Why Your Employees Remain Your Greatest IT Risk
As our client Colling Gilbert Wright & Carter said, “Preventing a fire is easier than extinguishing one.”
In terms of security, this is always true. For the Colling Gilbert Wright & Carter law firm, we were able to enact security policies to protect their infrastructure. To do that, we had to address the company’s most substantial IT risk: its employees.
Most companies are going to experience a data breach or cyber security attack at some point. For many, the primary cause isn’t going to be a failure of technology or training: it’s going to be an employee accident. This is especially true for legal firms, accounting firms, and other companies in which employees need to manage large volumes of confidential data.
Modern employers need a complete, comprehensive security solution if they are to protect themselves from employee mistakes and negligence. Here’s what you need to know.
47% of businesses have experienced a data breach due to negligent employees.
Nearly half of all businesses will experience a data breach due to the negligence of their employees. In fact, 81% of data breaches are due to bad password management. Businesses need to manage their employees to manage their security, and that’s easier said than done.
Employees are often negligent with their access to data. They save data on personal devices, allow their personal devices to be compromised, share passwords, and choose passwords that are easily guessed.
Today’s employee often has a wealth of information just on their phone, and that information is easily shared and breached. From company email addresses to document management, employees are responsible for protecting and interacting with tremendously important resources.
A business can invest in an extremely advanced security system, but it still needs to offer its employees access to this confidential data. Employees are the weakest link simply because they are the most common link.
Employers are finding it more difficult to control their employee security.
Soon, 50% of the workforce will be working remotely. Employees are working on their own desktops, laptops, and tablets, often on outdated and poorly secured systems. The security landscape is therefore becoming far more challenging: employers are finding it difficult to control their employees’ environments.
An employer can’t ensure that an employee isn’t using their computer for both personal and business purposes. It can’t ensure that the employee isn’t exposed to viruses or malware, or that the device is locked whenever it is unattended. An employer can’t even ensure that employees aren’t letting their children use their computers.
That doesn’t mean it’s impossible to secure corporate data: it just means that employers need to change the way that they think about security. Rather than securing systems, they need to secure the access and transmission of their data. And they cannot assume that their employees are going to be willing or able to maintain the security of their system on their own.
Employers are increasingly moving towards cloud-based platforms, through which employees access data but do not directly download that data. These cloud-based platforms can keep data secure from external sharing, but they can still be breached if the right authentication practices aren’t used.
Better training and rigid security controls provide some risk management.
Why are employees so uneducated when it comes to security? It may simply be because companies aren’t investing in training. 45% of employees receive no security-related training from their employer. Not only do they not understand why security is so critical, but they also don’t understand what makes a system less secure.
Employee training and access-based controls can improve security for many businesses. Employees will naturally choose better passwords once they learn more about proper password hygiene. They will understand why securing their personal devices is important, and they will have better habits overall.
Rigid security controls go a step further by disallowing access to content on a role-based or per-employee basis. When an employee has no need to access content, they won’t have it; this limits how far a breach can spread. By authenticating employees through multi-factor authentication, employers can greatly reduce the chances of a data breach.
Technology cannot protect against most social engineering attempts.
Even the most advanced technology today has difficulty identifying phishing and social engineering attempts. If someone calls an employee on the phone and requests their password, there’s no amount of technology that can prevent this from happening.
What modern technology can do is react to unusual access patterns and potential threats. Next-generation solutions can notice that a login is occurring from outside the country and react by locking the account. They can also identify passwords being sent in an email and prompt the user to question whether the recipient really needs that information.
But this isn’t foolproof. None of this can prevent an employee from letting a social engineer into a server room “for maintenance,” or verbally giving out their social security number or other personally identifiable information over the phone.
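The “login from outside the country, lock the account” reaction described above, written out as a small detector. This is an added example, not code from the original post or from LAN Masters: the log format, the user names and the US-only allow-list are all constructed for the demo.

```python
import re

# Constructed sample authentication events (not from the original post).
# Assumed line format: "<timestamp> <user> <success|failure> <ISO country code>".
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice success US
2024-03-01T08:15:43Z bob success US
2024-03-01T09:40:02Z alice success US
2024-03-01T11:03:57Z alice success RO
2024-03-01T11:05:10Z carol failure US
2024-03-01T11:06:30Z alice success RO
2024-03-01T11:09:12Z bob success US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<result>success|failure) (?P<country>[A-Z]{2})$"
)

# Countries from which this (hypothetical) firm expects staff to sign in.
ALLOWED_COUNTRIES = frozenset({"US"})


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def evaluate_logins(events, allowed=ALLOWED_COUNTRIES):
    """Replay events in order. A successful login from a country outside the
    allow-list locks the account immediately; any later success on a locked
    account is reported too, because it means the lock was not enforced
    upstream. Returns (locked_accounts, alerts)."""
    locked = set()
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue  # failed attempts are left to brute-force monitoring
        user, country, ts = ev["user"], ev["country"], ev["ts"]
        if user in locked:
            alerts.append(f"{ts} {user}: successful login on a locked account from {country}")
        elif country not in allowed:
            locked.add(user)
            alerts.append(f"{ts} {user}: login from {country} (outside allow-list), account locked")
    return locked, alerts


if __name__ == "__main__":
    locked_accounts, found = evaluate_logins(parse_log(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print("locked:", sorted(locked_accounts))
```

In a real deployment the allow-list would be replaced by each user’s usual sign-in locations and the lock would be pushed to the identity provider; the point here is that the decision is made from the login event itself, not from anything the employee has to do right.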
True security solutions cannot rely upon employee competency.
As well-trained as an employee may be, an employee can still make mistakes. Any security method that requires employees to be competent and in control at all times will fail. Systems need to be developed to protect employees against security breaches.
New solutions, such as Microsoft’s new Information Protection suites, are geared around identifying potentially confidential and personally identifiable information. Next-generation security solutions are able to flag confidential information before it is shared, thereby protecting employees from accidents and negligence.
Multi-factor authentication services insist that an employee must have both a password and a device in order to log in — this means that employers no longer need to rely upon employees using the right passwords.
These solutions don’t rely upon employees doing their work perfectly. Instead, they assume that employees will make mistakes and are built to make those mistakes impossible.
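What “flagging confidential information before it is shared” looks like in practice, as an added example that is not code from the original post and is not Microsoft Information Protection itself: a small outbound-message scanner for social security numbers, payment card numbers (confirmed with a Luhn check so that plain invoice numbers are not flagged) and passwords written out in the message body. The four messages are constructed for the demo.

```python
import re

# Constructed outbound messages for the demo (not from the original post).
SAMPLE_MESSAGES = {
    "client_intake": "Hi Tom, the client's SSN is 123-45-6789, please add it to the file.",
    "invoice": "Invoice 1234 5678 9012 3456 is attached; card on file is 4111 1111 1111 1111.",
    "helpdesk": "My password is Winter2024! can you log in for me?",
    "benign": "Lunch at noon? Conference room B.",
}

# US SSN shape, excluding area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits with optional single spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# Someone stating a password in plain text ("password is ...", "pwd: ...").
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*(?:is|:|=)\s*(\S+)")


def luhn_ok(number):
    """Luhn checksum over the digits of `number`; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text):
    """Return a list of (kind, evidence) findings. Passwords are masked so the
    finding itself does not leak the secret into the alert log."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):      # drops invoice/reference numbers
            findings.append(("card", m.group(0)))
    for m in PASSWORD_RE.finditer(text):
        findings.append(("password", m.group(1)[:2] + "***"))
    return findings


def triage(findings):
    """Policy decision: hard-block regulated identifiers, prompt on passwords."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"ssn", "card"}:
        return "block"
    if "password" in kinds:
        return "prompt_user"
    return "allow"


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        found = scan_message(body)
        print(f"{name:14} {triage(found):12} {found}")
```

The regexes are deliberately narrow; a production classifier would add context words, attachments and document fingerprints, but the structure (detect, then apply a policy the employee cannot bypass by accident) is the part that protects the employee.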
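The “password plus device” rule from the multi-factor paragraph, shown as a working login check. This is an added example, not the original post’s code or any vendor’s product: the password factor is a PBKDF2 hash and the device factor is a time-based one-time code (TOTP, RFC 6238, with HOTP from RFC 4226 underneath). The `Account` class, the user name and the shared secret are constructed for the demo; the secret is the RFC test vector, which makes the expected code at T=59 checkable.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=STEP):
    """The code an authenticator app would display at `at_time` (Unix seconds)."""
    return hotp(secret, int(at_time // step))


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, hash)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Hypothetical user record: stored password hash plus the enrolled device secret."""

    def __init__(self, username, password, totp_secret):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest TOTP time step already accepted


def verify_login(account, password, code, at_time, window=1):
    """Both factors must pass. The reason string is for the server log; the
    user should only ever see a generic 'login failed' message."""
    _, candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.pw_hash):
        return "bad_password"
    counter = int(at_time // STEP)
    for drift in range(-window, window + 1):   # tolerate one step of clock skew
        c = counter + drift
        if c <= account.last_counter:
            continue  # a code for a given time step is accepted once only (anti-replay)
        if hmac.compare_digest(hotp(account.totp_secret, c), code):
            account.last_counter = c
            return "ok"
    return "bad_code"


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    acct = Account("alice", "correct horse battery staple", secret)
    print(totp(secret, 59))                    # 287082 per the RFC vector
    print(verify_login(acct, "correct horse battery staple", "287082", 59))
    print(verify_login(acct, "correct horse battery staple", "287082", 59))  # replay
```

Note what the employee is no longer trusted to get right: a leaked or guessed password alone returns `bad_code`, and a code copied from a phishing page stops working after one use or one time step.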
Well-trained employees can be a company’s first defense against intrusion.
For the most part, companies find themselves vulnerable because their employees aren’t properly trained or empowered. When employees are well-trained and empowered to act, they are more likely to notice potentially malicious programs and stop an intrusion in its tracks. Employees are a vulnerability to companies because they regularly interact with a company’s internal systems and data. They can also be a company’s best reporting vehicle, for the very same reason.
If employees know how to identify the signs of an attack and how to escalate a report of it, they can take action. Companies that provide thorough employee training will create informed, rational actors who are able to respond proactively to threats.
Ready to Convert Your Employees from Liability to Asset?
If you haven't engaged in employee training or embarked upon next-generation cybersecurity solutions, your company may be at risk of intrusion. Contact LAN Masters today to learn more about securing your company against cyber attack.
Mike Della Pia is the President of LAN Masters, Inc., an Orlando IT support company that has been helping small businesses stop focusing on IT and get back to doing business for the past 15 years. Connect with Mike on LinkedIn.