Mike Simmonds, managing director, Axial Systems believes employee attitude is as important as technology when securing data
Despite the glaring headlines about data breaches and the loss of confidential information, the more we use technology, the more careless we become about security. Yet, when things do go wrong, we tend to blame the technology itself. But time after time, it’s only when humans get involved that technology gets risky.
The UK Government’s 2017 Cyber Security Breach survey note that: “Breaches were often linked to human factors, highlighting the importance of staff awareness and vigilance. However, few businesses currently provide staff with cyber security training (20%) or have formal policies in this area (33%).”
A US study found a similar result. In the Kaspersky Lab Corporate IT Security Risks survey, 59% of those polled said that the most serious data breach they’d experienced was down to careless or uninformed employee actions. It also revealed that the most frequent point of vulnerability was inappropriate usage or sharing data via mobile devices. Mobiles are not just part of the furniture of our lives, they are almost an extension of ourselves. Is it a case that the easier and more intuitive they are to use, the more likely we are to forget the dangers?
Mobile apps are another target, especially those which enable users to store personal details. Increasingly, apps are being used to make life easier in business, particularly by workers in the field such as insurance risk assessors, sales reps and customer service agents. They can store significant amounts of data – often customer information and personal details – and are extremely vulnerable to hackers without the right protection.
We’ve also become accustomed to being able to work from home or other offices and access all but the most confidential of company information. We see it is as a necessity – a right even – to enable us to do our jobs properly and become frustrated if it’s not possible.
But then we get lackadaisical. We need to give a presentation the following day and want to store it in an accessible place. We don’t want to take any risks – with our performance that is – and take a ‘belt and braces’ approach by saving the slides in multiple locations; on our company laptop, on a file-sharing application and on a memory stick. After all, if one fails on the day, the others can act as a back-up.
Such an approach creates its own problems. If a laptop is left on a train it could be easy prey to anyone wanting to break in. The file sharing app could potentially be compromised or may be open as a searchable resource by nature of its terms and conditions), USB sticks are frequently lost or shared without any thought as to their prior use. Simply by taking the data outside the corporate infrastructure we are bypassing all the security measures and putting corporate data at risk.
Despite headlines telling us that names such as Uber and Deloitte (a supposed expert in cyber security) have succumbed to major data breaches, many have the attitude that ‘it won’t happen to us’. This is particularly the case in the workplace where ‘somebody else’ is thought to be responsible for security.
But even IT teams are human. Breaches sometime occur because security patches have not been applied and tested in a timely and regular manner, or a simple protective procedure has been ignored, perhaps through lack of time. It can also be more complex, making sure for example, that data transitioned to the care of a cloud service provider is encrypted whilst in flight and at the moment it lands rather than later.
So, what’s the solution? Technology has to be part of it. Data leakage protection should be put in place, providing electronic tracking of files, and putting systems in place that stop users arbitrarily dropping data out to cloud services. Adaptive authentication, in which risk-based multi-factor authentication helps ensure the protection of users accessing websites, portals, browsers or applications, also has an increasingly key role to play. All of the above should happen whilst anti-virus and anti-malware software is kept up-to-date.
Businesses need to hammer home the message that employees must take a personally responsible approach and attitude to managing and protecting data. They must be aware of the potential security threats and do all they can to mitigate them – from keeping secure and responsible care of devices they use at work to ensuring their passwords are strong, unique and frequently changed.
Making sure every employee knows the consequences of non-compliance with regulations such as the General Data Protection Regulation (GDPR) is also important. If they know that penalties can be as severe as £20 million or up to 4% of total turnover – and consequently jobs could be at stake, the threat is no longer abstract but a real, personal concern.
It’s a case of getting employees on the side of the business and making them aware that what might make life easy for them, can put much more at risk in the long run.
