Are your employees your biggest risk?
You’re only as strong as your weakest link, so the saying goes, and within an organisation that link is often an employee. Recent research from Nuix revealed that in 93 per cent of cases human behaviour is the single biggest threat to business security.
Not all threats are malicious; many are accidental. Nevertheless, businesses must be aware of both types and know how to prevent security breaches.
What threat do employees pose?
Cyber security breaches happen every day, and not just to small businesses with limited budgets. Every year huge organisations are infiltrated, either by a disgruntled employee on the inside or by external threats who have managed to phish or hack their way into a system. One of the biggest breaches of 2016 put phone company Three’s nine million customers at risk, after hackers managed to access the customer upgrade system using an employee’s login details.
Think about what could happen if your organisation’s systems were infiltrated. Any leak would not just cost you financially; it would also significantly damage your business’s reputation, which could impede its future success. Whether your employees mean to cause a leak or not, it’s safe to say the damage wouldn’t be forgotten overnight.
Malicious security breaches
In some cases, employees leak confidential data, logins and other secure information on purpose. Organisations may assume that every worker is loyal and wants the business to succeed, but the truth is that employees look out for themselves. If they are unhappy (which could be for any number of reasons), they may decide to go rogue and turn against their employer.
It’s believed that the huge Ashley Madison data breach was orchestrated by an ex-employee – perhaps someone who thinks they were dismissed unfairly and wanted to get their revenge. One of the biggest mistakes an organisation could make is to underestimate the potential impact a low-level employee could have on their business.
How to prevent these types of breaches:
Firstly, all new employees should undergo a vetting procedure. Anyone with a history of security breaches will therefore be highlighted, but as we all know, the biggest threat is existing employees. That’s why everyone who works at your organisation should be vetted on a regular basis, especially those who have had a recent change in circumstances and may be a potential risk. For example, an employee who’s been demoted or asked to leave could be a threat to the business.
A non-obstructive monitoring system should also be in place, so that suspicious activity is reported and acted upon. Such activity may include sending large files over email, accessing secure systems at unusual times of day and using or downloading unauthorised software/files. However, your monitoring system shouldn’t make your employees feel uncomfortable or stop them from doing their jobs.
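The three signals named above (large files sent over email, secure systems accessed at unusual times, unauthorised software) can be expressed as simple rules over activity logs. The following is an added example, not part of the original article; the event fields, thresholds, system names and software allow-list are all assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Assumed policy values (not from the article): tune to your organisation.
MAX_ATTACHMENT_MB = 25
WORK_HOURS = range(7, 20)                      # 07:00-19:59 local time
SECURE_SYSTEMS = {"hr-db", "finance-erp"}
APPROVED_SOFTWARE = {"office", "browser", "vpn-client"}

# Constructed sample events; the field names are hypothetical.
EVENTS = [
    {"ts": "2024-03-04T10:15:00", "user": "alice", "type": "email", "attachment_mb": 2},
    {"ts": "2024-03-04T16:40:00", "user": "bob", "type": "email", "attachment_mb": 180},
    {"ts": "2024-03-05T02:12:00", "user": "bob", "type": "login", "system": "finance-erp"},
    {"ts": "2024-03-05T09:30:00", "user": "carol", "type": "login", "system": "finance-erp"},
    {"ts": "2024-03-05T11:05:00", "user": "dave", "type": "install", "software": "remote-admin-tool"},
    {"ts": "2024-03-05T23:50:00", "user": "erin", "type": "login", "system": "intranet"},
]

def flag(event):
    """Return the reason an event is suspicious, or None if it is not."""
    kind = event["type"]
    if kind == "email" and event.get("attachment_mb", 0) > MAX_ATTACHMENT_MB:
        return "large email attachment"
    if kind == "login" and event.get("system") in SECURE_SYSTEMS:
        # Only secure systems are checked, so ordinary late working is not flagged.
        if datetime.fromisoformat(event["ts"]).hour not in WORK_HOURS:
            return "secure system accessed out of hours"
    if kind == "install" and event.get("software") not in APPROVED_SOFTWARE:
        return "unauthorised software"
    return None

def review_queue(events):
    """Group findings per user so a reviewer sees a pattern, not isolated alerts."""
    queue = {}
    for event in events:
        reason = flag(event)
        if reason:
            queue.setdefault(event["user"], []).append((event["ts"], reason))
    return queue

if __name__ == "__main__":
    for user, findings in review_queue(EVENTS).items():
        print(user, findings)
```

Restricting the out-of-hours rule to secure systems and grouping findings per user keeps the number of alerts low, which fits the article's point that monitoring should not get in the way of people doing their jobs.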
Accidental security breaches
Everybody makes mistakes – it’s what makes us human. You may be up to speed with the latest phishing scams and malware threats, but that doesn’t mean your employees are. It’s all too easy to download a file containing a virus from an email which appears to be from a legitimate source, as cyber criminals are getting smarter by the minute. Malware can be hidden in any number of places, and security software isn’t always able to pick up newer strains of viruses.
Sometimes employees increase the risk of data breaches by using security workarounds. In most cases this isn’t done on purpose; the employees simply don’t understand the risks involved and believe that the current systems in place are too cumbersome to follow. If they can find a quicker and more efficient way to work or solve a problem, they will do it, even if it means breaching the protocols you’ve put in place.
How to prevent these types of breaches:
Education is most important. All new employees should undergo extensive security training when they join the organisation and existing workers must receive refreshers on a regular basis. The training should cover what the risks are, why they should care, how to avoid data breaches, and what to do if they suspect a leak has occurred.
While you should make it clear that security is everyone’s responsibility, you must do your best to encourage employees to come forward if they believe the system has been breached. On average, data losses aren’t highlighted until 100 days after the leak or breach, so the sooner you find out, the less damage it may inflict. If employees feel afraid to come forward and admit their mistake, they won’t.
If employees aren’t following certain security protocols and procedures because those procedures are acting as a roadblock, you should do all you can to remove the obstacle. This may mean changing the systems you use or reducing the steps employees need to take to keep their data secure. The less human involvement, the less chance of human error.
Employees are your most valuable asset, so never underestimate the impact they could have on your organisation, good or bad. Vetting both new and existing employees can greatly reduce the risk of data breaches – make sure it’s a part of your security procedures by getting in touch with us today.