It’s less than a year until the General Data Protection Regulation (GDPR) comes into force, one of the most important pieces of European business legislation ever to be implemented. The point of this new regulation is to aggressively push organisations into taking appropriate steps to protect the data they hold. If a company is found in breach of GDPR, it will be subject to fines of 4 per cent of annual global turnover or €20 million, whichever is greater.
To comply with these regulations, organisations of all sizes are investing heavily in new cyber security tools. Businesses are now clambering to adopt the latest software, including everything from antivirus software to network monitoring, threat intelligence and authentication systems. But even with the best cyber security system in the world, is any business truly immune from a data breach?
The commonly held view that a data breach will only happen if you are specifically targeted by cyber criminals is simply not true. In fact, cyber security professionals have long acknowledged that employees are the weakest link in an organisation’s information security chain. Even with the greatest security systems money can buy, staff still need to be able to carry out their jobs in an easy and efficient manner, and this leaves room for human error to creep in.
In the last few years, there’s been a host of data breaches which have been the result of employee ignorance when it comes to security. There have been cases of employees falling victim to phishing emails and login credentials being stolen through social engineering. There have even been instances where employees have downloaded sensitive data to their personal devices – which aren’t encrypted and have then been stolen – exposing the data to criminals who may seek to use it to their advantage.
To better understand these employee security slip-ups, we surveyed over 1000 UK office workers on their use of cloud, file sharing sites and personal devices in the workplace – areas which have historically fallen outside the remit of information security systems but will need to be carefully considered in the coming age of GDPR.
Worryingly, we found that a number of respondents are knowingly breaking company security policy, which is a huge problem for organisations trying to maintain data security.
We discovered that a quarter of respondents (24 per cent) store work information in the public cloud even though they are not permitted to. Just under a quarter (23 per cent) of workers use public file sharing services for work information even though they’re not allowed to, and 31 per cent ignore office protocol and take work home to complete. All of them are knowingly ignoring company security procedures and putting their organisation at risk.
Additionally, 1 in 12 people (8 per cent) have had access to confidential information that they should not have had – a concerning thought given the number of employees apparently flouting company data policies.
However, security risks from employees are not just limited to digital information; two-thirds of workers (59 per cent) reported that colleagues leave printed pages in the printer tray, significantly increasing the chances of documents being seen by the wrong person in the office.
The challenge of human error
Dealing with human error like this will always be a challenge within businesses. But with GDPR on the way, staying compliant is going to be even harder when employees are behaving in this way. After all, installing a new cyber security system isn’t going to tackle these people-based security issues on its own. Technology can only get you so far and you cannot expect all employees in a business to have the same level of cyber security awareness as an IT professional.
So how will companies address their employees’ behaviour? As the saying goes ‘you can never change some people’, and there is an element of truth to this. Fundamentally and permanently altering the way people think and behave in the workplace and at home is no mean feat. Changing the way staff approach their working lives can be extremely tricky territory.
We’ve seen many small businesses make timid steps towards tackling their data security by simply getting employees to sign a security policy. This thinking is completely unrealistic: simply providing people with a list of instructions is highly unlikely to generate positive and tangible results. These documents are often ignored, or read and quickly forgotten about. The issue of staff knowingly flouting company policies is reinforced by an innate and misguided notion that a security breach will never happen to them. When storing work in public clouds, taking work home or even choosing poor passwords, any consequences are rarely immediate. This makes it easier to assume that they have ‘gotten away with it’, and the behaviour continues. When a data breach does occur, it’s often a nasty surprise.
Behaviour change needs to come from the continuous building of a security culture within businesses. People are creatures of habit: we are emulators and learn by watching others. With this in mind, businesses can start with regular, varied training that emphasises the risks to data security and continuously promotes a company-wide ‘security-first’ perspective. Senior staff within the company must practise what is preached in these sessions, and also look at ways of changing work processes that may encourage risky security behaviour in the workplace. Senior decision makers need to ask whether they are truly making it easy for their employees to do their jobs effectively without taking hazardous shortcuts.
Shiny new cyber tools are important, but the adoption of robust new data protection policies and behaviours needs to be a priority. Those who not only better educate their employees but also instil a true ‘security-first culture’ will be able to minimise employee risk and help to stop staff consciously making bad security decisions. In turn, they keep their company GDPR compliant.
Sharp has produced a free guide including advice from security and privacy expert Dr Karen Renaud on improving data security, which is available now at www.sharp.co.uk/unlock
Stuart Sykes, Managing Director, Sharp Business Systems UK