Are Your Employees Your Largest Cybersecurity Risk?
No matter how much a business invests in cybersecurity, technology is only part of the puzzle. Even with new hardware, updated software and the best IT support team, cybersecurity is an ongoing commitment, and it must be on the mind of every employee every hour of every day.
A Chain Is Only As Strong As Its Weakest Link.
This idiom is attributed to Thomas Reid who wrote “Essays on the Intellectual Powers of Man” in 1786. It first appeared in print in 1868 in the Cornhill Magazine. Simply put, it means that a group of people can only be as strong or successful as the weakest or least successful member.
Email is a favored method of cybercriminals – email is used to transmit ransomware, viruses and other harmful software.
Each email that each employee opens represents a cybersecurity threat. Only with a continuous and ongoing employee awareness program can you have an effective cybersecurity solution. It only takes one employee opening one email to expose your business to a cyber-attack.
Employees come and go – make sure that critical passwords are changed when an employee leaves. Be sure that new hires understand your cybersecurity policies and know to whom they should report potential risks.
What Can Businesses Do to Ensure Employees Don’t Pose a Security Risk?
First, ensure that you have a firewall, up-to-date anti-virus software and a spam filter. Always make sure that every new computer, laptop or tablet is up-to-date on these items before it is given to an employee.
Email 101. Teach email safety. These simple questions will help employees evaluate emails that originate from unknown senders.
- Who is this email from? Virtually every email should be originating from a fellow employee, a supplier or a customer.
- Why am I getting this email? Emails should relate to an employee’s job description.
- Are attachments safe to open? Have you taught your employees how to decide what types of files are safe to open?
- Does an email threaten to cancel a credit card or close an account if you don’t pay money? Employees need to understand this might be ransomware.
- Is an email really from someone known? Teach employees how to spot suspicious “look-alike” email addresses.
- Does anything just not seem right about an email? Neither the IRS nor the FBI sends emails to employees.
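The "look-alike address" question above is the one employees get wrong most often, because a swapped digit, a Cyrillic letter or a trusted address pasted into the display name all look right at a glance. The following is an added example, not part of the original article, showing how a mail gateway or a simple triage tool can apply that same checklist automatically: it lowercases and decodes the sender's domain, collapses common confusable characters onto their Latin counterparts, and flags domains that are within a couple of edits of a trusted one. The trusted-domain list, the confusable table and the sample headers are constructed for illustration; in practice the list would come from your own address book or supplier directory.

```python
"""Flag sender addresses that imitate trusted domains (constructed example)."""
import re
import unicodedata

# Constructed allow-list for a hypothetical company; replace with your own domains.
TRUSTED_DOMAINS = {"example-corp.com", "supplier.example", "customer.example"}

# Characters commonly substituted for Latin letters in look-alike domains (constructed subset).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, e, o, r
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0131": "i",  # Cyrillic c, s, i; dotless i
}
MAX_DISTANCE = 2  # unknown domains this close to a trusted one are treated as imitations


def decode_idna(domain):
    """Turn an 'xn--' (punycode) domain back into its Unicode form; leave other domains alone."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def normalize(domain):
    """Reduce a domain to an ASCII skeleton so visual imitations collapse onto the original."""
    decomposed = unicodedata.normalize("NFKD", decode_idna(domain.lower()))
    # Drop combining marks (accents), then map confusable characters to the letters they imitate.
    without_marks = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return "".join(CONFUSABLES.get(ch, ch) for ch in without_marks)


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_header(from_header):
    """Return (display_name, address) from a From: header value; address is None if absent."""
    match = re.search(r"<([^>]+)>", from_header)
    if match:
        display = from_header[:match.start()].strip().strip('"')
        addr = match.group(1).strip()
    else:
        display, addr = "", from_header.strip()
    return display, (addr if "@" in addr else None)


def classify_sender(from_header):
    """Classify a From: header as trusted, display-name-mismatch, lookalike-of:<domain>, unknown or invalid."""
    display, addr = split_header(from_header)
    if addr is None:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted address written into the display name over an untrusted mailbox.
    if any(trusted in display.lower() for trusted in TRUSTED_DOMAINS):
        return "display-name-mismatch"
    skeleton = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if skeleton == trusted or edit_distance(skeleton, trusted) <= MAX_DISTANCE:
            return "lookalike-of:" + trusted
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, four imitations, one unrelated, one malformed.
    samples = [
        "Alice <alice@example-corp.com>",
        "Accounts Payable <ap@examp1e-corp.com>",
        "IT Helpdesk <helpdesk@example-corp.co>",
        "CEO <ceo@ex\u0430mple-corp.com>",
        "alice@example-corp.com <someone@freemail.example>",
        "news@unrelated.example",
        "not an address",
    ]
    for header in samples:
        print(f"{classify_sender(header):32} {header}")
```

Anything other than "trusted" is a prompt for the employee (or the gateway) to stop and verify through a known channel; the skeleton comparison is deliberately generous, so treat its output as a review flag rather than a verdict.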
Continuing Education for your Employees. People are people, and they forget. Employees need ongoing training about email safety. Keep the training short and exciting to keep their attention.
- Weekly mini sessions – perhaps by department.
- Utilize a speaker from your IT provider.
- Weekly email “Cybersecurity Tip of the Week.”
- Share actual case studies (specific to your industry is ideal).
- Monthly E-newsletter – could be part of your IT partner’s service.
- Simulated phishing attack conducted by your IT partner.
The Power of Human Error
Even after you educate your employees, human error accounts for almost 50 percent of data breaches. The accidental loss of a device or a misplaced document may be the cause of a severe security breach. Shred-It vice president Monu Kalsi observes that the smallest bad habits may result in substantial security risks. Examples include:
- Leaving a work computer unsecured while on break or in a meeting.
- Leaving sensitive documents out on a desk overnight.
- Accidentally leaving sensitive documents on an airplane (the Homeland Security Super Bowl debacle).
- Leaving sensitive documents within view of others in a public space.
- Using public Wi-Fi.
- Sharing a company-issued computer with family or friends.
Draft a written policy and provide it to each employee who works remotely from home or while traveling.
Another potential source of human error is sub-contractors or vendors who have access to your facilities and/or employees. The Shred-It study showed that 20-25 percent of security breaches were caused by vendors. Ensure that all ties are severed when a vendor relationship ends – change codes for keyed entrances whenever there is a vendor change.
Attention to small details may save your company lots of money.
The Bottom Line …
Employees are human. They make mistakes or commit errors in judgment. They also forget. Invest in updates for firewalls, security software and well-trained IT personnel. Regular cybersecurity training for your employees protects your business from damaging cyber-attacks.
- Update policies. Incorporate a clean desk policy to prevent unauthorized copying or theft of critical documents. Develop and institute a vendor policy and a remote employee policy.
- Go paperless whenever possible. Invest in technology that scans essential documents into PDFs that are emailed to the owner of the document. Shred the document immediately after scanning.
- Hard drive disposal. Destroy obsolete hard drives. Never throw them away because even deleted information can be retrieved by smart cybercriminals.
- Lost device policy. Designate someone whom employees can notify immediately if equipment is lost or stolen.