Why Your Employees Remain Your Greatest IT Risk
As a part of our managed IT services, we provide complete IT security, monitoring, and maintenance. But security isn’t just about technology: it’s also about training. At Questing Hound, we believe that we’re a team, and we work hard to build relationships with each of our clients. That includes relationships with your employees.
People make mistakes. Regardless of your company’s security training and security level, someone will make a mistake at some point in time — and when they do, the results can be devastating. Our 365/24/7 monitoring and response services can help.
Here’s what you need to know about managing and mitigating the risks that employees can present.
47% of businesses have experienced a data breach due to negligent employees.
Nearly half of all businesses will experience a data breach due to the negligence of their employees. In fact, 81% of data breaches are due to bad password management. Businesses need to manage their employees to manage their security, and that’s easier said than done.
Employees are often negligent with their access to data. They save data on personal devices, allow their personal devices to be compromised, share passwords, and choose passwords that are easily guessed.
Today’s employee often has a wealth of information just on their phone, and that information is easily shared and breached. From company email addresses to document management, employees are responsible for protecting and interacting with tremendously important resources.
A business can invest in an extremely advanced security system, but it still needs to offer its employees access to this confidential data. Employees are the weakest link simply because they are the most common link.
Employers are finding it more difficult to control their employee security.
Soon, 50% of the workforce will be working remotely. Employees are working on their own desktops, laptops, and tablets. They are working on outdated systems and systems that are often poorly secured. Thus, the security landscape is becoming far more challenging for employers: employers are finding it difficult to control their employees’ environments.
An employer can’t ensure that an employee isn’t using their computer for both personal and business purposes. It can’t ensure that an employee isn’t vulnerable to viruses or malware, or that the employee has locked their device at all times. An employer can’t even ensure that employees aren’t letting their children on their computers.
That doesn’t mean it’s impossible to secure corporate data: it just means that employers need to change the way that they think about security. Rather than securing systems, they need to secure the access and transmission of their data. And they cannot assume that their employees are going to be willing or able to maintain the security of their system on their own.
Employers are increasingly moving towards cloud-based platforms, through which employees access data but do not directly download that data. These cloud-based platforms can keep data secure from external sharing, but they can still be breached if the right authentication practices aren’t used.
Better training and rigid security controls provide some risk management.
Why are employees so uneducated when it comes to security? It may simply be because companies aren’t investing in training. 45% of employees receive no security-related training from their employer. Not only do they not understand why security is so critical, but they also don’t understand what makes a system less secure.
Employee training and access-based controls can improve security for many businesses. Employees will naturally choose better passwords once they learn more about proper password hygiene. They will understand why securing their personal devices is important, and they will have better habits overall.
Rigid security controls go a step further, by disallowing access to content on a role-based or per-employee basis. When there is no need for an employee to have access to content, they won’t have it; this prevents more significant data breaches. By authenticating employees through multi-factor authentication, employers can greatly reduce the chances of a data breach.
Technology cannot protect against most social engineering attempts.
Even the most advanced technology today has difficulty identifying phishing and social engineering attempts. If someone calls an employee on the phone and requests their password, there’s no amount of technology that can prevent this from happening.
What modern technology can do is react to unusual access points and the potential for threat. Next-generation solutions can notice that a login is occurring from outside of the country, and can react accordingly to lock an account. Next-generation solutions can identify passwords being sent in an email, and prompt the user to further inquire about the need for this information.
But this isn’t foolproof. None of this can prevent an employee from letting a social engineer into a server room “for maintenance,” or verbally offering their social security number or other personally identifiable information through the phone.
True security solutions cannot rely upon employee competency.
As well-trained as an employee may be, an employee can still make mistakes. Any security method that requires employees to be competent and in control at all times will fail. Systems need to be developed to protect employees against security breaches.
New solutions, such as Q-Managed Email Protection Suite, are geared around identifying potentially confidential and personally identifiable information. Next-generation security solutions are able to flag confidential information before it is shared, thereby protecting employees from accidents and negligence.
Multi-factor authentication services insist that an employee must have both a password and a device in order to log in — this means that employers no longer need to rely upon employees using the right passwords.
These solutions don’t rely upon the employees conducting their work perfectly. Instead, the solutions react to the possibility that employees will likely make mistakes. These solutions make those mistakes impossible.
Well-trained employees can be a company’s first defense against intrusion.
For the most part, companies find themselves vulnerable because their employees aren’t properly trained or empowered. When employees are well-trained and empowered to act, they are more likely to notice potentially malicious programs and stop intrusion in its tracks. Employees are a vulnerability to companies because they regularly interact with a company’s internal systems and data. They can be a company’s most reporting vehicle, for the very same reason.
If employees know how to identify the signs of an attack and know how to escalate reports of this attack, they can take action. Companies that are able to provide thorough employee training will be able to create informed, rational actors who are able to proactively react to threats.
Are you ready to convert your employees from liability to asset?
Of course, even if your employees are your greatest threat, they can hardly be avoided. Employees need to be trained and given the right tools if they are to keep your company secure.
Ready to Convert Your Employees from Liability to Asset?
If you haven't engaged in employee training or embarked upon next-generation cybersecurity solutions, your company may be at risk of intrusion. Contact QuestingHound today to learn more about securing your company against cyber attack.
John Boden is a Managing Partner at QuestingHound, Inc., a Deerfield Beach IT support company that has been helping small businesses in South Florida stop focusing on IT and get back to doing business for the past 18 years. He promotes a culture that is dedicated to the highest standard of ethics, hard work, and outstanding customer service.