Why your staff are your biggest cyber security threat…
In his Essays on the Intellectual Powers of Man (1786), the Scottish philosopher Thomas Reid wrote, “A chain is no stronger than its weakest link”. The same holds true for business cyber security, where you are only as strong as your least informed employee. Cyber criminals prey on the most vulnerable, and that is your staff.
This was revealed in the 2019 Insider Data Breach report, where 79% of CIOs said they believe that employees have unintentionally put company data at risk over the last 12 months, while 61% say that employees have maliciously put company data at risk.
Businesses tend to plough money into the prevention of cyber crime. This is, however, of little help when it comes to your greatest weakness: your employees. 90% of data breaches are caused by human error.
With this in mind, let’s take a look at some of the reasons why employees pose your organisation’s greatest cyber security threat.
According to research, 63% of data breaches in businesses involve weak or stolen passwords. Many people are guilty of using birthdays, simple keyboard patterns and celebrity names, but these are far too easy for a cyber criminal to guess. In 2018, Splash Data analysed more than 5 million leaked passwords and found that ‘123456’ and ‘password’ were once again at the forefront of the most widely used passwords.
If you want to help reduce the danger your workers present with their passwords, the focus should be on password management. Below are some of our tips on how to do this better:
- Train and remind employees how to create a strong password. You can read our complete guide to creating a password that doesn’t SUCK here.
- Encourage the use of two-factor authentication (2FA) to add that extra layer.
- Configure the PCs in your organisation to require passwords that contain uppercase letters, lowercase letters, numbers and symbols.
- Prompt employees to change their password every 45 to 90 days.
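As an added illustration of the password rules listed above (example code, not from the original post), here is a small Python policy check that enforces the character-class rule, rejects the common passwords, keyboard patterns and birthday-style dates the text mentions, and flags passwords older than the 90-day limit. The 12-character minimum and the extra denylist entries are assumptions.

```python
import re
from datetime import date
from typing import List, Optional

# Constructed denylist: the two most common passwords Splash Data reported for 2018, plus assumed extras
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123", "letmein"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 12    # assumed for this example; the post does not state a length
MAX_AGE_DAYS = 90  # upper end of the 45-90 day rotation window given above
# Birthday-style tokens: DD MM YY or DD MM YYYY with optional / . - separators
DATE_RE = re.compile(r"(0[1-9]|[12]\d|3[01])[/.-]?(0[1-9]|1[0-2])[/.-]?(19\d{2}|20\d{2}|\d{2})")

def _has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False

def check_password(pw: str, last_changed: Optional[date] = None,
                   today: Optional[date] = None) -> List[str]:
    """Return the policy rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"\d", pw):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    low = pw.lower()
    deleet = low.translate(str.maketrans("@$013", "asoie"))  # undo common letter substitutions
    if any(c in low or c in deleet for c in COMMON_PASSWORDS):
        problems.append("on the common-password list")
    if _has_keyboard_run(pw):
        problems.append("contains a keyboard pattern")
    if DATE_RE.search(pw):
        problems.append("looks like it contains a date")
    if last_changed is not None:
        age = ((today or date.today()) - last_changed).days
        if age > MAX_AGE_DAYS:
            problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems
```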
The rise of ‘BYOD’
Work these days is more mobile than ever and the rise of BYOD (Bring Your Own Device) comes with it. While this has brought numerous benefits for both employees and employers, the challenge remains to find the most appropriate security solutions to mitigate the safety risks associated with BYOD.
A common example of a security risk that comes with remote working is employees working in coffee shops, at home or while travelling, where more often than not they need to connect to a hotspot. Unfortunately, public Wi-Fi makes it easy for cyber criminals to access your business data. We heard last year from Dorset Police first-hand about the dangers of public Wi-Fi when a Bournemouth hotel found a cyber criminal setting up their own Wi-Fi network. While guests could still use this ‘duplicate’ Wi-Fi as normal, it also enabled the hacker to gain access to personal and sensitive guest information.
To prevent your business data from falling into the wrong hands, you’ll either need to train your employees on the importance of using a VPN (Virtual Private Network) or look at implementing some form of virtual environment for your employees, such as a Hosted Desktop.
A VPN works by encrypting your traffic inside a tunnel between your device and the VPN server, which acts as your Internet gateway, so nobody else on the network can read it. To find out more about VPNs, you can read our blog here.
A Hosted Desktop provided by Serval IT Systems works by keeping apps and data in the cloud in one of our secure data centres, rather than on the local hard drive of each employee’s PC. Employees connect to the Desktop via the Internet through a firewall, so the data is not hacked, lost or damaged. You can find out more about the Serval Hosted Desktop here.
If you’re going to allow BYOD in your company, it’s important to develop a framework with clear policies that meet not only employee needs but also security needs. By adopting the right strategy, BYOD’s benefits can be harnessed without adding significant risk.
Not everybody will have the best interests of your company at heart. One in four (24 percent) of UK staff have intentionally leaked classified company details to people outside of their organisations, according to recent reports.
Tesla experienced this the hard way in 2018 when an employee created false usernames in order to make direct changes to the company source code. The employee also exported large quantities of highly sensitive information to unknown third parties. Tesla believes that the employee was triggered to steal the information a month after being reassigned to an undisclosed new role.
HR has a role to play in ensuring that the workplace culture takes this risk to data seriously. HR should also check that employees only have access to the information they need to do their job, to minimise the risk of it falling into the wrong hands.
Generally, employees do not mean to share data and only realise when it’s too late. This is especially true in today’s fast-paced business world, where staff are multitasking and become distracted, resulting in errors such as mailing a sensitive attachment to the wrong person. You should be training your employees on cyber security best practices, such as double-checking email addresses and contact lists before hitting the ‘send’ button.
Besides sharing data unintentionally, staff can also unknowingly fall for phishing emails. These are sent by cyber criminals who design them to look as though they come from a legitimate organisation and then request confidential information. More often than not, a phishing email contains a link that takes you to a fake website with a form for you to enter your details, or the link starts downloading malicious software once clicked.
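The link-based lures just described can be screened for automatically. The following is an added example (not part of the original post) that parses an HTML email body and flags anchors whose visible text names one site while the href leads to another, or that point straight at a downloadable file. The sample message and domains are constructed, and the file-type list is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")
DOWNLOAD_RE = re.compile(r"\.(exe|zip|scr|js|docm|xlsm)$")  # assumed list for this example

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # only collect text that sits inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _site(host):
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html_body):
    """Flag links whose text names one site but whose href goes elsewhere, and direct file downloads."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        shown = DOMAIN_RE.search(text.lower())  # domain the reader sees in the link text
        if shown and _site(shown.group(0)) != _site(target.hostname or ""):
            findings.append(f"text shows {shown.group(0)} but link goes to {target.hostname}")
        if DOWNLOAD_RE.search(target.path.lower()):
            findings.append(f"link downloads a file: {href}")
    return findings

# Constructed sample of the kind of lure described above (not a real message)
SAMPLE_EMAIL = ('<p>Your account is locked. Sign in at <a href="http://example-bank.com.verify-login.example.net/">'
                'https://www.example-bank.com/login</a> or <a href="http://cdn.example.org/invoice.zip">download your invoice</a>.</p>')
```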
Employees remain one of the weakest links in the cyber security chain. You can only reduce the risk they pose by committing to the right awareness training. That awareness should not stop after one training course; it should be reinforced throughout the time an employee is with your business.
Please get in touch if you need assistance on improving the cyber security in your business.