there is no way of knowing if a computer is secure; end-to-end encryption does no good if the computer is infected with a virus; and keyloggers can steal login credentials, even those that are being sent over an encrypted connection.