The most important commodity in any business is data, and protecting that data in an increasingly global arena of information transfer and data security risk is at the forefront of modern enterprise.
The threats to data security can broadly be divided into the external, i.e. the classic depiction of hackers and phishing-type scams, and the internal, i.e. human error and poor compliance with common sense data security, and deliberate insider attacks or leaks.
All this runs on assumption that you and your online security team are maintaining a high level of basic security through maintaining up to date anti-virus and anti-spyware software and firewalls, and updating operating systems promptly – all the usual “bumph” that is touted as being the key things to help stay secure.
Here are five of the most common data risks your employees are likely to face in the workplace, everyday, and what you can do about them:
Losing control of passwords!
This can affect both physical workstations in one location, and access to external or cloud-based systems. A study conducted by Lastpass found that 95% of people share at least one password with others, and 61% admitted to being more likely to disclose work passwords than private ones (apart from Netflix… we all do that, right?). It can’t be over-stressed: employees need reminding not to jot their password down, save it in your phone, or write it on the back of their hand. And not to give it to anybody else!
Teaching basic password hygiene is a must – but not necessarily the obvious do’s and don’ts. Get your users to understand why passwords are so important – and the ramifications of failing to look after them. Oh, and where possible, we still encourage the use multi-factor authentication and password managers to reduce the likelihood of human error or indifference.
The majority of day to day online communication and data transfer in most businesses is done by email – we’re talking a whopping average of 281.1 billion emails sent per day in 2018, according to The Radicati Group. It’s estimated that 91% of major security threats come in by email, so this needs to be seriously addressed in your employee security awareness training. You’ll need to ensure you cover the basics; “If you don’t know exactly what it is, don’t open it, don’t click the link”, and to encourage employees to let people know. If there’s a way your employees can report threats and for the threats to be quickly disseminated among your staff, that’s great – the method depends on the size of your business. You can check out our #BreakingScams blogs if you need any (free) help!
Keep your staff vigilant about their own outgoing email practices, not just threats coming into the workplace. There’s nothing easier than forwarding an email to anyone you like, cc’ing the wrong person, or the ever-present threat of ‘Reply All’. Many organisations have strict email policies, and – whether they have the resources or not – the idea that someone might be occasionally checking that your emails are appropriate is enough to make your employees just a little more mindful about what they’re sending, and to whom.
The use of only trusted, secure connections such as company Wi-Fi should be mandatory, and appropriate filters should be used to ensure that only secure sites can be accessed from your workplace.
This doesn’t necessarily cover you if your organisation has employees working from home, or from a geographically diverse cyber-workplace, but it’s a definite way to mitigate certain threats. Mobile devices are particularly prone to attack; it’s all-too-easy to connect to an unsecured network, to click a suspicious link, or to give ill-considered permissions to all kinds of apps.
Mobile security is improving all the time… but so are the attempts to bypass that security. They’re also easy to just lose, so it’s essential to be sure that data can’t be accessed on a found device, and that you can remotely wipe lost devices.
Phishing, vishing, smishing
Do your employees know how to spot fraudulent emails, calls, or messages? Cyber attacks are more sophisticated and convincing all the time, and can target anyone in an organisation, so it’s vital that all your employees are vigilant against scams. Giving people examples of real-life phishing emails or other attempts on security can improve their understanding and compliance. Again, handheld devices pose a particular problem, as it’s not as easy to spot dodgy links or hidden URLs on a tiny screen without the benefit of desktop or laptop functionality, such as the classic ‘right mouse click’.
The common factor in all the above, and nearly every other conceivable risk to security in the workplace is the individual members of staff. It’s not just poor compliance with your data protection and security rules, not just natural human actions or omissions.
The best security systems in the world are still susceptible to human error, or to being deliberately bypassed by staff members.
The best way to mitigate the risk of accidental error (easy to guess passwords, laptops left on trains, getting phished, the list is endless) is by providing a robust security awareness training programme to ensure full understanding and compliance in the workplace.
To build a successful cyber security training programme, you must first understand human behaviour and how people will perceive and act upon the directions they’re given. Additionally, measures should be taken to audit the implementation of the training and update it as new threats are developed. The ever-evolving and cutting-edge nature of threats to cyber security will likely necessitate a training programme with regular, frequent, updates.
It is impossible to consider the accidental risks posed by individual employees to data security without considering the possibility of deliberate insider attacks. An employee is more likely than an outsider to be able to access sensitive information without suspicion, to know what information would be worth leaking, and to have the means or opportunity just to copy information onto a USB drive or hard copy. There’s no easy answer to this one, but making sure people only have the access they need, having a system in place where anyone’s access can be remotely and instantly revoked, and just being aware of colleagues’ activity is a good start.
Cyber security threats are a growing risk. They are varied, often sophisticated, and ever-evolving. After every security update, a new threat is developed. The role of the individual employee in mitigating these threats cannot be stressed enough; and having a well-trained, vigilant workforce of trusted employees is the single most important thing you can do to.
Want to learn more about helping secure your workforce? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.