Why Your Employees Remain Your Greatest IT Risk
Companies worldwide are investing millions into their cybersecurity initiatives. Yet many companies remain blind to the fact that their greatest threats are within. SMBs are particularly vulnerable to internal threats, and all companies need to take action to protect themselves.
When handling company-related data, employees aren’t always following the best security practices. Employees check their email from their phone, download random attachments, and generally interact with potentially dangerous materials.
And a malicious employee can easily cut a swathe through your confidential data.
To protect your company from cybersecurity threats, you need to understand your greatest IT risk: your employees. Here’s what to know and what you should be doing about it.
Since 2003, we’ve been helping our clients develop proactive IT strategies to protect, maintain, and extend their infrastructure. We provide support for small businesses, accounting firms, manufacturing firms, and construction. And though these are very different industries, one thing remains the same: employee training is critical for the purposes of security.
Employees are responsible for the vast majority of cyber attacks and data breaches. Employees will share passwords with each other, download malware, and respond to requests for personal or confidential information. In an accounting firm, employees will deal with personal and financial information. In a construction company, employees may deal with intellectual property and highly confidential plans.
Even the best employees will occasionally have an off day, and may forward confidential or personal information to someone who shouldn’t have it. In order to properly manage your security, you need to manage your employees — and that can be a challenge.
47% of businesses have experienced a data breach due to negligent employees.
Nearly half of all businesses will experience a data breach due to the negligence of their employees. In fact, 81% of data breaches are due to bad password management. Businesses need to manage their employees to manage their security, and that’s easier said than done.
Employees are often negligent with their access to data. They save data on personal devices, allow their personal devices to be compromised, share passwords, and choose passwords that are easily guessed.
Today’s employee often has a wealth of information just on their phone, and that information is easily shared and breached. From company email addresses to document management, employees are responsible for protecting and interacting with tremendously important resources.
A business can invest in an extremely advanced security system, but it still needs to offer its employees access to this confidential data. Employees are the weakest link simply because they are the most common link.
Employers are finding it more difficult to control their employee security.
Soon, 50% of the workforce will be working remotely. Employees are working on their own desktops, laptops, and tablets. They are working on outdated systems and systems that are often poorly secured. Thus, the security landscape is becoming far more challenging for employers: employers are finding it difficult to control their employees’ environments.
An employer can’t ensure that an employee isn’t using their computer for both personal and business things. It can’t ensure that an employee isn’t vulnerable to viruses or malware, or that the employee has locked their device at all times. An employer can’t even ensure that employees aren’t letting their children on their computers.
That doesn’t mean it’s impossible to secure corporate data: it just means that employers need to change the way that they think about security. Rather than securing systems, they need to secure the access and transmission of their data. And they cannot assume that their employees are going to be willing or able to maintain the security of their system on their own.
Employers are increasingly moving towards cloud-based platforms, through which employees access data but do not directly download that data. These cloud-based platforms can keep data secure from external sharing, but they can still be breached if the right authentication practices aren’t used.
Better training and rigid security controls provide some risk management.
Why are employees so uneducated when it comes to security? It may simply be because companies aren’t investing in training. 45% of employees receive no security-related training from their employer. Not only do they not understand why security is so critical, but they also don’t understand what makes a system less secure.
Employee training and access-based controls can improve security for many businesses. Employees will naturally choose better passwords once they learn more about proper password hygiene. They will understand why securing their personal devices is important, and they will have better habits overall.
Rigid security controls go a step further, by disallowing access to content on a role-based or per-employee basis. When there is no need for an employee to have access to content, they won’t have it; this prevents more significant data breaches. By authenticating employees through multi-factor authentication, employers can greatly reduce the chances of a data breach.
Technology cannot protect against most social engineering attempts.
Even the most advanced technology today has difficulty identifying phishing and social engineering attempts. If someone calls an employee on the phone and requests their password, there’s no amount of technology that can prevent this from happening.
What modern technology can do is react to unusual access points and the potential for threat. Next-generation solutions can notice that a login is occurring from outside of the country, and can react accordingly to lock an account. Next-generation solutions can identify passwords being sent in an email, and prompt the user to further inquire about the need for this information.
But this isn’t foolproof. None of this can prevent an employee from letting a social engineer into a server room “for maintenance,” or verbally offering their social security number or other personally identifiable information through the phone.
True security solutions cannot rely upon employee competency.
As well-trained as an employee may be, an employee can still make mistakes. Any security method that requires employees to be competent and in control at all times will fail. Systems need to be developed to protect employees against security breaches.
New solutions, such as Microsoft’s new Information Protection suites, are geared around identifying potentially confidential and personally identifiable information. Next-generation security solutions are able to flag confidential information before it is shared, thereby protecting employees from accidents and negligence.
Multi-factor authentication services insist that an employee must have both a password and a device in order to log in; this means that employers no longer need to rely upon employees using the right passwords.
These solutions don’t rely upon the employees conducting their work perfectly. Instead, the solutions react to the possibility that employees will likely make mistakes. These solutions make those mistakes impossible.
Well-trained employees can be a company’s first defense against intrusion.
For the most part, companies find themselves vulnerable because their employees aren’t properly trained or empowered. When employees are well-trained and empowered to act, they are more likely to notice potentially malicious programs and stop intrusion in its tracks. Employees are a vulnerability to companies because they regularly interact with a company’s internal systems and data. They can be a company’s most effective reporting vehicle, for the very same reason.
If employees know how to identify the signs of an attack and know how to escalate reports of this attack, they can take action. Companies that are able to provide thorough employee training will be able to create informed, rational actors who are able to proactively react to threats.
Are you ready to convert your employees from liability to asset?
At Levit8, we provide advanced network security and support services designed to offer your business the training and technology needed to protect against the most pervasive of threats. Your employees handle your most sensitive data, and any of that data could currently be vulnerable.
Beau is the co-founder of Levit8, a Managed IT Services firm that has been helping companies by providing strategic, collaborative, professional solutions and support to every SME in Australia.