Employees Who Put Company Security at Risk

We live in a world in which technology is a critical part of nearly everything we do. The rapid advances in technology are a tremendous boon, but with those advances come risks that can be catastrophic to organizations. Just in the last few months, two major cyberattacks (WannaCry and a variation of the Peyta virus) have spread around the world, costing targeted companies billions of dollars.

In this environment, it is critical for companies to employ stronger cybersecurity measures, but it is also important to look at the primary causes of breaches and develop strong strategies to counter them. Undoubtedly, the most difficult obstacle to adequately and appropriately tackle is internal, human error. Unfortunately, human error is the cause of far more issues than most business leaders realize. This difficulty arises from many factors: loyalty, employees morale, re-hiring and re-training costs,  etc.

None of these factors, however, justify ignoring common, easily avoidable and repeated actions that put your company at grave risk. According to the  Verizon 2017 Data Breach Investigations Report, four of the major findings focus on the issue of employee accountability. Of the data breaches that were analyzed:

  • 73 percent were financially motivated. Although disruption alone causes financial damage, and can be the sole motivation, most attacks are intended to make money for the attackers, whether directly or by ransom.
  • 75 percent of data breaches were perpetrated by outsiders. With the exception of the healthcare industry the large percentage of breaches were attacks from outside the organization. This means that lax policies and practices (company-wide or at the individual level) were responsible for the majority of breaches.
  • 81 percent of hacking-related breaches (50 percent of all breaches) leveraged weak or  stolen passwords [LINK TO BLOG 1]. Weak passwords can be eliminated by using basic password creation protocols, but stolen passwords often are the result of individual actions that are not in line with best practices. Using the same password across multiple accounts is the most common issue, especially when work usernames and passwords are used for personal, online accounts where the security levels are unknown. But writing down usernames and passwords and storing them in obvious, easily accessible places also occurs far too often.
  • 93 percent of malware is delivered via email. This is the report finding that is the most troublesome and alarming for businesses. Too many employees either do not understand or simply ignore basic email and web security measures while using their work computers. They open attachments or click email links that are obvious risks, and they browse the internet without basic restrictions while connected to the company network.

All of these issues can and must be addressed through extensive, detailed, regular training and professional development to make your employees your first line of defense. The difficulty arises when employees have been trained adequately – when there is no reasonable excuse for their risky actions. In those situations, it is important to have specific, clear accountability policies in place, and it is critical that they be followed regardless of who the offender is. From the hourly employee to the CEO, basic security measures must be enforced evenly, particularly since the tendency is to downplay the actions of the highest executives while ignoring the increased threat posed by breaches of the information to which they have access. This is one policy that must be applied and enforced comprehensively across an organization.   

When dealing with cybersecurity, there are obvious differences in the severity of human error, as well as the frequency of those mistakes. These differences must be considered when creating a cybersecurity plan that includes progressive consequences of improper actions (including one or more actions that result in immediate termination). The issue of employee cybersecurity accountability cannot be ignored in our modern technological environment, since even one successful breach can cripple many businesses. The potential damages simply are too significant to avoid serious accountability consequences.

At thinkCSC, we believe that in order to achieve maximum success, regardless of the size or type of organization, you must make IT an integral part of your overall business strategy and partner with IT professionals who not only understand how to leverage technology to their advantage but who are also committed to understanding your business goals and aligning your IT strategy to theirs. We pride ourselves on having the best business-savvy technical experts in the industry. If you would like to learn how to create an IT security strategy aligned with your organizational goalscontact thinkCSC for more information.