Your company may not be a hot target for ransomware, but data is critical to your business operations. Keeping client, employee, and proprietary information confidential is key to managing your company, yet businesses often overlook the risk their own employees pose to data security.
As more companies have shifted to remote or hybrid work, that risk increases. In-house systems may be easier to protect with access checks and anti-virus software. Employees who use their own devices to reach work systems and databases may hand bad actors a roadmap for incursion. Insider risk — risk posed by employees who don’t secure data or who fall victim to phishing — is considered the highest threat an organization faces for a data breach. Training employees to secure data, and setting up systems to ensure they do, is crucial to protecting your company.
How high is the risk?
A 2021 report from Egress found that 94% of companies experienced some form of data breach in the past year, 84% of them the result of employee errors. Whether the breach is accidental or a deliberate attempt to access company systems, the results can be catastrophic. Employee training is critical to minimize that risk.
A study from IBM categorized risk in two ways: decision-based errors and skill-based errors. Employees who make decision-based errors may not have been properly trained on how to keep data secure. Skill-based errors occur when the employee knows the proper procedure but fails to follow it because of a mistake, lapse, or negligence. To keep their data secure, companies must take both types of error into account when training workers on company security measures.
Where is the risk?
There are several ways malicious attacks on your company can occur. A breach can happen with hardware or over the internet. Recognizing where you may be susceptible is a first step in securing data.
For many businesses, smartphones pose the highest risk. In a 2020 survey, more than half of the organizations polled believed employee smartphones were their most vulnerable endpoint for a data breach. The 24/7 access employees have to email and databases makes work easier, and riskier. Employees who don’t use screen locks or two-step verification can create problems if they lose their phone or leave it unattended.
Even in the office, employees can create access points. Workers may think it’s safe to leave their desk unattended during lunch and breaks. This can be a way for delivery personnel, clients, or even other employees to take advantage of open tabs and/or automatic logins.
When employees work from home, their laptop may be as secure as possible, but for those who venture to the nearest coffee shop to work, risk levels rise. Few workers will take their laptop into the restroom or to the counter for a refill: those few minutes could be all that’s needed to find an access point to the company’s data.
Another high-risk area for data incursion is phishing. Emails that look authentic prompt the user to “click here,” leading them to a site that may install viruses, spyware, ransomware, or other malware. Other phishing emails ask the recipient for personal information, passwords, or company information. Many look legitimate, with attackers carefully mimicking logos and signatures to appear credible.
A study from a Stanford University professor and security firm Tessian found that 25% of workers admitted they had clicked on a phishing scam at work. When asked why:
- 45% admitted distraction was the reason
- 43% thought it looked legitimate
- 41% believed it came from a senior executive
As phishing continues to become more sophisticated, those numbers will keep increasing.
An ounce of prevention
If you don’t have a data security policy in place, create one. A data security policy can be as basic as defining who is covered and what their responsibilities are. If you have advanced IT systems or staff in place, policies can be detailed and complex with regard to security, proprietary information, and work product. For those employees, non-disclosure and work-product agreements may be necessary. At minimum, basic policies, guidelines, and training are necessary to keep data secure.
Securing data in-house must also be a priority. Ensure information access is limited to those who need it, not granted company-wide. Make sure logins require two-step authentication and/or don’t allow auto-fill of passwords. Keep anti-virus programs current and require employees to update them on office and personal devices. If possible, don’t share Wi-Fi networks with customers — set up separate access and passwords.
Creating a policy
Explain the need for the policy: outline the risk that unsecured equipment, databases, and systems pose to employee, customer, and proprietary data. Spell out the specific procedures employees must follow, whether they work in-house or remotely. The policy should cover all equipment used to access company information, whether owned by the business or the worker’s own laptops, tablets, or smartphones. Communicate the policy widely and expect questions when it’s distributed.
Train staff on security
Once your policy is in place, require training sessions that give employees specifics on how to keep their personal and work devices and data safe. You can create a video employees have to watch, or run departmental or company-wide training. Online courses are available for everything from the basics to high-level security training.
Training should cover everyone who uses technology and be required for all new hires. Annual refresher courses should be part of your routine as well, and whenever systems receive an update, new training may be necessary. Keep data security top of mind to ensure your staff and systems stay current and protected.
What security training should include
Keeping physical equipment secure, including two-step authentication; making sure smartphones have a locked screen; never leaving equipment unattended.
Recognizing phishing emails, including checking the email’s return address to verify the source, or asking for assistance when unsure whether an email is legitimate.
Securing removable media, like thumb drives or other portable storage that contains company data. Attaching a thumb drive to a key ring, for example, could make it easy for a valet service to copy the information it contains.
Ensuring public Wi-Fi networks are legitimate. One way attackers gain access to data is by setting up fake public Wi-Fi networks in coffee shops or other areas. Remind remote and hybrid employees to ask only the business’s own staff for network names and passwords.
Not reusing passwords across accounts. Employees should be required to use different passwords for different access points. Using one password everywhere, including for personal accounts, makes it easier for an attacker who obtains it to reach company data.
Avoiding unauthorized or unauthenticated software. It may be easier to control which software employees install on their work computers, but also encourage staff to avoid downloading software from unreliable sources on any device they use for work. It could contain viruses or malware.
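Two of the topics above, checking an email’s return address and being wary of mail that claims to come from a senior executive, can be backed by automated checks in a mail filter or help-desk triage tool. The script below is an added example, not code from the original article or from any product it mentions. The corporate domain, the executive names, and the sample headers are constructed assumptions for illustration.

```python
"""Simple From/Reply-To header checks that flag common phishing patterns.
Added example; CORPORATE_DOMAIN, EXECUTIVE_NAMES and SAMPLES are constructed."""
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"              # assumption: your own mail domain
EXECUTIVE_NAMES = {"pat lee", "sam rivera"}   # assumption: names staff would trust


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(headers: dict) -> list:
    """Return human-readable findings for a message's headers.
    An empty list means no check fired; it is not proof the mail is safe."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = _domain(addr)

    # 1. The display name shows an address whose domain differs from the real
    #    sender, e.g. "ceo@example.com" <random@mail.test>.
    name_domain = _domain(name)
    if name_domain and name_domain != from_domain:
        findings.append(f"display name shows {name_domain} but mail is from {from_domain}")

    # 2. Reply-To routes answers to a different domain than the sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        findings.append(f"replies go to {_domain(reply)}, not {from_domain}")

    # 3. The sender domain is a near-miss of the corporate domain.
    if from_domain != CORPORATE_DOMAIN and 0 < _edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"{from_domain} looks like {CORPORATE_DOMAIN}")

    # 4. The display name uses an executive's name but the mail comes from outside.
    lowered = name.lower()
    if from_domain != CORPORATE_DOMAIN and any(n in lowered for n in EXECUTIVE_NAMES):
        findings.append(f"'{name}' named as an executive but sent from {from_domain}")
    return findings


# Constructed sample headers, not real messages.
SAMPLES = {
    "internal": {"From": "Jane Doe <jane.doe@example.com>"},
    "lookalike_exec": {"From": "Pat Lee <pat.lee@examp1e.com>",
                       "Reply-To": "pat.lee.ceo@mailbox.test"},
    "spoofed_name": {"From": '"ceo@example.com" <random@mail.test>'},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, check_headers(hdrs) or ["no findings"])
```

The checks are deliberately cheap so they can run on every inbound message; a hit is a reason to show the user a banner or route the mail to the help desk, not a verdict on its own, and the edit-distance threshold of 2 should be tuned against your own domain to avoid flagging legitimate partners.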
Make reporting safe
At some point an employee will lose their phone or click on something that causes problems. A fast response can help mitigate the risk, but it hinges on employees feeling confident they can report a problem without fear of repercussions. We all make mistakes. Securing data as quickly as possible after a mistake is critical to minimizing the loss of customer, employee, or company information. Make sure employees know it’s better to report the problem quickly, while there may still be time to avoid a breach, and that it’s safe to do so.
Data security is everyone’s responsibility. The company must work hard to ensure its physical, cloud, and in-house equipment and data are safe from incursion. Employees play a key role in maintaining that safety. Make sure they understand how to keep equipment and data secure, for everyone’s protection.