Data security breaches seem to be popping up almost daily. From the 2015 IRS breach, to the hacking of federal government employees’ data by China, it’s clear much of our most important data are at risk. Yet, one of the most obvious frontline defenses is often overlooked.
When people think of hacking attempts, Hollywood makes it seem that it’s a matter of overcoming a computer system or firewall through some brilliant algorithm or brute force attack. But in reality, the easiest way to hack into an organization is through its employees.
Statistically, most data breaches are inadvertent rather than malicious. This is because many of the most common breaches happen when an uninformed employee, or one not following policies, accidentally exposes company data. It’s significantly easier to fool a person by putting together a nice-looking email and website that asks them to verify their credentials because of a reported breach at their bank (ironic, isn’t it?). What’s hard is hacking into a network running systems with endpoint protection, next-generation firewalls, and servers with the latest security patches. Cybercriminals and other hackers send phishing emails to large groups of people, and it only takes a single mouse click from an employee to accidentally expose a company to malware. An untrained employee is an easy mark, and he or she is a risk that needs addressing.
Putting your data security practices into policy
Before you can begin training your employees on data security, it’s important to have your own data security policy defined. Companies should first try to understand the digital assets they’re trying to protect – is it medical or personal information? Is it financial data or intellectual property? Is the organization required by law or regulation to protect certain information? Classifying data is an excellent first step towards understanding what kind of information a firm may want to protect, as well as which data requires a more secure process when shared outside the organization.
Regardless of industry, there are many general practices a business should consider incorporating into their data security policies. Here’s a quick hit list:
- Power down or lock your computer when you’re away
- Always lock laptops and other small and mobile devices in a drawer when you leave work
- Create complex, unique passwords for accounts, and change them frequently
- Ensure compliance with any security requirements related to your organization’s industry
- Use the appropriate tools and methods to share information – non-sensitive messages may be sent through email, but confidential data or files should be sent through a secure messaging or sharing solution.
For a policy to be effective, following it needs to be second nature for employees. But reading a policy and understanding it are often two different things. Training and education are the best ways to instill a culture of security in employees, and should be a priority starting on day one. During employee onboarding or orientation sessions, companies should take time not only to explain the policies, but to provide concrete examples as well. This means showing employees how to detect suspicious emails, how to determine if a website’s URL is dangerous, as well as reminding people that no Nigerian princes actually need help wiring money.
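The kind of concrete example worth walking through in a training session is what actually makes a link in an email look wrong: the registered domain is not the one the brand name suggests, the name is one character off, the host is a raw IP address or uses internationalized characters, or there is an "@" in the address so the browser connects somewhere other than the part a reader notices first. The following script is an added illustration of those checks; it is not from this article. The allowlist `TRUSTED_DOMAINS`, the sample message, and the simplistic "last two labels" notion of a registered domain (which ignores multi-part suffixes such as .co.uk and does not consult the Public Suffix List) are all constructed assumptions for the demonstration.

```python
"""Heuristic link checker for phishing-awareness training (constructed example)."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlparse

# Constructed allowlist: domains this hypothetical organization expects staff to visit.
TRUSTED_DOMAINS = {"examplebank.com", "example-corp.com"}

# Rough matcher for links inside a plain-text email body.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')]+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Assumption: no multi-part public suffixes (.co.uk etc.); a real tool
    would use the Public Suffix List instead of this shortcut.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str) -> list[str]:
    """Return human-readable reasons a link deserves suspicion (empty list if none fired)."""
    reasons: list[str] = []
    had_scheme = "://" in url
    parsed = urlparse(url if had_scheme else "http://" + url)
    host = (parsed.hostname or "").lower()

    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme '{parsed.scheme}'")
    elif parsed.scheme == "http" and had_scheme:
        reasons.append("plain HTTP (no TLS)")

    # user@host: everything before '@' is userinfo; the browser connects to 'host'.
    if "@" in parsed.netloc:
        reasons.append(f"'@' in the address: the browser will actually connect to {host}")

    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    if any(label.startswith("xn--") for label in host.split(".")) or any(ord(c) > 127 for c in host):
        reasons.append("internationalized (IDN/punycode) host: possible look-alike characters")

    reg = registered_domain(host)
    if reg and reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host:
                reasons.append(f"mentions '{brand}' but is registered under '{reg}', not '{trusted}'")
            elif edit_distance(reg.split(".")[0], brand) <= 2:
                reasons.append(f"'{reg}' is within two characters of '{trusted}' (possible typosquat)")
    return reasons


def check_email_body(body: str) -> dict[str, list[str]]:
    """Extract every link from a plain-text email and assess each one."""
    results: dict[str, list[str]] = {}
    for m in URL_RE.finditer(body):
        link = m.group(0).rstrip(".,;:!?")  # drop sentence punctuation glued to the link
        results[link] = assess_url(link)
    return results


if __name__ == "__main__":
    # Constructed sample modelled on the "verify your credentials" lure described above.
    SAMPLE = """Dear customer,
We detected a security incident. Please verify your account at
http://examplebank.com.account-verify.example.net/login
or https://examp1ebank.com/secure. Questions? See https://www.examplebank.com/help
"""
    for link, flags in check_email_body(SAMPLE).items():
        print(f"{'SUSPICIOUS' if flags else 'ok':10} {link}")
        for flag in flags:
            print(f"             - {flag}")
```

Run against the sample message, the first two links are flagged (wrong registered domain behind a familiar-looking prefix; a digit "1" standing in for the letter "l") and the genuine help page is not. The value for training is not the script itself but the habit it encodes: read the registered domain from the right, not the brand name from the left.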
Oftentimes, training is a one-time event, but it really should be performed on a regular basis to both remind employees of possible security issues, as well as educate them on new hacking methods and attacks that are being discovered every day. The best training is hands-on when possible, and continual reminders – like newsletters or warnings for particular current or ongoing attacks – can help keep employees’ awareness levels high.
The mobile dilemma
As employees increasingly work remotely and go mobile, companies benefit from the boosted productivity that comes with greater access to corporate resources such as email, CRM, and other internal systems. But that broader accessibility comes with a new set of security concerns. Mobile devices are occasionally lost or stolen, and the data stored on them goes with them. And as personal and company data commingle, privacy concerns begin to surface. The risks are only growing as workforces become more mobile, so it’s essential to update policies and training to incorporate the use of these devices.
Many employees scoff at the idea of carrying two mobile phones, or having to use an ancient corporate device when they have access to a shiny new smartphone, tablet, or laptop. Some companies accept this as the reality of a more mobile workforce, and allow employees to use their own devices. It’s known as the “bring your own device” (BYOD) movement, and it’s a hotly debated topic for IT professionals. An employee’s smartphone, for example, can serve as both a personal device, and as a way to access and share confidential corporate information such as email, files, and texts. An employee could easily install a file syncing app that exfiltrates corporate data onto a personal device or computer. And if they accidentally lose their device, both personal and company data are now in danger.
While remedies like company-owned devices and Enterprise Mobility Management (EMM) systems are available to reduce the risk, your employees can be your first and best way to combat these threats. With the increasing number of breaches and the continued BYOD and mobile workforce trends, data security concerns aren’t going away.
To support a secure infrastructure, it’s clear that organizations need the hardware- and software-based protection that firewalls, intrusion detection and prevention systems, DLP, and malware detection provide. But just as important is making sure that the people who operate within those safe corporate walls understand the risks and know how to avoid falling victim to external threats.