Every month or so there’s a report of a major company data breach. In most cases, it’s critical customer information that is stolen, but in other instances, such as Sony, it can be embarrassing internal documents. Either way, when a breach occurs, the company’s brand can be tarnished.
While there are a lot of technology and software investments you can make to improve company security, it's likely that employees are, without realizing it, your weakest link in keeping your company's data and infrastructure secure. In fact, a 2014 report by IBM found that human error is involved in more than 95% of security incidents.
This two-part series focuses on employees as potential security vulnerabilities. In Part 1 (this post), we’ll look at how employees’ actions can cause security issues and how to address the issue with them. In Part 2, we’ll address what you can do to proactively reduce employee-created security risks.
Problem: Unsafe Downloads or Links
It may be business-related or it may not, but employees often don't think twice about downloading applications and browser extensions or clicking on links. Yet downloads often pose a risk, either because the download is infected with malware or because it is a fake download created by cybercriminals to attack your computer or network. Either way, any time an employee downloads a file or application there is increased risk. Additionally, because their device is connected to the network, there is also a risk of the infection spreading through your network.
Solution: Determine What Downloads Are Acceptable
Develop a list of company-approved software downloads and web extensions. Then, make sure your employees are aware of what is approved and what is not. Taking this a step further, administrators can use software restriction policies in Microsoft Windows to identify software programs running on computers and control whether those programs are able to execute. For businesses running on Macs, administrators can automatically download Apple’s list of malware threats daily so employees can be warned if a piece of malware is downloaded. Finally, IT can limit all software updates and downloads to network administrators who control all company-owned computers.
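As an added example (not from the original post), the following PowerShell script configures the Windows software restriction policy described above as a deny-by-default allow-list: nothing runs unless it sits in the operating-system or Program Files directories, which only administrators can write to, so the "approved software" list is simply what IT has installed. It assumes a single test machine with a local policy and an elevated PowerShell session; in a domain the same settings are deployed through Group Policy.

```powershell
# Added example, not from the original post. Assumes: run as Administrator on a
# single test machine; settings are the same ones the Group Policy editor writes
# under Software Restriction Policies.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x0       # SRP security level: program is blocked
$Unrestricted = 0x40000   # SRP security level: program runs with the user's rights

New-Item -Path $base -Force | Out-Null
# Default rule: anything not matched by an explicit path rule may not run.
Set-ItemProperty -Path $base -Name 'DefaultLevel'       -Value $Disallowed -Type DWord
# 1 = enforce for executables but not DLLs; 2 also covers DLLs and is far stricter.
Set-ItemProperty -Path $base -Name 'TransparentEnabled' -Value 1 -Type DWord
# 0 = apply to all users, including local administrators (1 exempts local admins).
Set-ItemProperty -Path $base -Name 'PolicyScope'        -Value 0 -Type DWord

# Path rules are stored under CodeIdentifiers\<level>\Paths\<GUID>.
function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    $key = Join-Path $base ("{0}\Paths\{1}" -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name 'Description' -Value $Description -Type String
}

# Approved locations. Standard users cannot write here, so a user-downloaded
# installer or a file saved from a browser never matches an allow rule.
Add-SrpPathRule -Level $Unrestricted -Path '%SystemRoot%'        -Description 'Windows'
Add-SrpPathRule -Level $Unrestricted -Path '%ProgramFiles%'      -Description 'Program Files'
Add-SrpPathRule -Level $Unrestricted -Path '%ProgramFiles(x86)%' -Description 'Program Files (x86)'

Write-Host 'Policy written; it applies to newly started processes after the next log-off.'
```

Test it first on one machine with a user who is not a local administrator, because a missing allow rule for a line-of-business application will block it outright. On current Windows releases, AppLocker and Windows Defender Application Control are Microsoft's supported successors to SRP and implement the same allow-list idea.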
Problem: Unsecured Connections
With WiFi connections available everywhere these days (coffee shops, airports, airplanes and train stations, for example), employees are constantly connecting devices to public WiFi networks. However, many of these WiFi networks are not secure, which makes attacks easier for anyone who can observe or tamper with data sent across the unsecured connection.
Solution: Secure Employee Internet Sessions
Teach employees how to recognize an unsecured wireless connection (hot spots and networks labelled "public WiFi" are red flags) and why it's critical that they only use secure connections when accessing, sending, or receiving business-related information. If you've implemented a VPN, make sure employees use it whenever they are remotely connecting to your network.
Problem: Password Passivity
Choosing passwords is another area where employees often struggle. They may share passwords with others or reuse the same password and username on different websites, including the company intranet, network, email, and devices. What's more, many employees use "easy to remember" passwords such as a single word or phrase, which are easy to crack. Often, employees' personal devices, which frequently contain business emails and other information, aren't password protected at all. This makes it extremely easy for someone to get access to company data if an employee's personal device is lost, stolen or left unattended for a few minutes.
Solution: Promote Powerful Passwords
Teach employees how to create passwords that can't be cracked in a few short minutes: a mix of numbers, letters, and symbols, not in a predictable order, greatly improves a password's strength. Give them some suggestions using mnemonic devices to help them remember more complicated passwords. Show them how to create an easily remembered sentence, and then use just the first letter of each word along with a number and a symbol. Educate them on the security threat of sharing passwords and reusing the same password on company and public websites.
Problem: Phishing
It's easier than you might think for employees to be duped. Phishers can be excellent imitators, making your employees believe they are being contacted by legitimate companies they naturally interact with to do their job, such as a software vendor or email provider, or sometimes even by other members of your staff. When asked to provide company or customer data, your employees may unwittingly do so.
Solution: Identify Imposters
Teach employees to be suspicious of any attachment or email they weren't expecting, and never to give out confidential information, even to trusted sources, without independent verification (for example, pick up the phone and call the number listed on the company's website, not the one in the email).
Problem: Unsecured Data
Comfortable using Dropbox, Google Docs, and other free file sharing apps in their personal lives, employees may also use these apps to share large files with internal and external clients or to provide easy access to work-related documents on a personal device, even when secure file sharing options exist. What many employees don't realize is that these storage applications are not secure. In fact, almost 70 million users' credentials were stolen from Dropbox in a 2012 breach.
Solution: Defend against Data Theft
Make sure your employees understand that these types of file sharing applications are not appropriate for work-related information. If you're not already doing so, provide them with a secure file sharing option, such as Egnyte, which provides secure and compliant file sharing.
Education is the Best Approach
Intel reports that 40% of security breaches come from within the company. While some employees may maliciously try to steal data or create security vulnerabilities, at least half the time those breaches are accidental.
Most of the time, employees don’t even realize a security threat exists or don’t know how to guard against it even when they do know there’s a risk. This is why security policies and education are critical. Employees can only take security risks seriously when they understand what the risks are, how to address them, and what the consequences are to the company.
Remember, your strongest security measures are only as good as your weakest link, so it’s worth investing a little time and effort in educating your employees and crafting policies that can help protect against human-related security breaches.
Interested in what you can do to counter employees' bad security habits? Read Part II in the series.