Thomas Reid, a trained Scottish philosopher once said in his Essays on the Intellectual Powers of Man, 1786, “A chain is no stronger than its weakest link”. The same is true for cyber security in business, where you are only as strong as your least informed employee. Cyber-criminals will prey on the most vulnerable, and that is your employees.
The 2019 Insider Data Breach survey highlighted this, where 79% of CIOs said they believe employees have put company data at risk accidentally in the last 12 months, while 61% think employees have put company data at risk maliciously.
Businesses continue to plough resources into cyber crime prevention. However, this is little help when it comes to your biggest weakness – your employees; 90% of data breaches are caused by human error.
With this in mind, let’s take a look at some of the reasons employees pose the biggest cyber security threat to your organisation.
Password Management
Statistics show that 63% of data breaches in businesses involve weak or stolen passwords. Many people are guilty of using birthdays, simple keyboard patterns and celebrity names, but these are far too easy for a cyber-criminal to guess. Splash Data evaluated more than 5 million leaked passwords in 2018 and discovered that ‘123456’ and ‘password’ were yet again in the lead for the most commonly used passwords.
If you want to help reduce the threat your employees pose with their passwords, password management should be a priority. Some of our tips how to do improve this are below:
- Train and remind employees how to create a strong password. You can read our complete guide to creating a password that doesn’t SUCK here.
- Encourage the use of two-factor authentication (2FA) to add that extra layer.
- The PCs in your organisation should have a requirement where the password has to have uppercase letters, lowercase letters, numbers, and symbols.
- Prompt employees to change their password every 45 to 90 days.
The rise of ‘BYOD’
In 2019 work is more mobile than ever, and with that comes the rise of BYOD (Bring Your Own Device). While this has brought many benefits to employees as well as employers, the challenge of finding the most appropriate security solutions to mitigate the security risks associated with BYOD remains.
A common example of a security risk is associated with the remote working trend when employees work at coffee shops, at home, or when travelling. To do this, they often need to connect to hotspots. Unfortunately, public Wi-Fi makes it very easy for cyber criminals to access your business data. We recently heard from Dorset Police first hand of the dangers of public Wi-Fi when a hotel in Bournemouth experienced a cyber-criminal setting up their own Wi-Fi network. While people could still use this ‘duplicate’ Wi-Fi as normal, it also allowed the hacker to gain access to personal and sensitive information of guests.
In order to prevent your business data falling into the wrong hands, you will either need to train your employees on the importance of using a VPN (Virtual Private Network) or look into implementing some form of virtual environment such as a Hosted Workspace for your employees.
A VPN works by encrypting your data through a tunnel that runs between you and the VPN server, acting as a gateway to the Internet and so no one can see it. To find out more about VPNs, you can read our blog here.
A Hosted Workspace that is provided by entrustIT works by having apps and data stored in the cloud in ISO27001 data centres, rather than employees logging into their PC and having all apps and data on your local hard drive. Connecting to the Workspace is done so via the Internet through a firewall where it won’t be hacked, lost or damaged. You can find out more about the entrustIT Hosted Workspace here.
If you’re going to allow BYOD in your organisation, it is vital that a programme is built with clear policies that meet not only employee but security needs. By following the right approach, it is possible to take advantage of the benefits of BYOD without adding significant risk.
Malicious leaks
Not everyone will have your business’ best interests at heart. According to surprising new research, one in four (24 percent) UK employees have intentionally leaked confidential business information to individuals outside of their organisations.
In 2018, Tesla experienced this the hard way when an employee created false usernames in order to make direct changes to the company source code. The employee also exported large amounts of highly sensitive data to unknown third parties. Tesla believe that the employee was triggered to steal the information a month before after being reassigned to an undisclosed new role.
Because of this risk, HR has a role to ensure the workplace culture is aware of the issues around data. They should also be checking that employees only have access to information that they need to do their job to help minimise the risk of it falling into the wrong hands.
Accidental leaks
Most of the time, employees do not share data on purpose, and only realise when it’s too late. This is especially relevant in today’s fast-paced business world where employees multitask and become distracted, causing them to make mistakes such as sending a sensitive attachment to the wrong contact. You should be training your employees to double check email-addresses and contact lists before hitting the ‘send’ button and have them practice file-name standards.
In addition to accidentally sharing data, they may also unknowingly fall for phishing emails. These are sent by cyber-criminals that have been designed to look like they are sent from a legitimate company and ask for sensitive information. More often than not, phishing emails contain a link within the email which can take you to a fake website with a form for you to input your details, or the link once clicked on will begin to download malicious software.
Employees are one of the weakest links in a business’ cyber security system. By committing to the right awareness training, you can reduce the risk of your business falling victim to cybercrime. The awareness shouldn’t just stop after one training course, and should continue throughout the time an employee is with your business.
If you’re ready to take the next step, why not download our FREE cyber security White Paper >>>
