If your business has a data security policy, it might include things like a strong firewall, enterprise antivirus packages, encrypted Intranet, regular updates and restricted access to important folders.
But have you considered the biggest threat of all? Increasingly, it’s your employees’ behaviour that can make or break your business’s e-security.
So-called ‘insider threats’ can be just as destructive as an outsider breaking in, if not more so.
In a recent Market Pulse Survey by SailPoint, a rather alarming statistic showed that of the 1,000 office workers who were interviewed at large organisations (>3,000 employees), 1 in 7 confessed that they would sell their company login. Some of them would even do it for as little as $150.
In light of this, you’d almost have to count ‘low staff remuneration’ as a security threat!
The survey also found that 20% of the employees regularly share their login details with coworkers. Together, these results show that some of the world’s biggest companies are on the verge of disaster.
(You can check to see if any of your employees’ email addresses and passwords have appeared in a recent data breach here.)
There’s some good news about all this bad news. These problems aren’t hard to combat. The two issues could be effectively prevented with what I like to call a simple “brain vaccine”: education. (No sharp, pointy objects here).
Here are some pointers that your employees need to know.
## 1. Blind trust equals bust.
A very common way for leaks to occur is through something that often forms the backbone of a business: email. Employees need to learn that even intra-company emails aren’t to be trusted blindly. A hacker can easily spoof a company domain, or even a particular employee’s address if it’s listed publicly.
The content of every email should be considered carefully, with only attachments about relevant and current business to be downloaded. Many times, dubious emails can make it through corporate spam filters, sneaking in malware and other threats.
Social media can also be a threat to information security. Links clicked through Facebook or Twitter can lead to malicious sites that might jeopardise a company’s security measures, for example through exploits hidden in Java applets or embedded Flash.
Teach employees not to blindly trust everything they come across at work, and implement guidelines for the sort of sites they should be visiting whilst on the clock.
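To show why an "internal" email can't be trusted on its From line alone, here is an added example (not part of the original article) that flags the spoofing signs a mail gateway can surface to staff. The domain `example.com`, the gateway ID `mx.example.com` and the sample messages are constructed assumptions, and it assumes all inbound mail passes through a gateway that stamps `Authentication-Results`.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"       # assumption: placeholder for your domain
TRUSTED_AUTHSERV = "mx.example.com"  # assumption: ID your own gateway stamps

def trusted_verdicts(msg, authserv=TRUSTED_AUTHSERV):
    """SPF/DKIM/DMARC results, read only from headers our gateway added.
    A sender can forge Authentication-Results, so foreign ones are ignored."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";", 1)[0].strip().lower() != authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def spoof_warnings(raw, company=COMPANY_DOMAIN):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    warnings = []
    if from_domain == company:
        # Claims to be internal: require a DMARC pass recorded by our gateway.
        if trusted_verdicts(msg).get("dmarc") != "pass":
            warnings.append("internal sender without DMARC pass")
    elif company in display.lower():
        # External address hiding behind a company-looking display name.
        warnings.append("display name imitates company address")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        warnings.append("Reply-To domain differs from From domain")
    return warnings

# Constructed sample messages (headers only), not real mail.
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
From: Alice <alice@example.com>
"""
SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail; dmarc=fail header.from=example.com
Authentication-Results: mail.external.test; dmarc=pass header.from=example.com
From: "Payroll" <payroll@example.com>
Reply-To: payroll@example-payroll.test
"""
LOOKALIKE = """\
Authentication-Results: mx.example.com; dmarc=pass header.from=mailbox.test
From: "alice@example.com" <alice@mailbox.test>
"""
```

The second `Authentication-Results` header in `SPOOFED` claims a pass but did not come from the trusted gateway, so it is ignored and the message is still flagged.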
## 2. Put convenience last.
So, the antivirus software wants to update again? Employees should know that ignoring it is putting the whole company at risk.
Teach employees to act immediately on notifications like these, even if it means putting a bit of a damper on their workflow. In the long run, it’s well worth it.
New malware is created daily, and having old definitions on any single company computer creates a security weak point – even if only for an afternoon.
All it takes is a single hole on a network for trouble to begin, and data thieves don’t take days off.
## 3. Patch-at-‘em.
If you’re a company that delivers OS patches for your computer network centrally, awesome! You’re in good stead.
If, however, computers on your network need to be updated one-by-one, your employees have the responsibility of not ignoring system update requests.
Other software, like Adobe Flash Player, Java Runtime, Office, email clients and other utilities should also be kept up to date. If this isn’t done centrally, teach your employees how to keep these programs updated, and to check for new versions regularly.
## 4. Bad passwords are a capital offence.
No matter their role, it’s everybody’s job to keep information secure within the company. Strong passwords are often the only thing standing between a hacker and your data.
If they don’t know any better, it’s highly likely that one of your employees could well and truly drop the ball, opting for something woeful like ‘12345’ or ‘password’. It needs to be made clear that such password laziness is unacceptable on a corporate computer.
Employees must learn how to make strong and unique passwords, and a great way to accomplish this is to set out a list of password Best Practices for your employees. Ensure they’re using a variety of numbers, letters and symbols (our guide to strong passwords is a good place to start).
Also let them know that if they don’t, they’re violating company security policy.
## 5. Consider encryption.
If employee laptops become lost or stolen while there’s work-related information inside, it’s a serious security threat. Within your company network, there are also documents you don’t want just anyone to see.
Encryption is the gold standard of ensuring private files stay private. You and your employees need to know what it is, as well as how to use it. It’s too important to pass up. Our guide to encryption is a great starting point.
## 6. Make the point.
Simply giving your employees a bunch of rules to follow is a poor long-term strategy. They also need to know the stakes – exactly why these guidelines are so important.
What could happen to your company in the event of a breach or cyber-attack? What might be the consequences for the company, both legal and social? What about an individual employee involved in neglectful or malicious conduct?
These questions should be answered, making it clear that your business’s data security is a serious issue. Jobs, livelihoods and many years of hard work are on the line.
While ignorance might be bliss, knowledge is power. With some basic awareness, your employees can become your data’s greatest ally, rather than its doom.