Employees are still the weakest link in IT security

Data theft has captured headlines over the past several years. As data and personal information move from file cabinets to the cloud, companies face an ever-growing threat from cybercriminals who want to steal and use personal and confidential information.

A recent Bloomberg Technology article documents an increase in security spending on hardware and software, as companies invest in protecting their information and systems.1 Unfortunately, that spending is unlikely to significantly reduce threats aimed at the most vulnerable part of a company's IT security: its employees. While the public's knowledge of IT security is improving, a large percentage of Americans still lack it in crucial areas. A recent Pew Research Center survey of Americans' cybersecurity knowledge found that:2

  • Only 54 percent of Americans were able to correctly identify multiple forms of phishing attacks.
  • 54 percent were unaware that email is NOT encrypted by default.
  • Only 48 percent were able to correctly define ransomware, one of the greatest current IT security risks.

The risk that an employee accidentally hands access to cybercriminals is always present, but there are preventive measures companies can put in place to reduce it.

Prevention and protection

One way companies mitigate this risk is by educating employees on social engineering tactics. Social engineering is deception: criminals exploit people's curiosity, helpfulness and inclination to trust others. Common social engineering techniques used to gain access to information include:

  • phishing emails — malicious emails intended to trick employees into divulging sensitive information, clicking a malicious link or entering credentials on a fake login page
  • spoofed emails — emails whose sender is disguised so the message appears to come from someone the recipient trusts (such as the CEO). The forgery may be the display name only, a lookalike domain, or the company's real domain sent through a mail system that does not enforce SPF, DKIM and DMARC; a familiar name is not proof of a legitimate sender.
  • USB drop — a criminal leaves a USB device loaded with malicious content where a curious employee will find it and plug it into a work computer
  • pretexting — a criminal researches an employee or company, then invents a believable scenario (the pretext) to establish trust and obtain sensitive information
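
Spoofed and lookalike senders leave traces in the message headers that a mail gateway or mailbox rule can check automatically. The following Python script is an added example, not code from the original article or from KraftCPAs; the trusted domain example.com, the protected executive name and the four sample messages are constructed for illustration. It parses the From, Reply-To and Authentication-Results headers and flags display-name impersonation, lookalike domains, Reply-To mismatches, and messages that claim the company's own domain without passing SPF/DKIM/DMARC results.

```python
"""Flag email messages that impersonate a trusted sender.

Added example (not from the original article). The trusted domain, the
executive display name and the sample messages below are all constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"   # assumed: the company's real mail domain
EXECUTIVES = {"jane doe"}         # assumed: display names attackers like to copy


def levenshtein(a, b):
    """Edit distance between two strings; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Lowercase, drop the TLD, fold digits that mimic letters (0->o, 1->l, 3->e, 5->s)."""
    label = domain.lower().rsplit(".", 1)[0]
    label = label.translate(str.maketrans("0135", "oles"))
    return re.sub(r"[^a-z]", "", label)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message):
    """Return a list of findings for one raw RFC 5322 message (empty list = looks clean)."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    auth = msg.get("Authentication-Results", "").lower()

    # 1. A protected display name on an address outside the company.
    if name.lower() in EXECUTIVES and domain != TRUSTED_DOMAIN:
        findings.append("display-name impersonation")
    # 2. A domain that only looks like ours (examp1e.com, exammple.com, example-mail.com).
    if domain and domain != TRUSTED_DOMAIN:
        seen, trusted = normalize(domain), normalize(TRUSTED_DOMAIN)
        if seen == trusted or trusted in seen or levenshtein(seen, trusted) <= 1:
            findings.append("lookalike domain")
    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != domain:
        findings.append("reply-to domain differs from From")
    # 4. Our own domain in From must be backed by passing SPF/DKIM/DMARC results.
    if domain == TRUSTED_DOMAIN:
        passed = re.search(r"\b(spf|dkim|dmarc)=pass\b", auth)
        failed = re.search(r"\b(spf|dkim|dmarc)=fail\b", auth)
        if failed or not passed:
            findings.append("sender domain not authenticated")
    return findings


# Constructed sample messages, one per case.
SAMPLES = {
    "legitimate": "\n".join([
        "From: Jane Doe <jane.doe@example.com>",
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
        " dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
        "Subject: Board deck",
        "",
        "Attached as discussed.",
    ]),
    "display_name": "\n".join([
        'From: "Jane Doe" <jane.doe@freemail.example>',
        "Reply-To: <ceo-urgent@another.example>",
        "Subject: Quick favor",
        "",
        "Are you at your desk? I need gift cards bought today.",
    ]),
    "lookalike": "\n".join([
        "From: Accounts Payable <ap@examp1e.com>",
        "Subject: Updated banking details",
        "",
        "Please use the new account for this month's payment.",
    ]),
    "forged_domain": "\n".join([
        "From: Jane Doe <jane.doe@example.com>",
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
        " dkim=none; dmarc=fail header.from=example.com",
        "Subject: Wire transfer",
        "",
        "Process the attached wire before noon.",
    ]),
}


def scan_samples():
    """Map each sample name to its findings."""
    return {label: analyze(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(f"{label:14} {findings or 'no findings'}")
```

Running the script prints the findings for each sample. The normalisation step folds digit-for-letter substitutions so the lookalike check compares letters rather than bytes, and the edit-distance threshold of one catches single-character typosquats without flagging every vaguely similar partner domain; a real deployment still needs an allowlist for legitimate domains that happen to contain the company name. The last check treats any message from the company's own domain that lacks passing authentication results as suspect, which is the right default at an inbound gateway but will also flag internal mail on systems that never add that header, so scope the rule to mail arriving from outside.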

To protect against these attacks, companies should require information security awareness training for all employees. The training should be ongoing and cover current social engineering tactics, and its effect should be measured, for example with periodic simulated phishing exercises. Delivery can combine face-to-face presentations, slide or video presentations, and timely, periodic email updates on social engineering trends.

Companies also need to be aware of how employee social media use can expose them to social engineering. Employees who post without caution may not realize that mentioning company clients, vendors, projects or internal tools gives criminals material for impersonation and pretexting. An adept criminal uses that information to craft convincing phishing or spoofed emails aimed at employees skimming their inboxes. It takes only one employee clicking a malicious link or giving out company or client information to create a security incident or legal issue. Security awareness training should therefore cover how social media use feeds social engineering attacks.

In addition to ongoing security training, an effective backup strategy helps ensure that a company's data can be restored. Backups should be tested regularly by actually restoring from them and confirming that the restored data is complete and intact; an untested backup is only a hope. Backups also protect companies from ransomware, malicious software frequently delivered through phishing and pretext attacks. Ransomware encrypts the files on an infected machine (and on any network shares it can reach) and demands payment for the key needed to regain access. For backups to help, at least one copy must be offline or otherwise unreachable from the infected systems; otherwise the ransomware encrypts the backups as well. With such a strategy in place, companies that fall victim to ransomware can restore their information without paying the ransom, saving time and money, not to mention a potential hit to the company's reputation.
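
A restore test is the only way to know a backup works, and a hash manifest recorded when the backup is taken lets the test tell a good copy from one that was quietly overwritten after ransomware ran. The following Python script is an added example, not code from the original article or from KraftCPAs; the directory layout, file contents and archive names are constructed inside a temporary directory. It backs up a directory to a compressed tar archive with a SHA-256 manifest, simulates ransomware replacing the source files, lets the scheduled job take a second backup after the infection, then restores both archives into clean directories and reports which files no longer match the known-good manifest.

```python
"""Back up a directory with a hash manifest and verify it by restoring.

Added example (not from the original article). All paths and file contents
below are constructed inside a temporary directory.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source, archive):
    """Write source into a .tar.gz and return the manifest recorded at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return manifest


def restore_and_verify(archive, manifest, dest):
    """Restore archive into dest; return the files whose restored digest differs from the manifest."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # rejects path traversal and unsafe members
        except TypeError:                         # older Python builds lack the filter argument
            tar.extractall(dest)
    restored = build_manifest(dest)
    return sorted(p for p in set(manifest) | set(restored)
                  if manifest.get(p) != restored.get(p))


def run_restore_test():
    """Return (mismatches for a clean backup, mismatches for a backup taken after infection)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "finance"
        (source / "notes").mkdir(parents=True)
        (source / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "notes" / "memo.txt").write_text("quarter-end close checklist\n")

        # Monday: a good backup plus the manifest that belongs to it.
        good_archive = tmp / "monday.tar.gz"
        manifest = backup(source, good_archive)

        # Constructed ransomware effect: every file replaced by ciphertext-like junk.
        for p in source.rglob("*"):
            if p.is_file():
                p.write_bytes(os.urandom(64))

        # Tuesday: the scheduled job keeps running and backs up the encrypted files.
        bad_archive = tmp / "tuesday.tar.gz"
        with tarfile.open(str(bad_archive), "w:gz") as tar:
            tar.add(str(source), arcname=".")

        clean = restore_and_verify(good_archive, manifest, tmp / "restore_monday")
        tainted = restore_and_verify(bad_archive, manifest, tmp / "restore_tuesday")
        return clean, tainted


if __name__ == "__main__":
    clean, tainted = run_restore_test()
    print("Monday backup mismatches:", clean or "none")
    print("Tuesday backup mismatches:", tainted or "none")
```

The Monday archive restores with no mismatches, while the Tuesday archive fails for every file, which is exactly what a backup job that kept running after infection looks like. The manifest is what makes the second result detectable: it must be stored somewhere the production systems cannot modify, for the same reason the backup copy itself must be offline or otherwise out of reach of the infected hosts.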

While these measures can help safeguard a company from criminal behavior, an independent social engineering test can provide companies with valuable insight into possible risks presented by their employees.

How KraftCPAs can help

Companies wanting to learn more about their systems' vulnerabilities and cyber risks can engage in a penetration test (pen test) or social engineering testing. Pen tests identify both external and internal vulnerabilities in a network. They also give companies insight into their employees' resistance to common methods of logical (remote) social engineering such as phishing and spoofing. Physical social engineering tests can also be performed for companies with multiple locations or physical security concerns. While companies can set up controls to protect their information and systems, it is ultimately up to their employees to keep confidential and sensitive information safe.

KraftCPAs has an in-house team of IT security professionals that performs external and internal pen tests, social engineering services, wireless and web application pen testing, as well as cybersecurity assessment services. Our professionals have various relevant credentials, including the GIAC Certified Penetration Tester (GPEN), Certified Ethical Hacker (C|EH), GIAC Security Essentials Certification (GSEC), Certified Information Systems Security Professional (CISSP), and the Certified in Risk and Information Systems Control (CRISC) certification. Call us today to learn more about these services.

1 Olga Kharif, "2016 Was a Record Year for Data Breaches," Bloomberg Technology, accessed June 20, 2017.
2 Kenneth Olmstead and Aaron Smith, "What the Public Knows About Cybersecurity," Pew Research Center, accessed June 20, 2017.
