Employee attitude is as important as technology when securing data

The UK Government’s 2017 Cyber Security Breach survey notes that: “Breaches are often linked to human factors, highlighting the importance of staff awareness and vigilance. However, few businesses currently provide staff with cyber security training (20%) or have formal policies in this area (33%).”

A US study found a similar result. In the Kaspersky Lab Corporate IT Security Risks survey, 59% of those polled said that the most serious data breach they’d experienced was down to careless or uninformed employee actions.

>See also: Have millennials turned us all into mobile workers? 

It also revealed that the most frequent point of vulnerability was inappropriate usage or sharing data via mobile devices. Mobiles are not just part of the furniture of our lives, they are almost an extension of ourselves. Is it a case that the easier and more intuitive they are to use, the more likely we are to forget the dangers?

Mobile apps are another target, especially those which enable users to store personal details. Increasingly, apps are being used to make life easier in business, particularly by workers in the field such as insurance risk assessors, sales reps and customer service agents. They can store significant amounts of data – often customer information and personal details – and are extremely vulnerable to hackers without the right protection.

People have also become accustomed to being able to work from home or other offices and access all but the most confidential of company information. They see it is as a necessity – a right even – to enable people to do their jobs properly and become frustrated if it’s not possible.

But then employees get lackadaisical. They need to give a presentation the following day and want to store it in an accessible place. Employees don’t want to take any risks – with their performance that is – and take a ‘belt and braces’ approach by saving the slides in multiple locations; on our company laptop, on a file-sharing application and on a memory stick. After all, if one fails on the day, the others can act as a back-up.

>See also: Forget cybercriminals: How to protect data from disgruntled employees

Such an approach creates its own problems. If a laptop is left on a train it could be easy prey to anyone wanting to break in. The file sharing app could potentially be compromised or may be open as a searchable resource by nature of its terms and conditions), USB sticks are frequently lost or shared without any thought as to their prior use. Simply by taking the data outside the corporate infrastructure we are bypassing all the security measures and putting corporate data at risk.

Despite headlines revealing that names such as Uber and Deloitte (a supposed expert in cyber security) have succumbed to major data breaches, many have the attitude that ‘it won’t happen to us’. This is particularly the case in the workplace where ‘somebody else’ is thought to be responsible for security.

But even IT teams are human. Breaches sometime occur because security patches have not been applied and tested in a timely and regular manner, or a simple protective procedure has been ignored, perhaps through lack of time. It can also be more complex, making sure for example, that data transitioned to the care of a cloud service provider is encrypted whilst in flight and at the moment it lands rather than later.

The solution?

Technology has to be part of it. Data leakage protection should be put in place, providing electronic tracking of files, and putting systems in place that stop users arbitrarily dropping data out to cloud services.

Adaptive authentication, in which risk-based multi-factor authentication helps ensure the protection of users accessing websites, portals, browsers or applications, also has an increasingly key role to play. All of the above should happen whilst anti-virus and anti-malware software is kept up-to-date.

>See also: UK businesses as anti-social networks?

Businesses need to hammer home the message that employees must take a personally responsible approach and attitude to managing and protecting data. They must be aware of the potential security threats and do all they can to mitigate them – from keeping secure and responsible care of devices they use at work to ensuring their passwords are strong, unique and frequently changed.

Making sure every employee knows the consequences of non-compliance with regulations such as the General Data Protection Regulation (GDPR) is also important. If they know that penalties can be as severe as £20 million or up to 4% of total turnover – and consequently jobs could be at stake, the threat is no longer abstract but a real, personal concern.

It’s a case of getting employees on the side of the business and making them aware that what might make life easy for them, can put much more at risk in the long run.

 

Sourced by Mike Simmonds, managing director, Axial Systems

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...