Why should I lock my work computer and how does it protect my company?
Picture this scenario that I’m guessing you’ve experienced before: you’re typing away at your computer when your manager asks you to swing by their desk to check out something related to the project you’ve been working on.
You get up to head over – this project has been your main focus lately, so keeping it moving forward is crucial – and then you pause as you are about to leave your desk. You’ve left your computer unlocked.
IT always tells you how important it is to lock your computer whenever you leave it but there’s no one visiting the office today and you’ll just be gone for a few minutes. There are plenty of other employees around, so it’s probably not a huge deal, right?
That pause and line of thinking is why I wanted to write this post.
The idea that, if you don’t lock your work computer when it’s unattended, a hacker will stroll up to it, sit down, install some malicious code or swipe some important files, then sneak back out before anyone’s the wiser may seem like something out of a movie, but it’s a more common threat than you think.
As a Systems Engineer in the industry for nearly 15 years, I want to share with you what I’ve seen in the field, why that unlocked and unattended computer isn’t as harmless as it may seem, how hackers try to take advantage of these situations, and how you can help stop them before they can cause potentially irreparable damage.
Cybersecurity is about sweating the small stuff
When most employees think of cybersecurity, they often think about the “Big Stuff” that the IT department does behind the scenes to keep them safe. You may even think, “Cybersecurity? That’s IT’s job. My job is to crush my work. It’s theirs to keep me safe while I’m doing it.”
All the “Big Stuff” that your IT department does to keep you protected while you work – like network configuration and protection, antivirus protection, web filtering, email filtering, and more – is quite important.
But here’s the not-so-secret secret: cybersecurity starts with you. Yes, you!
When it comes to cybersecurity, it’s every employee’s responsibility. You may not see the direct role you play in the protection of your organization and its data, but consider this fact: as an employee, you have access to your organization’s data and network.
That access alone is valuable to hackers: working logins and footholds into company networks are actually bought and sold on the dark web.
So, even with all the other “Big Stuff” in place, if we aren’t all doing our part with the “small stuff”, it’s like leaving our car unlocked with the keys in it and waiting for someone with bad intentions to try the handle and see if the door opens.
Actual stories from the field
When I first started in the managed service provider (MSP) space (back when the Nintendo Wii launched), I went to a client to do some onsite work. While the executives knew me and knew I was there, none of the other employees on the floor knew me or knew that I’d be there to carry out some work.
I walked into the office, headed straight to the PC that needed troubleshooting, sat down, and got right to work. Since this PC wasn’t locked, I was able to do whatever I needed to do. I sat at that PC for almost 20 minutes before someone came over and asked me what I was doing and if I needed any help.
Thankfully in this case, the stranger (me) was there to help. But imagine if that stranger sitting at you or your co-worker’s computer wasn’t there to help. Someone with the wrong intentions can cause a lot of damage in 20 minutes with access to an unlocked work computer. An experienced hacker could install malicious software in a matter of seconds.
Unfortunately, this wasn’t the only time I’ve seen this when visiting clients.
Almost as bad are computers with easily guessed passwords. Sure, you’ve checked the “locked my computer when leaving it” box but if your password is something easily guessed and someone has 20 minutes unbothered at your machine, it won’t do much to protect you and your organization.
Again, you might think this is something out of a Hollywood blockbuster spy movie, but I’ve walked over to locked PCs and easily guessed their passwords when the need has come up.
I was onsite once to do some work on a machine, and the end user I was to work with was at lunch. Their machine was locked but there was troubleshooting to be completed and when you’re in IT, time is a crucial resource.
So, while I waited at their computer, I wondered if I could just guess their password and start working on it. Not expecting much, after about 3 attempts, I was actually able to guess the password!
They literally used the company name and just replaced some of the letters with numbers/symbols.
I can’t make this up.
Social engineering makes this dangerous
Even after hearing these stories, you may still think that there isn’t much danger in an unlocked or poorly secured work computer. You may think that the only reason those scenarios played out is because I was already in those respective workplaces and that a would-be hacker wouldn’t be able to achieve that level of access.
I’m here to tell you that it’s not that uncommon given social engineering practices. Social engineering is, “an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain.”
Social engineering tactics can be utilized in a number of ways. If your organization offers cybersecurity training, you’ve learned about some of these but if you haven’t taken cybersecurity training, let’s discuss a hypothetical social engineering attack.
We’ll set up this example with the help of my colleague Andrew, who wrote about something similar in his post about what good physical security looks like. In this scenario, a hypothetical organization has hired a pen tester to assume the role of a criminal to see first-hand where vulnerabilities exist within the organization:
This hypothetical organization hires a pen tester to evaluate their physical security. The pen tester, assuming the role of a criminal, gains access to the building by dressing up as a vendor representative wearing a shirt that they purchased directly from that vendor’s website. They’re friendly and nice with the people at the front desk so they don’t think twice when the pen tester checks in as a person from the vendor they’re pretending to be from.
As you read in my stories above, once I had access to the workplace, no one thought twice about this stranger just walking up to any old computer, sitting down, and starting to “work” so we’ve already established that part of this hypothetical attack.
The only thing left is for the intruder to carry out whatever nefarious plot they had in mind, whether that’s stealing sensitive data and files, sabotaging the network, installing malware that leaves them an opening into the network they can reach remotely, installing malware that monitors keystrokes and activity, or other terrible things.
How you can step up your defenses
In the above scenarios, the two major weaknesses we discussed were unlocked systems and systems with weak or easily guessed passwords.
When it comes to unlocked systems, the easiest way to defend them is to always lock your system when you step away from it. Even if you’re only away for a few seconds, that’s all it could take. An automatic lock after a short idle period, which your IT team can enforce by policy, is a useful backstop but not a substitute: the minutes before it kicks in are exactly the window an intruder needs.
- If your machine is running Windows, the easiest way to lock your PC is press the “Windows” and “L” keys at the same time. Alternatively, you can press “CTRL”, “ALT”, and “Delete” all at the same time then select “Lock”.
- If you have a Mac, the easiest way is to press the “Control”, “Shift”, and “Power” keys simultaneously (“Control”, “Shift”, and “Eject” on older Macs with an Eject key). On macOS High Sierra and later, pressing “Command”, “Control”, and “Q” together also locks the screen.
This also applies to any mobile devices like smartphones, tablets, etc. that are at your desk. If it has access to the company network and files, make sure it’s locked when unattended.
Regarding the use of strong passwords, there’s plenty of best-practice guidance about length, complexity, and more. However, that easily guessed company-name password with letters, numbers, and symbols above likely met most of those criteria for length and complexity yet still failed, because it was built from a word anyone walking into the building already knows.
Consider all of the public data available nowadays, between social media, data breaches, and more run-of-the-mill public information, that could make a password you perceive to be strong weaker than you believe.
For example, if you’re a fan of the Dungeons & Dragons podcast Critical Role and post about it on your public social media profiles, it may not be hard for a hacker to guess a password of “Cr1t!c@lR0l3” or “Cr!tF@1L” even though they may meet the criteria of a complex password.
Furthermore, never re-use passwords. We deal with so many different logins for websites and applications, so I understand that it can be tempting to just use the same password for everything. However, this leaves you so incredibly vulnerable.
With the number of exposed/hacked passwords regularly shared around the web, a hacked personal account password could mean the downfall of your password-protected work accounts (or vice versa). Make sure each of your passwords is unique to its account, and always change default ones.
Specific to the scenarios above where a potential hacker has access to your physical space, never write down your passwords in places that are easily seen or found. Notes attached to monitors, stuck under keyboards, or “hidden” away in drawers are easily found and give hackers the key to bypass all of your protections.
If unique, complex password management seems overwhelming, there are inexpensive tools you can use to manage your passwords. These tools securely save all of your passwords and auto-fill them so you don’t have to remember them.
They can even generate complex, strong, unique passwords for you. You just have to remember a single “Master Password” and let the tools do the rest of the work for you. Many even sync across desktop and mobile devices so you can have access to your passwords wherever you go.
Keep on top of cybersecurity best practices to help stay protected
I know that the tips above seem obvious, but I’ve seen them not carried out enough times to know that something terrible could’ve befallen an organization if I, their MSP, or their IT team hadn’t caught it before a hacker did.
What’s more challenging is that hackers, their tactics, and best practices to defend against them are ever evolving. If your organization offers monthly cybersecurity training, make sure to take all of the trainings made available to you so you’re always up to date on what hackers are trying and how to defend against it.
If your organization doesn’t have a regular, ongoing cybersecurity training program, consider bringing it up.
Implementing and managing an ongoing employee cybersecurity training program may seem like a tall order, but MSPs like Kelser can help keep it simple by either guiding your internal IT team through it or handling it all for them. This keeps training accessible, regular, easy to complete, easy to manage, and makes for a more cybersecure organization.
Cybersecurity is everyone’s responsibility. Check out the Learning Center for more ways you can help defend yourself and your organization from persistent cyber threats and become one of the strongest links in your cybersecurity defenses.