Interns: a hidden cybersecurity threat

How an intern can be a threat to your organization’s cybersecurity and what you can do about it.

Why are interns a cybersecurity threat?

When summer rolls around, many organizations take on students for seasonal internships. This means that young, inexperienced people who probably don’t know much about cybersecurity will be involved in your business processes.

Organizations rarely spend much time thinking about the risks related to this, and they don’t take precautionary measures. They tell themselves that interns won’t be there for long and it’s unlikely that they’ll gain access to any confidential information. This is true, but it doesn’t mean you should ignore the fact that inexperienced interns without proper knowledge can severely compromise your organization just by clicking on a phishing link, setting weak passwords on their work accounts, or falling prey to social engineering. To prevent any of those things from happening, here are a few recommendations to pay special attention to.

Orientation session

Before you give your interns access to the organization’s infrastructure and equipment, it’s a good idea to familiarize them with the essentials. First and foremost, explain the organization’s accepted standards on security policies, two-factor authentication and passwords.

When you involve interns in your operations, they have to set passwords. And while password security seems to be a well-discussed topic, it might not occur to a fresher that they shouldn’t use the same password for multiple services, and they might not even know fully what “strong password” means.

Principle of least privilege

When you grant interns access to the organization’s resources, you should follow the principle of least privilege, meaning that everyone gets only the minimum access level they require to do their jobs. This is actually a good principle to follow in general, but it’s especially important when you’re working with interns.

Nondisclosure agreements

Many organizations don’t have their interns sign nondisclosure agreements, once again because they view the interns as having only a minor, temporary role. However, it’s a good idea to do so. Even if the interns won’t be getting close to any corporate secrets, signing an NDA is a great way to convey to these novice employees that they shouldn’t talk about business processes in personal conversations.

Information security on personal social media accounts

Interns are mostly young people, and the young people of today tend to chronicle their lives on social networks. It’s easy to imagine that they’ll be eager to post about something as significant to them as their first job.

On the one hand, the organization can definitely benefit if interns talk excitedly on social media about how interesting their work is. But on the other, interns might inadvertently disclose important information in their posts — for example, if they take selfies with internal documents behind them.

This is why we recommend that you clearly articulate to your interns your organization’s policy on social media use. But try not to e-mail long instructions as then the chances that they’ll be read from A to Z will be very low. A more effective approach is to give a verbal briefing.

Access to work resources after the internship ends

All good things must come to an end — including internships. Some students may stay with you beyond the internship, but some will inevitably leave. Pay special attention to the departing ones. Make sure to revoke all access to the organization’s internal resources after the intern leaves. Just having an extra account with access is a potential vulnerability.

Training interns on the basics of cybersecurity

As a rule of thumb, we recommend training all employees on the basics of cybersecurity. However, interns are rarely included in such training sessions. This is a mistake. Training interns will help mitigate risks to your own cybersecurity, and at the same time it will be an important lesson they’ll take with them when they leave your organization.

You don’t even need to invest significant resources in this training. There are quite a few online open-source materials that address the basics of cybersecurity which you can share with your interns. For example, to help organizations make their employees more resilient to cyberattacks, we recently released a free online course — part of our Kaspersky Automated Security Awareness Platform (ASAP) — on how to use social networks and avoid falling prey to social engineering.