Data breaches are on the rise: every year, 60 per cent of organisations experience a serious security breach, with over 200 million records exposed.
While the cause for such breaches can be numerous, including malicious or criminal attacks, stolen credentials, weak passwords and system malfunctions, many times employees are cited as the number one culprit. According to an industry report by Shred-it, 47 per cent of business leaders cited human error, such as accidental loss of a device or document by an employee, as the cause of a data breach at their organisation.
Our industry is quick to point the finger at employee mistakes as the root of the breach, but is this really the case?
Employee-friendly system in place
The concept that information security is a shared responsibility is hardly a new one. Even if your company has a crack security team of ninja professionals, many of the most pernicious attacks are those that target individual humans rather than the network or other infrastructure. Making it harder for attackers to hack your organisation's humans depends in large part on ingraining the idea that responsibility for security, and for maintaining a high level of security hygiene, is shared. Sure, your security team can put measures in place to filter out attackers, but employees are the last and most important line of defence in deciding whether or not an attack succeeds. Remember that security is more about a set of regular good practices than about any one product or measure run by even the best of security teams.
The Aberdeen Group found that by using security awareness training you can reduce the risk of socially engineered cyberthreats by up to 70 per cent. However, they emphasised the importance of ongoing training to counter the different methods of cyberattacks.
Implementing a quarterly cybersecurity training strategy that is well-designed and engaging is an essential step in this effort. This strategy should not simply consist of long documentation and best-practice presentations.
Instead, it should be interactive and engaging, with relevant real-life examples. If employees see the value and effort put into security training and policies, they'll be more likely to absorb the information and put it into practice. For example, training on how to tell malicious emails from genuine ones is a crucial part of presenting the organisation's best practices.
Clear security communication
When a new vulnerability comes to light, the organisation's security team should present the details of this threat to their fellow employees. Often, these communications are too technical for all employees to understand. When the details are more complicated than they need to be, employees lose interest in learning about the vulnerability and how it may affect their day-to-day responsibilities. Clear messaging is essential when communicating vulnerabilities to employees. The clearer the communication, the more likely employees are to avoid the missteps that might lead to a future attack.
When organisations lack clear and open communication between employees and security teams, additional security issues follow. Kaspersky Lab revealed that 45 per cent of employees are hiding security incidents from their organisations. If employees are not reporting security incidents, there must be a reason why. In some cases employees are afraid to report an incident, fearing they will be held responsible if something goes wrong. Instead of relying on fear tactics, an organisation's security culture should be positive and based on an educational approach rather than a restrictive one.
When employees don't report security incidents, it can hurt the organisation's image and potentially hurt their employers financially. An unreported internal security threat can escalate into a massive data breach.
Information security risks are not just a concern for the employees who look after networks, systems or technology. Any breach that exploits a vulnerability can affect every department of an organisation. Every employee can be affected; a single click on a suspicious link or email, even one from a fellow employee in the organisation, can lead to disaster. For this reason, clear communication needs to be a priority, not an afterthought.
Shortcuts: Don’t play with fire
A common theme at the moment is that employees are the weakest link in your organisation's security. While this might be true, they are also the best defence, provided they are given security policies that are easy to follow and not too complex. Employee security awareness training and best practices need to be simple and user-friendly in order to be effective.
One of the main reasons security policies often don't work is that they tend to be puzzling, which drives employees to take shortcuts and defeats the purpose of implementing company-wide policies. For example, employees are told to change their passwords frequently to make them more secure. Being creative gets exhausting when it's required so often, yet most companies force this on employees for the sake of security.
Another example of a self-defeating security policy is the demand for long and complicated passwords. We're constantly being told to come up with longer passwords that incorporate numerals, uppercase letters and symbols. When presented with this task, many employees simply ignore the policy. Alternatively, they create long passwords that can't easily be memorised and then write them on a post-it note attached to their monitor. While these are quick shortcuts for the employees, this common practice provides no real security for the organisation.
User-centric solutions provide better employee security
One of the most effective ways for organisations to ensure a seamless security strategy for their employees is to implement strong security protocols across the company.
Traditional, outdated security solutions were designed for technical employees. For the less technical employees, security tools were simply frustrating to implement and use in their daily work routine. This has led to the idea that security slows down employee productivity. By implementing complex technical solutions, employees find ways around their security solution, which in the end defeats the entire purpose of enforcing company-wide security solutions.
This is why security solutions need to be more user-friendly, which in turn generates a positive experience. The user interface should be intuitive, straightforward, fitted to employees' daily routines and optimised for the device they are using. If employees are blocked from accessing apps, connecting devices or sending data, explaining the reason behind the block is far less likely to infuriate them.
This user-centric approach is about empowering workers to work more securely, no matter where and when they are working. Ultimately, security is about keeping employees safe but we shouldn’t ignore the role that usability plays in this. Therefore, we need to build in an experience that works for the people who are interacting with it day in and day out.
In a world of major security threats, organisations are placing a stronger emphasis on finding the right tools to combat their perennial security problems. While it's important to keep looking out of the window to see what's happening outside, companies must also keep the house in order internally. If you don't pay attention to the vulnerabilities inside the company, you increase the risk of cyberattacks.
For complete internal security, you will need to make the protocols as easy as possible to apply if you want employees to follow them. By adopting more user-centric tools, your organisation's security will become automated, and the idea that employees are the biggest security risk in your organisation will become a thing of the past.
Sivan Tehila, Director of Solution Architecture, Perimeter 81