Employers have learned the hard way that one of the biggest security threats comes from their own staff.
A report published by Ipswitch looks at data breach causes to find out how rogue employees rank. An interesting finding is that up to 75% of data breaches result from insider threats, while a separate report by Veriato suggests that 90% of cybersecurity experts feel that their company is vulnerable to insider attacks. In fact, about 50% of the 472 professionals surveyed said they had suffered these attacks in the previous 12 months.
Deliberate or not, these threats are very real, and however heavily companies invest in data security software, they will remain vulnerable as long as they continue to ignore a huge factor: insiders.
Since employees (insiders) have access to company information, they are a bigger threat to data security than cyber-criminals who may use any number of innovative ways to gain access to the same data.
So why involve employees in implementing data security when they themselves are a weak point?
1. Social engineering trumps security tools
Human error is often the weakest link in an otherwise sound chain, and across technology and the security literature alike, social engineering is the most important vulnerability to be aware of.
By definition, social engineering involves the use of psychological tricks to manipulate people into revealing sensitive information about themselves. For an organization, once the hacker has an employee on the hook, they can gain access to the same data the employee can see. Through social engineering awareness training you can help your employees avoid the three commonest security scams, thereby protecting your company as well: identity theft, vishing, and baiting.
Without adequate education on social engineering to close that loophole, security tools become far less effective.
2. It’s the employee’s responsibility
Apart from preventing the catastrophic aftermath of a social engineering infiltration, data security is the responsibility of every employee in the organization. Consumers expect organizations to protect their data so it’s reasonable to expect employees to make sure the data doesn’t land in the wrong hands.
For example, Dropbox’s 2012 incident, in which hackers stole data belonging to over 60 million Dropbox accounts, was attributed to employee negligence.
As reported, the hackers gained access to the company portal using an employee’s password that had been reused from the LinkedIn breach of the same year, which exposed the emails and passwords of 117 million LinkedIn users.
Such an example shows that, as a company, you can still unwittingly betray the confidence of your customers. While Dropbox wasn’t entirely to blame, the fact that one of its employees reused passwords offered a telling insight into the company’s internal security standards.
3. Regulatory requirements
Organizations are required, through internet security awareness training, to equip their staff with knowledge about data security. Some of the laws, regulations and industry codes include HIPAA, the FTC Red Flags Rule and PCI DSS, among others. While many SMEs don’t do any training to remain compliant, many conduct the training to avoid cyber-attacks.
When assembling an employee training program, be sure to:
- Diversify your training methods. Have a mix of training techniques at your disposal including classrooms, videos, team discussions, newsletters, posters, etc.
- Educate often. Conduct regular training in monthly, quarterly, or annual cycles.
- There’s no one size that fits all. Staff at different levels will start learning from equally different points.
- Don’t ignore industry regulations.
Many business owners make the mistake of taking on responsibility for data security themselves because it’s “too important.” The path to growth and sustainable security practices includes employee training, clearly defined responsibility and promoting a culture of information security.