Employees are the most important asset to your business, but they also create the most risk. According to Cybint, 95% of security breaches are due to human error. And the solution to this problem isn’t as simple as providing more training. In order to combat employee risk, you need to create a security-centered environment. Learn about the most common types of employee risk so you can be prepared to address and manage the problem.
1. Connecting to an Unsecured Network
With the influx of mobile devices—like laptops and cell phones—working remotely is becoming a lot more common. While this offers convenience and flexibility, it can create security issues if employees aren’t careful.
On open public wifi, for example, anyone within radio range can capture the traffic you send, and unless a connection is protected by TLS (HTTPS) or a VPN, its contents are readable.
This exposes you to man-in-the-middle attacks, malware distribution, and rogue hotspots set up to impersonate the venue's real network. Many public networks do not encrypt the wireless link at all, so captured traffic needs no decryption to read.
When working in a remote location, avoid open wifi and wifi that isn't password-protected. Keep in mind that a shared network password only keeps strangers off the network; it does not hide your traffic from other people who know the same password. Adjust your device settings so you don't auto-connect to remembered networks, and turn wifi off when you aren't using it.
If you must use public wifi, disable file sharing, and avoid accessing Personally Identifiable Information (PII). The best option is to route all traffic through a Virtual Private Network (VPN), so the local network sees nothing but encrypted packets.
2. Failing to Recognize Email Phishing
Another area of employee risk is email phishing. Phishing attacks are growing in volume and sophistication, and email phishing is one of the most common types.
Criminals can use email phishing to obtain data and sensitive information, or to trick employees into downloading malware. Some even try to impersonate management or another employee.
Phishers are also getting better at crafting emails that look legitimate, leaving untrained employees vulnerable to an attack.
Regularly train employees on how to detect email phishing. We offer this training to our clients so that employees become assets rather than liabilities.
How to Spot a Phishing Email
The following features generally indicate a phishing email:
- Spelling or grammar errors
- The lack of a personal greeting
- A questionable email address or subject line
- URLs and email domains that appear legitimate but are one letter off (paypa1.com instead of paypal.com, for example)
- Sub-domains that put a trusted brand name in front of a domain the brand doesn't own (paypal.com.example.net, for example)
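The last two checks in this list are mechanical enough to automate. The script below is an added example written for this page, not code from CR-T or from any product the page mentions. It extracts the sender domain and every link from a message, reduces each host to its registrable domain, and flags (a) a trusted brand name appearing as a sub-domain of a domain the brand does not own and (b) a registrable domain that is one character off a trusted one, after folding common look-alike characters. The trusted-domain list, the short stand-in for the Public Suffix List, the confusable-character table and the sample message are all constructed assumptions for the example.

```python
"""Flag e-mail sender and link domains that imitate a trusted brand.

Added example for this page; the allow-list, suffix list, confusable table
and sample message below are constructed assumptions, not real data.
"""
import re
from urllib.parse import urlparse

# Assumption: domains this organisation treats as trusted.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "example.com"}

# Assumption: a short stand-in for the Public Suffix List, enough to get the
# registrable domain right for these multi-label suffixes.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Character swaps attackers use; folding both sides before comparing catches
# "paypa1.com" and "rnicrosoft.com".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample message (not a real phishing e-mail).
SAMPLE_EMAIL = """From: PayPal Support <service@paypal.com.account-verify.net>
Subject: Your account has been limited
Dear customer,
Please confirm at https://www.paypa1.com/login or http://secure.microsoft.com/reset
"""


def registrable_domain(host: str) -> str:
    """'login.paypal.com.evil.net' -> 'evil.net'; 'news.bbc.co.uk' -> 'bbc.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(s: str) -> str:
    """Fold look-alike characters so visually similar names compare equal."""
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch domains that are 'one letter off'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """Return 'trusted', 'brand-in-subdomain', 'lookalike' or 'unknown'."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted brand name left of the registrable domain (paypal.com.evil.net)
    # is a sub-domain the brand does not control.
    sub_labels = host[: len(host) - len(reg)].strip(".").split(".")
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if brands & set(sub_labels):
        return "brand-in-subdomain"
    # Near miss on the registrable domain itself, after confusable folding.
    for t in TRUSTED_DOMAINS:
        if levenshtein(normalise(reg), normalise(t)) <= 1:
            return "lookalike"
    return "unknown"


def scan_email(raw: str) -> dict:
    """Return {host: verdict} for the From address and every link in the body."""
    verdicts = {}
    m = re.search(r"^From:.*?@([\w.-]+)", raw, re.M)
    if m:
        verdicts[m.group(1).lower()] = classify_domain(m.group(1))
    for url in URL_RE.findall(raw):
        host = urlparse(url).hostname
        if host:
            verdicts[host] = classify_domain(host)
    return verdicts


if __name__ == "__main__":
    for host, verdict in scan_email(SAMPLE_EMAIL).items():
        print(f"{verdict:20} {host}")
```

In the sample message the sender domain is flagged as a brand used in a sub-domain, the first link as a look-alike, and the second link passes because its registrable domain is on the trusted list. A production filter would replace the hard-coded suffix list with the real Public Suffix List and would also treat a brand name embedded inside the registrable domain (paypal-security.net) as suspicious; this example deliberately limits itself to the two checks named in the list above.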
If you suspect a phishing email, contact the sender through a channel you already trust, such as a phone number from your own records rather than one taken from the email. Even if the message looks legitimate, be cautious about clicking links or giving out personal information.
It’s never a bad idea to verify the legitimacy of the email over the phone or in person.
Many products and managed service providers offer the ability to test your employees with a staged phishing campaign that shows you which employees have clicked on emails designed to phish you.
We have offered this service to many of our clients and many have accepted, learning quickly how vulnerable their employees made them to attacks. With that knowledge, we were able to go in and educate staff and employees on best practices for email behavior.
3. Inappropriate Sharing of Information
Some employees grow casual when it comes to sharing sensitive information with other people. This includes sharing information with those who shouldn’t have access or sharing files inappropriately via email.
According to Verizon, 54% of employees use personal emails for business transfers.
Some companies even allow the sharing of credentials, instead of creating a unique user login and password for each person. Such practices leave companies vulnerable to theft or data loss.
The first step to improving data security is establishing policies that reflect security best practices.
Train employees on how to share information securely, and establish regular communication to develop appropriate information-sharing relationships. Create separate credentials for each employee, and restrict employee access to information that isn’t relevant to their unique role.
4. Password Behavior
While we are on the subject of sharing information inappropriately, passwords belong in the same category: they are routinely shared when they should not be.
It can be easy for employees to become complacent, often placing productivity and convenience above security.
Cisco estimates that 18% of employees share passwords with their coworkers. And a Softchoice survey revealed that 20% of employees keep passwords in plain sight, such as on a Post-It note.
We saw a prime example of this in the 2018 Steven Spielberg movie, “Ready Player One,” where the protagonist saw the mega-corporate villain’s password on a scribbled sheet of paper and used it to hack his VR account.
Likewise, in almost every Star Wars film, the Empire or the First Order is attacked by the rebels through vulnerabilities in its own infrastructure. 😊
Not all complacency is intentional, but it can still create a lot of problems for your company.
Keep Employees Security-Minded
Another alarming reality is that many employees don’t take security seriously, instead viewing it as someone else’s responsibility.
In a recent Cisco survey, 58% of employees said they were aware of the risks their behavior posed to the company, while 48% did not believe that security policies applied to their role.
Develop concise, formal policies regarding security and the sharing of information, and provide staff with regular cyber security training.
Focus on security awareness from the beginning, especially throughout the recruitment, hiring, and on-boarding process. When you prioritize security, you will be more likely to hire employees who also value security.
Require employees to use a different password for each account, and give them a password manager so the rule is practical to follow. By refusing to cut corners, you make your network more secure for everyone in the workplace.
5. Dangerous Storage Habits
In an effort to make data transfer easier, some employees will store sensitive data on a personal hard drive or upload company files to personal storage. While this might be more convenient for the employee, these personal storage options generally lack the security features of a company network.
This leaves company data vulnerable to identity theft and data breaches.
We often teach our clients' staff how to store and delete data properly and follow best practices for data storage.
To make it easier for employees working remotely, we have provided services and products offering external access to company files by installing a private cloud.
Additionally, utilizing the cloud will give you the flexibility you need, without compromising security. It’s also important to back up all of your data, in case of a security breach.
6. Off-Site and Remote Work Habits
Allowing your employees to work remotely offers more convenience, but it also comes with a number of security risks.
Remote work can lead to employee complacency and poor security measures. If you regularly work from home, you might be tempted to treat a company device like your own personal computer. This can lead to any number of serious security problems, especially if you allow other people to use your work device.
Similarly, working on a personal computer can jeopardize company data, since your computer likely doesn't have the same protection as your company's devices.
Be as responsible working from home as you would be working in an office. Keep work and personal devices separate and use each for their respective purposes.
If you are working in a public location, be aware of who has visibility of your computer, whether that be through the network or physical visibility from someone sitting nearby.
Even if you have the proper security measures in place, a lack of awareness about your personal surroundings can make it easier for another person to identify confidential information on your screen.
Always keep your device with you in public places, and never leave your work device accessible to other people, whether you’re hanging out at Starbucks or at home.
7. Inappropriate Device Use
Just as you would care for your personal devices, it’s important to maintain smart habits when working from a company device.
According to Shred-it's State of the Industry Report, 26% of US workers leave their computers unlocked when they leave work for the day. This means any sensitive information is immediately accessible to anyone near the computer. Do not rely on habit alone: enforce an automatic screen lock after a short idle period on every company device.
Many employees will also install software or browser extensions without informing IT, which can lead to malware infections and leaves IT unaware of what is running on the network.
Furthermore, as the bring your own device (BYOD) movement becomes more popular, a number of additional risks are introduced. This can include lost devices, lack of security updates, connections to unsecured wifi, and company information remaining on an employee’s device after they leave the company.
Create a BYOD policy, detailing which employees are allowed to use a personal device, what they can use it for, and which security obligations each employee will be required to follow.
Use full-disk encryption on all devices, so a lost or stolen device does not become a data breach, and back up any data stored on company devices. Antivirus software adds a further layer of protection.
8. Social Media
Social media can be a great way to connect with partners and clients, as well as allowing for meaningful engagement between coworkers.
However, accessing social media for personal use can affect an employee’s productivity, as well as the company’s security. According to Blue Coat, 41% of employees access social media accounts at work.
Using a company account irresponsibly can lead to malware attacks and the hijacking of websites and social media accounts.
Even more professional sites, like LinkedIn, can create security problems for companies. An Intel Security Survey revealed that two-thirds of respondents never questioned the authenticity of contacts on LinkedIn, and 24% connected with someone they didn’t know.
Any link from a stranger on social media could serve as a phishing attack.
Create a social media policy for your company, and train employees on how to detect scams and phishing on social media. To avoid the inappropriate use of company accounts, only use company devices for company social media accounts, and restrict access to these accounts.
9. Adult Content
Many employees spend time surfing the web while at work, but some websites can be harmful to the network, especially websites with explicit content.
Obviously, viewing adult content at work is inappropriate and almost certainly against any traditional HR policy. It also slows productivity, creates a risk of sexual harassment claims, and presents a number of security risks for your business. High-risk websites often harvest credentials and many infect computers with malware.
Yet despite the risks associated with these sites, Risky Online Behavior found that at least 29% of businesses failed to monitor employees’ use of high-risk websites.
Develop policies regarding which websites are safe to use, and train employees on best practices. It’s also a good idea to use firewalls and proxy servers to block potentially harmful sites.
If you notice problems developing as a result of improper site use, employee monitoring will help you identify unsafe users so you can more quickly address the problem.
10. Employee Fraud and Abuse
Employee fraud and abuse might be more common than you think. Even seemingly trustworthy employees can feel motivated to commit fraud if the opportunity presents itself.
Most people associate fraud with embezzlement, but it can include any form of deception, like theft of business property.
According to the Association of Certified Fraud Examiners, businesses lose about 5% of their annual revenue to employee fraud.
You cannot change an employee’s reasons for committing fraud, but you can eliminate their opportunity to do so.
We perform fraud risk assessments and teach our clients' employees how to recognize fraud and respond to fraud allegations. The basics:
- Keep detailed records
- Frequently monitor your accounts, especially the following:
  - Sales information
  - Customer contact information
  - Corporate credit cards
Protect Your Business and its Employees
While employees have the potential to create a security risk for businesses, every member of the company can play a part in forming solutions.
Establish an environment of security, where every employee receives necessary training and is familiar with workplace policies.
By recognizing the gaps in your security measures, you can better train your employees to promote security at the front lines, instead of allowing it to fall through the cracks.
Here at CR-T, we take pride in providing enterprise-level IT services at prices that work for small businesses. Our team of experts can become your IT support department or we can be that extra hand needed, responding to issues quickly, often before you even know about them. Covering everything from your servers and network infrastructure, to your computers, workstations and mobile devices, we provide end-to-end solutions for all your technology needs.
Time and experience have helped us develop best practices and workflow procedures designed to keep your focus on your business, not your technology.