If you’re invested in the cyber security field you’ll likely have come across many an article discussing the risk employees pose to an organisation’s security – without even meaning to.
Bad practice can usually be overcome with simple policy changes, technical developments and employee education. In this article we’ll highlight a few different ways in which employee habits can lead to a security breach but also how they can be overcome.
Remote and Flexible Working
Flexible and remote working options are becoming increasingly available. It’s no secret this comes with its challenges for IT departments. Cyber security practices are still lagging behind in many situations.
When out and about, employees will sometimes connect to public WiFi, they will often be of the belief that if it has a password it’s secure. This is only really of benefit to the establishment offering the WiFi, if they password protect it they can limit the number of users and so protect their bandwidth.
Personal devices used in a remote or flexible working context also won’t always have the same level of security protection as company issued devices. There may be a substandard firewall or no antivirus. This is very relevant when working with contractors or freelancers who will need to access your network on an adhoc basis.
There’s always a chance an employee could lose or forget a device when out of the office. If it’s not appropriately secured or managed this could leave company data wide open to theft.
How to overcome this:
To protect your network from public WiFi you could use a VPN or a cloud based solution that maintains security levels wherever a connection is made from. As freelancers are less likely to need to access to the most sensitive of company data, this could be ring-fenced on the network to only allow access to those on approved connections.
A mobile device management (MDM) solution can be added to both company and employee owned endpoints so they can be remotely protected, and locked or wiped in the event of loss or theft.
On top of all of this, employee training and conduct policies are essential to explain why protection measures must be put in place and encourage willing adoption.
Removable Media and Cloud Storage
Circumventing security protocols isn’t something employees are necessarily looking to do with malicious intent. In many cases they’re simply trying to do their jobs.
The employee who puts company data on a USB stick to do some extra work at home that evening probably didn’t intend to lose it on their commute. The new employee who wasn’t yet authorised for remote access, so saved documents to their personal Dropbox to close a huge deal, wouldn’t have realised her ‘usual’ password got stolen in the latest major corporation data breach.
How to overcome this:
Technical solutions come into play here. Device restrictions can be enforced to stop the use of removable media on the company network or unauthorised app installation can be disallowed.
In the case of personal devices, contextual policies can be added, such as apps blocked when accessing the company network. Additional restrictions can be added or lifted depending on a wide range of factors, such as time of day, location, employee role and more. Building a solution to suit your organisation’s needs is key.
Paper Still Carries a Risk
There are some very basic ways employees act irresponsibly with your company data without ever touching a device. Most of us will have grown up in a time where we didn’t have a tablet attached to our fingertips and still wrote on paper. Added to this, the post-it is still an office staple and showing no signs of going away.
These mediums can be as big a security threat as your trusty password protected laptop. A printed document or a quick hand-written note could contain highly sensitive information. If not safely locked away, a break in or even just a quick glance by a cleaning contractor could have that information distributed outside your company before you know it.
How to overcome this:
Software is available to restrict printing of sensitive documents and a desk policy where no paper may be left out can be enforced by communication and a company culture shift.
Unattended Devices
Employees get quite comfortable in their environments – the office is meant to be a safe and secure place to work. This doesn’t mean risk isn’t still lurking. That newly hired employee may not be as trustworthy as initially thought, the air conditioning engineer is free to wander the office, or the loyal employee facing redundancy may be feeling reckless.
Screen locking can’t be stressed enough. When a device is left unlocked and unattended, far worse could happen than just a silly screensaver installed as a joke by a colleague.
How to overcome this:
Policies can be devised to enforce screen locking if a device is idle for a certain number of minutes. There are many software tools available which can roll this out network wide to both desktop and mobile devices. On top of this, employees should be encouraged to form the habit of locking their screen manually whenever they leave their device unattended.
Email Susceptibility
An incredibly common way to launch an attack is through the employee email system. An erroneous click on a malicious link can unleash a company-wide virus.
A further trick being used is impersonation. An email from ‘the CEO’ can convincingly be sent to the finance department asking for an urgent payment. Issues such as these can lead to unrecoverable financial losses, irreparable damage to the company image and exposure of private data.
How to overcome this:
With email being increasingly under attack there are measures you can take to integrate enhanced security into your messaging service. Secure messaging enforces granular message controls, delivering protection from the sender to the receiver. Targeted threat protection prevents impersonation with a combination of key indicators. Content control blocks the sending of sensitive information tailored to your organisation.
Awareness Can’t Be Stressed Enough
In all likelihood, employees won’t realise the risk they’re bringing to your organisation. Education into security best practices, highlighting the realistic consequences of a breach, combined with the latest technical solutions are the steps you should be taking.
If you need assistance or guidance in choosing the right security measures for your organisation, we’ll happily chat through this with you.