Lessons from tax season: 4 tips for preventing cyberattacks on the workforce
Effective, ongoing security operations depend on technology, process and people working together. And of these three factors, people are most often cited as the source of an enterprise’s greatest risk. The scams targeting employees during this recent tax season serve as a sobering reminder of the significant security risks workers unknowingly pose to their organizations.
Many data breaches are the result of phishing scams. According to the 2016 Verizon Data Breach Report, 30 percent of phishing emails were opened, up from 23 percent reported last year. Over the past year, the IRS has seen a 400 percent uptick in phishing and malware scams that use social engineering to trick users into giving away valuable personal information to scammers often posing as government or tax officials.
In one common tax-related phishing attack, scammers created fake emails that appear to come from the Taxpayer Advocacy Panel regarding a tax refund. The messages request detailed personal information, such as Social Security numbers or W-2 forms. Other scams target the human resources or payroll department with, for example, an email asking for employees’ information that appears to come from a company executive. Both of these scams prey on workers’ lack of awareness of ever-evolving cyber threats.
Unfortunately, clicking on links in phishing emails isn’t the only risky behavior in which employees engage. They download cloud apps to increase productivity without knowing the risks and without the IT department’s knowledge (this is also known as shadow IT). And the risk of browsing the Internet has expanded; an organization isn’t just at risk when the employee visits a “shady” website; now, ad networks even on reputable sites may try to install malicious code. These issues are especially troublesome for the public sector because government employees have insider knowledge and access to valuable data.
How can government agencies protect themselves from the increasing security risks targeting staff? Here are four best practices for supporting employees’ technology choices while mitigating security risks:
1. Leverage two-factor authentication.
Eliminate the risk of hijacked credentials with multifactor authentication, which layers a password, security token and biometrics to confirm identity. This is becoming a popular best practice for enterprise cloud applications such as Office 365, Salesforce and ServiceNow, and is increasingly built into many consumer cloud applications.
2. Adopt insider threat detection and response programs.
Agencies must be able to distinguish abnormal user behavior from a baseline of normal behavior. By tapping into technologies that can deliver advanced user behavior analytics, security professionals can continuously monitor accounts and block threatening activity.
3. Don’t ignore shadow IT.
Shadow IT is rapidly growing and has the potential to introduce serious risk to the organization. A recent Blue Coat report found that 1 in 10 broadly shared files in cloud apps expose sensitive and regulated data, creating significant financial risk. For the second half of 2015, the company calculated a potential financial impact of $1.9 million on the average organization from the leakage of its sensitive cloud data.
In order to stay on top of shadow IT, enterprises should introduce cloud security capabilities that give them insight into the cloud applications used within their agencies. Further, line-of-business leaders should proactively support security measures as they adopt cloud applications.
4. Educate the workforce.
In many security breaches, victims do not grasp how the technology they use can be exploited. Basic education on the identification of phishing messages, the risks of cloud applications, responsible Wi-Fi usage and credential protection can reduce incident exposure.