Are Employees Still the Weakest Link?
Mike Simmonds, managing director, Axial Systems, believes company culture has much to answer for when it comes to security
If a business had no staff – or clients – its security could be exemplary. Of course, the concept is nonsense. However, the thought, silly as it is, does highlight how, when humans get involved, life gets risky. And how it’s vital for a business to maintain a secure culture, as well as secure technology.
For example, breaches can occur because security patches have not been applied and tested in a timely and regular manner, or because a simple protective procedure has been ignored for convenience, speed or due to ignorance. Sometimes, though, it’s more complex: making sure, for instance, that data transitioned to the care of a cloud service provider is encrypted whilst ‘in flight’ and at the moment it lands rather than later.
While implementing the right systems is important, organisations must also instil the right culture within the business and its processes and procedures so that employees understand and respect the importance of data security and don’t put the organisation at risk with the way they manage and handle data.
In an age where easy access to data continues to be an absolute necessity, this is not straightforward. Businesses must ensure that employees never compromise security in exchange for being able to access the information they want, when they want it – however frustrating this may be. There is a need for education here. Take the manager who needs to deliver a presentation the next day and wants to store it in an accessible place. There is a “belt-and-braces” inclination to save the slides in multiple locations – on the company laptop, on a file-sharing application and on a memory stick, perhaps, with the rationale that if one location fails on the day, the others can serve as back-up.
Such an approach creates its own problems, and users need to be made aware of the issues and concerns. If the laptop is left on a train, it could be easy prey for anyone with the skill and inclination to break into it. The file-sharing application could also be compromised (or may be open as a searchable resource by nature of its terms and conditions of use), while USB sticks are frequently lost or shared without thought to their prior contents. Simply by taking the data outside of the corporate infrastructure, one is bypassing all the security measures and potentially putting sensitive information at risk.
It’s a clear demonstration of how so many businesses can make themselves vulnerable by effectively sleepwalking into data breaches. So, what’s the solution?
Technology should always be part of it. Data leakage protection should be put in place, providing electronic tracking of files, along with systems that stop users arbitrarily dropping data out to cloud services. Adaptive authentication, in which risk-based multi-factor authentication helps ensure the protection of users accessing websites, portals, browsers or applications, also has an increasingly key role to play. All of the above should happen whilst anti-virus and anti-malware software is kept up-to-date.
Businesses need to hammer home the message that employees must take a personally responsible approach and attitude to managing and protecting data. They must be aware of the potential security threats and do all they can to mitigate them - from keeping secure and responsible care of devices they use at work to ensuring their passwords are strong, unique and frequently changed.
Making sure every employee knows the consequences of non-compliance with regulations such as the General Data Protection Regulation (GDPR) is also important. If they know that penalties can be as severe as £20 million or up to 4% of total turnover – and that jobs could consequently be at stake – the threat is no longer abstract but a real, personal concern.
Maintaining security is difficult enough, especially with cyber criminals often being one step ahead of any solution. But employees should be on the side of the business. If they understand where the risks lie and the consequences, they are less likely to do what’s easiest for themselves regardless, and more likely to think of the broader picture.