Why Your Employees Remain Your Greatest IT Risk
In the past, we’ve written about the importance of taking away employee privileges once they are fired. And there’s a reason for that. Employees can easily become a company’s most significant vulnerability, and it isn’t just malicious former employees who are risks.
Modern employees are managing more data than ever — and it’s everywhere. From the data on their personal phone to the data on their laptop hard drive, employees are being forced to track confidential information, intellectual property, and vendor and customer data. For many businesses, this ultimately leads to costly security breaches.
This is why employee privileges need to be carefully controlled, and why they need to be taken away once employees leave. For the most part, employees can’t be expected to understand the true security needs of a business. Employees need to be fortified through technology, business processes, and ongoing training.
47% of businesses have experienced a data breach due to negligent employees.
Nearly half of all businesses will experience a data breach due to the negligence of their employees. In fact, 81% of data breaches are due to bad password management. Businesses need to manage their employees to manage their security, and that’s easier said than done.
Employees are often negligent with their access to data. They save data on personal devices, allow their personal devices to be compromised, share passwords, and choose passwords that are easily guessed.
Today’s employee often has a wealth of information just on their phone, and that information is easily shared and breached. From company email addresses to document management, employees are responsible for protecting and interacting with tremendously important resources.
A business can invest in an extremely advanced security system, but it still needs to offer its employees access to this confidential data. Employees are the weakest link simply because they are the most common link.
Employers are finding it more difficult to control their employee security.
Soon, 50% of the workforce will be working remotely. Employees are working on their own desktops, laptops, and tablets. They are working on outdated systems and systems that are often poorly secured. Thus, the security landscape is becoming far more challenging for employers: employers are finding it difficult to control their employees’ environments.
An employer can’t ensure that an employee isn’t using their computer for both personal and business purposes. It can’t ensure that an employee isn’t vulnerable to viruses or malware, or that the employee has locked their device at all times. An employer can’t even ensure that employees aren’t letting their children use their computers.
That doesn’t mean it’s impossible to secure corporate data: it just means that employers need to change the way that they think about security. Rather than securing systems, they need to secure the access and transmission of their data. And they cannot assume that their employees are going to be willing or able to maintain the security of their system on their own.
Employers are increasingly moving towards cloud-based platforms, through which employees access data but do not directly download that data. These cloud-based platforms can keep data secure from external sharing, but they can still be breached if the right authentication practices aren’t used.
Better training and rigid security controls provide some risk management.
Why are employees so uneducated when it comes to security? It may simply be because companies aren’t investing in training. 45% of employees receive no security-related training from their employer. Not only do they not understand why security is so critical, but they also don’t understand what makes a system less secure.
Employee training and access-based controls can improve security for many businesses. Employees will naturally choose better passwords once they learn more about proper password hygiene. They will understand why securing their personal devices is important, and they will have better habits overall.
Rigid security controls go a step further, by disallowing access to content on a role-based or per-employee basis. When there is no need for an employee to have access to content, they won’t have it; this prevents more significant data breaches. By authenticating employees through multi-factor authentication, employers can greatly reduce the chances of a data breach.
Technology cannot protect against most social engineering attempts.
Even the most advanced technology today has difficulty identifying phishing and social engineering attempts. If someone calls an employee on the phone and requests their password, there’s no amount of technology that can prevent this from happening.
What modern technology can do is react to unusual access patterns and potential threats. Next-generation solutions can notice that a login is occurring from outside of the country, and can react accordingly by locking the account. Next-generation solutions can identify passwords being sent in an email, and prompt the user to confirm whether the recipient really needs this information.
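The two reactions described above (locking an account after a successful login from an unexpected country, and flagging an outgoing message that appears to contain a password) are straightforward to express as detection logic. The following is an added illustration, not code from InsideOut Networking or from any product the post mentions. The login records and email bodies are constructed sample data, the log line format and the set of "home" countries are assumptions, and the password-detection pattern is a deliberately simple heuristic that a real product would refine.

```python
import re
from dataclasses import dataclass

# Constructed sample login events (not real log data).
# Assumed line format: "<timestamp> <user> <source_country> <success|failure>"
SAMPLE_LOGINS = """\
2024-05-01T08:02:11Z alice US success
2024-05-01T08:15:42Z bob US success
2024-05-01T09:03:07Z alice BR success
2024-05-01T09:10:55Z carol US failure
2024-05-01T09:30:00Z dave RU success
"""

# Assumption: the business and all of its employees normally log in from these countries.
HOME_COUNTRIES = {"US"}

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<country>[A-Z]{2}) (?P<result>success|failure)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    user: str
    country: str
    result: str


def parse_logins(text):
    """Parse the assumed log format into LoginEvent records, rejecting malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOGIN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable login line: {line!r}")
        events.append(LoginEvent(**m.groupdict()))
    return events


def accounts_to_lock(events, home_countries=HOME_COUNTRIES):
    """Return the sorted list of users with a *successful* login from outside the home countries.

    Failed attempts are ignored here: a foreign failure is worth alerting on, but the
    reaction the post describes (locking the account) targets a session that actually
    opened from an unexpected location.
    """
    return sorted(
        {e.user for e in events if e.result == "success" and e.country not in home_countries}
    )


# Simple heuristic for "a password is being sent in this message":
# a password-like keyword, then "is", ":" or "=", then a non-empty token.
PASSWORD_IN_TEXT_RE = re.compile(
    r"\b(?:password|passwd|pwd)\b\s*(?:is|:|=)\s*\S+", re.IGNORECASE
)


def contains_credential(body):
    """True if an outgoing message body looks like it carries a password.

    A product would use this as the trigger to pause sending and prompt the user,
    rather than silently blocking the message.
    """
    return PASSWORD_IN_TEXT_RE.search(body) is not None


if __name__ == "__main__":
    print("lock:", accounts_to_lock(parse_logins(SAMPLE_LOGINS)))
    for body in ("Hi, the VPN password is Summer2024!",
                 "Please reset your password via the portal"):
        print(contains_credential(body), "<-", body)
```

Running the file reports that alice (a second, foreign login after a normal one) and dave should be locked, while bob and carol are left alone; only the first of the two constructed email bodies triggers the credential prompt. The value of this kind of check is exactly what the post notes: it catches the failure modes that a human will not reliably notice, without asking the employee to be vigilant at every moment.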
But this isn’t foolproof. None of this can prevent an employee from letting a social engineer into a server room “for maintenance,” or verbally giving out their social security number or other personally identifiable information over the phone.
True security solutions cannot rely upon employee competency.
As well-trained as an employee may be, an employee can still make mistakes. Any security method that requires employees to be competent and in control at all times will fail. Systems need to be developed to protect employees against security breaches.
New solutions, such as Microsoft’s new Information Protection suites, are geared around identifying potentially confidential and personally identifiable information. Next-generation security solutions are able to flag confidential information before it is shared, thereby protecting employees from accidents and negligence.
Multi-factor authentication services insist that an employee must have both a password as well as a device in order to log in — this means that employers no longer need to rely upon employees using the right passwords.
These solutions don’t rely upon the employees conducting their work perfectly. Instead, the solutions react to the possibility that employees will likely make mistakes. These solutions make those mistakes impossible.
Well-trained employees can be a company’s first defense against intrusion.
For the most part, companies find themselves vulnerable because their employees aren’t properly trained or empowered. When employees are well-trained and empowered to act, they are more likely to notice potentially malicious programs and stop intrusion in its tracks. Employees are a vulnerability to companies because they regularly interact with a company’s internal systems and data. They can be a company’s best detection vehicle, for the very same reason.
If employees know how to identify the signs of an attack and know how to escalate reports of that attack, they can take action. Companies that are able to provide thorough employee training will be able to create informed, rational actors who can respond to threats before they spread.
Are you ready to convert your employees from liability to asset?
At InsideOut Networking, we focus on building your security from within. If you don’t have a strong foundation, your company cannot protect its most important digital assets.
If you haven't engaged in employee training or embarked upon next-generation cybersecurity solutions, your company may be at risk of intrusion. Contact InsideOut Networking today to learn more about securing your company against cyber attack.
I’m Dave Goodenough. I started InsideOut Networking in 2004 with the idea that if we could cut through all the jargon and tech speak and just have real conversations about computers and technology, we could help a lot of people out and develop long-term relationships with our clients.
Today, we have over 2,500 clients who trust us to make sure their computers are always up to date and protected from security threats, allowing them to do exactly what they need.