Whilst working from home during the festive period represents a well-meaning attempt by staff to maintain productivity, it can also expose a business to considerable risk, much to the delight of cyber criminals looking to exploit the Christmas holidays for their own gain. Without due consideration for the security of what they are doing, a careless employee could compromise corporate data and information and, in the worst-case scenario, create a data breach.
Likewise, outside of normal working environments, unsuspecting employees are an easy target for phishing and other forms of attacks during holiday times. Cyber criminals are increasingly exploiting the noise created by Black Friday and Cyber Monday, where unsuspecting shoppers are often more concerned with the latest bargains from retailers, rather than worrying about the safety of their personal information. Furthermore, with colleagues covering busy holiday workloads, less familiar with procedures and controls, it is easy for an email to end up in the wrong hands.
With employees’ intentions in the right place, it is up to organisations to stay one step ahead to ensure that security is not being compromised. A lot of the time this comes down to education and training, because all too often employees are blissfully unaware of the scale of the problem and how they may be compounding it.
To this point, we recently obtained, via a Freedom of Information (FOI) request, statistics from the Information Commissioner’s Office (ICO) on human error, which today remains the main cause of personal data breaches (PDBs). The figures showed that, of the 4856 PDBs reported to the ICO between January and June this year, 60 per cent were the result of human error. Of these, nearly half (43 per cent) were the result of incorrect disclosure. Nearly a fifth (18 per cent) were attributed to emailing information to incorrect recipients or failing to use Bcc, and 5 per cent were caused by providing data in response to a phishing attack.
Adopting a people-centric approach
These statistics show how easily this can happen in the day-to-day working environment, so imagine how this could be amplified when you have employees remotely ‘dipping in and out of work’ whilst on holiday.
Likewise, we commissioned research earlier in the year that explored the reasons why insider data breaches occur. In the research we asked employees if they had accidentally shared data and why they thought this had happened. Of those who had accidentally shared data, almost half (48 per cent) said they had been rushing, and 29 per cent said it happened because they were tired. The most frequently cited employee error was accidentally sending data to the wrong person (45 per cent), while 27 per cent had been caught out by phishing emails. Sending data to the wrong person can be as simple as mis-typing or auto-complete of an email address, a mistake when sending to a distribution list, or simply using the wrong attachment.
However, rather than discouraging employees from keeping up to date with work – because it is inevitable in our 24/7 always-on world – what holiday tips can employers give their employees and what should organisations be thinking about?
Taking organisations first, we recommend that they adopt a people-centric approach. By focusing on people as part of their data security strategy, organisations can build a safety net for users’ behaviour to prevent accidental, as well as malicious, data breaches. This means putting in place solutions that surround the user, providing them with simple and easy-to-use tools so that they can protect sensitive information.
Additionally, comprehensive data analytics and e-discovery can help security administrators establish a baseline of normal behaviours and therefore provide the ability to spot anomalies. Here at Egress we provide a people-centric data security platform that protects and supports users, helping them to make the ‘right’ decisions when sharing sensitive data. By building machine learning into everything we do, we help detect threats and provide a wide range of insights into behavioural patterns to identify anomalies across the organisation. So, for example, if you take the mistyping of email addresses and accidental sends, our platform detects and alerts even on Cc and Bcc recipients that may not belong in a certain message.
But what tips should employers pass on to their employees? Here are my top five recommendations. All are quite simple but, combined with an organisation taking a people-centric approach, they should help keep data safe and hackers at bay during the holiday season.
- Use unique passwords and change them often
Don’t make it easy for them! Birthdays, nicknames, pet and children’s names – these make for terribly insecure passwords that are constantly exploited by even the most amateur of hackers.
- Log out when you have finished
It’s not just something we need to worry about at internet cafes; Wi-Fi, Bluetooth, and network technology have advanced far enough that people accessing your devices is the real concern. That’s why it’s always a good idea to log out of any account if you have finished using it, or if you will be away from the device for an extended period of time.
- Only send sensitive information over email if it is encrypted
Whenever possible, it’s a good idea to only send sensitive information via email that is encrypted. It is never a good idea to send credit card numbers, bank details, passwords, and so on if you haven’t encrypted this data, even if you are sending to a family member or close friend. The fact remains that any critical information sits waiting in their inbox or archives for the day it is accidentally forwarded, phished, or stolen.
- Check any link before clicking
Even if an email looks like it is from a credible source, there is nothing guaranteeing that any links contained within the message lead back to a legitimate source. It’s important that you know where a link is going to take you before you click it. Otherwise, you may unintentionally reveal sensitive information. If an email asks you to click on a link, button, or other hyperlink element, you should first hover over (or preview) that link to see its address. If in doubt, seek advice from your IT team.
- Never download something in an email from an unknown sender
It’s common for hackers to use attachments and downloads in emails to introduce malicious programmes onto users’ devices. More often than not, the user remains completely unaware that they have downloaded these scripts, which can do anything from slowing their device’s performance to stealing their sensitive information. That is why you should never open or download anything inside an email from a sender you don’t recognise or know.
Now, go and enjoy your Christmas festivities!
Tony Pepper, CEO and Co-Founder, Egress