Employees are your biggest risk: Data hygiene needs to start at the top
It’s beginning to feel like we’re hearing about big cyber security incidents every day.
From the recent WannaCry malware attack, which affected organisations across the globe, to the ongoing allegations of nation state cyber espionage, cyber security is never out of the news.
To help tackle this ever-evolving threat landscape, there’s a whole host of tools and services available to businesses that offer everything from antivirus software to network monitoring, threat intelligence and authentication systems. But even with the best cyber security system in the world, is any business truly immune from a data breach?
Cyber security professionals have long acknowledged that employees are the weakest link in an organisation’s information security. After all, even with the greatest security systems money can buy in place, staff still need to be able to carry out their jobs in an easy and efficient manner. This leaves room for human error to creep in.
In the last few years, there’s been a host of data breaches which have been the result of employee ignorance when it comes to security. There have been cases of employees falling victim to phishing emails, login credentials being stolen through social engineering, and even instances where employees have downloaded sensitive data to unencrypted personal devices that were then stolen, exposing confidential information to criminals who may seek to use it to their advantage.
Recent research we conducted uncovered that it’s not just unconscious actions which could be causing these employee security slip-ups. We surveyed over 1,000 UK office workers on their use of the cloud, file sharing sites, and personal devices in the workplace – areas which have historically fallen outside of the remit of information security systems – and found that a number of respondents are knowingly breaking company security policy. This is a huge problem for organisations trying to maintain data security.
Our research revealed that a quarter of respondents admit to storing work information in the public cloud even though they are not permitted to. Just under the same proportion of workers use public file sharing services for work information even though they’re not allowed to, while some 31 per cent ignore office protocol and take work home to complete. All of them knowingly flout company security procedures and put their organisation at risk. Additionally, one in 12 people have had access to confidential information that they should not have had.
However, security risks from employees are not just limited to digital information; two thirds of workers reported that colleagues leave printed pages in the printer tray, significantly increasing the chances of documents being seen by the wrong person in the office.
Human error like this will always be a challenge within businesses. Mistakes are a part of life. But simply installing a raft of cyber security tools isn’t going to help tackle these people-based security issues. After all, not all employees in a business can be expected to have the same level of cyber security awareness as an IT professional.
The adoption of new robust data protection policies and practices needs to be a priority. Organisations need to be better at educating their employees to help minimise this risk and stop them consciously making bad security decisions.
Failure to act now could spell big trouble in the coming years. Thanks to the incoming General Data Protection Regulation (GDPR), it’s critical that employees are educated on everyday risks they could be inadvertently opening their organisation up to. The alternative could cost more than just the loss of information. If a company is found in breach of GDPR it will be subject to fines of four per cent of annual global turnover or €20m – whichever is greater. Probably best to avoid that.
Stuart Sykes is managing director at Sharp Business Systems UK.