Why Your Employees Remain Your Greatest IT Risk
When Todd Keeney at Omni Services came to us, his company had been hit twice by ransomware. Ransomware is an extraordinarily devastating form of malicious attack, and it had cost Omni Services tends of thousands of dollars in damages. Yet we were able to help Omni Services avoid future ransomware attacks through our security services.
Monitoring solutions and technology aren’t enough. The greatest threat to a company’s security is its own employees. Employees form the basis of most data breaches, either through negligence or through outright malicious intent. And it isn’t always an issue of training: even conscientious employees can occasionally make mistakes. If you want to protect your business, you need to address employee error first. But that’s easier said than done.
Employees threaten security in a number of ways, from leaving their devices unsecured to sharing passwords with other employees. Ransomware can infect a system as easily as clicking on a link. To address this IT risk, you need to rethink your entire IT strategy from the ground up.
47% of businesses have experienced a data breach due to negligent employees.
Nearly half of all businesses will experience a data breach due to the negligence of their employees. In fact, 81% of data breaches are due to bad password management. Businesses need to manage their employees to manage their security, and that’s easier said than done.
Employees are often negligent with their access to data. They save data on personal devices, allow their personal devices to be compromised, share passwords, and choose passwords that are easily guessed.
Today’s employee often has a wealth of information just on their phone, and that information is easily shared and breached. From company email addresses to document management, employees are responsible for protecting and interacting with tremendously important resources.
A business can invest in an extremely advanced security system, but it still needs to offer its employees access to this confidential data. Employees are the weakest link simply because they are the most common link.
Employers are finding it more difficult to control their employee security.
Soon, 50% of the workforce will be working remotely. Employees are working on their own desktops, laptops, and tablets. They are working on outdated systems and systems that are often poorly secured. Thus, the security landscape is becoming far more challenging for employers: employers are finding it difficult to control their employee’s environments.
An employer can’t ensure that an employee isn’t using their computer for both personal and business things. It can’t ensure that an employee isn’t vulnerable to viruses or malware, or that the employee has locked their device at all times. An employer can’t even ensure that employees aren’t letting their children on their computers.
That doesn’t mean it’s impossible to secure corporate data: it just means that employers need to change the way that they think about security. Rather than securing systems, they need to secure the access and transmission of their data. And they cannot assume that their employees are going to be willing or able to maintain the security of their system on their own.
Employers are increasingly moving towards cloud-based platforms, through which employees access data but do not directly download that data. These cloud-based platforms can keep data secure from external sharing, but they can still be breached if the right authentication practices aren’t used.
Better training and rigid security controls provide some risk management.
Why are employees so uneducated when it comes to security? It may simply be because companies aren’t investing in training. 45% of employees receive no security-related training from their employer. Not only do they not understand why security is so critical, but they also don’t understand what makes a system less secure.
Employee training and access-based controls can improve security for many businesses. Employees will naturally choose better passwords once they learn more about proper password hygiene. They will understand why securing their personal devices is important, and they will have better habits overall.
Rigid security controls go a step further, by disallowing access to content on a role-based or per employee basis. When there is no need for an employee to have access to content, they won’t; this prevents more significant data breaches. By authenticating employees through multi-factor authentication, employers can greatly reduce the chances of data breach.
Technology cannot protect against most social engineering attempts.
Even the most advanced technology today has difficulty identifying phishing and social engineering attempts. If someone calls an employee on the phone and requests their password, there’s no amount of technology that can prevent this from happening.
What modern technology can do is react to unusual access points and the potential for threat. Next-generation solutions can notice that a login is occurring from outside of the country, and can react accordingly to lock an account. Next-generation solutions can identify passwords being sent in an email, and prompt the user to further inquire about the need for this information.
But this isn’t foolproof. None of this can prevent an employee from letting a social engineer into a server room “for maintenance,” or verbally offering their social security number or other personally identifiable information through the phone.
True security solutions cannot rely upon employee competency.
As well-trained as an employee may be, an employee can still make mistakes. Any security method that requires employees to be competent and in control at all times will fail. Systems need to be developed to protect employees against security breaches.
New solutions, such as Microsoft’s new Information Protection suites, are geared around identifying potentially confidential and personally identifiable information. Next generation security solutions are able to flag confidential information before it is shared, thereby protecting employees from accidents and negligence.
Multi-factor authentication services insist that an employee must have both a password as well as a device in order to log in — this means that employers no longer need to rely upon employees using the right passwords.
Thee solutions don’t rely upon the employees conducting their work perfectly. Instead, the solutions react to the possibility that employees will likely make mistakes. These solutions make those mistakes impossible.
Well-trained employees can be a company’s first defense against intrusion.
For the most part, companies find themselves vulnerable because their employees aren’t properly trained or empowered. When employees are well-trained and empowered to act, they are more likely to notice potentially malicious programs and stop intrusion in its tracks. Employees are a vulnerability to companies because they regularly interact with a company’s internal systems and data. They can be a company’s most reporting vehicle, for the very same reason.
If employees know how to identify the signs of an attack and know how to escalate reports of this attack, they can take action. Companies that are able to provide thorough employee training will be able to create informed, rational actors who are able to proactively react to threats.
Are you ready to convert your employees from liability to asset?
Do you want to protect your business against both internal and external threats? You need the help of a knowledgeable partner. At NetLogix, you can connect with a team of highly experienced professionals and specialists.
Ready to Convert Your Employees from Liability to Asset?
If you haven't engaged in employee training or embarked upon next-generation cybersecurity solutions, your company may be at risk of intrusion. Contact NetLogix today to learn more about securing your company against cyber attack.
Marco is the owner and founder of NetLogix, Inc. a Managed IT Security Services firm that has been helping small businesses by providing an innovative and unique blend of managed IT services throughout New England with expertise in Insurance, Legal, Medical & Professional Services. Learn more about Marco and NetLogix here.