The biggest cybersecurity risk to businesses is employee negligence


TechViews News

Employee negligence is the main cause of data breaches, according to a state of the industry report by Shred-it, an information security company. The report found that 47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.

Over 1,000 small business owners and third-tier executives in the United States were surveyed online in April for the report.

In 2017, data breaches cost companies an average of $3.6 million each, globally, according to a separate report from the Ponemon Institute. For smaller businesses especially, that price tag could wipe out the entire firm.

“The study’s findings clearly show that seemingly small habits can pose great security risks,” said Shred-it vice president Monu Kalsi.

Basic bad habits 

Many of the most dangerous offenses by employees are things that they might not even think about as risky behavior. A surprising number of workers surveyed by Shred-it admitted to bad security behavior at work; over 25 percent said that they leave their computer unlocked and unattended.

Even taking notes on paper, or leaving papers out on your desk, can have unintended consequences.

“When you use paper to document notes or meeting minutes it raises the risk of you leaving that information behind,” said Kalsi. A simple mistake can backfire; earlier this year, a Department of Homeland Security employee left sensitive Super Bowl security documents on a plane, which were later found by a CNN staffer in the seatback pocket.

The documents, CNN said, included an analysis of the exercises, designed to evaluate the ability of local and federal public health and law enforcement to coordinate a response if a biological attack took place in Minneapolis on Super Bowl Sunday.

Remote work

Working from Starbucks or even your living room may be nice and convenient, but it could also be opening your company up to a dangerous data breach.

Remote work is increasing. Over half of hiring managers agree that remote work is more common and a third think it is the future of work, according to a report on the future of work from Upwork, a freelancing platform.

Cybersecurity practices have not yet caught up. A majority of executives agree that the risk of a data breach is higher when an employee works remotely, yet few businesses have comprehensive off-site policies in place for those workers. Over half of small business owners said they have no policy for remote workers.

Contractors or external vendors also open companies up to data breaches. The Shred-it survey found that 1 in 4 executives and 1 in 5 small business owners said that an external vendor was the cause of a data breach at their company.

This is because many businesses don’t do a thorough job of managing access when a relationship with an external vendor ends, according to Kalsi.

“There needs to be better governance around these things,” he said.

Bridging the training gap

Many companies have training and policies in place to protect data and teach their employees good cyber practices. But those efforts might not be frequent or prevalent enough to truly protect a company.

“The general assumption that a lot of companies make that if you train an employee once a year they will retain that information is a false assumption,” said Kalsi. Training and awareness should be dynamic and ongoing to foster a company culture of good security practices.

In addition, cybersecurity should extend beyond the office and into the home, especially if a company has remote workers or uses external vendors to do business.

“This isn’t just about commercial or business use anymore,” said Michael Tanenbaum, executive vice president and the head of the North America cyber practice at Chubb, a global insurance company. “We’re trying to make sure that as these trends continue, we aren’t just thinking about the commercial end.”


What companies can do 

While transforming a company’s cybersecurity practices can take months or years, here are some actions that can be set in motion right away.

  1. Update the workplace policy. The report suggests a clean desk rule, as well as a chapter of company policy dedicated to remote workers and external vendors.
  2. Secure physical access to information. Keep sensitive information locked in desk drawers or in lockers, shred paper documents when necessary and take notes on a computer or laptop.
  3. Dispose of old hard drives correctly. A lot of companies or employees assume that information can be deleted or cleaned on a hard drive, but it’s not true. The hard drive has to be destroyed.
  4. Make sure every employee knows whom to call. An employee should feel comfortable reporting a lost or stolen device and should do it as quickly as possible. There should be no repercussions for an employee who is honest and forthright about losing sensitive equipment or information. The potential damage from a loss outweighs the fear of telling superiors about it.
