Believe it or not, your staff are the biggest risk to your data security. It doesn’t matter how big or how small your business is, the weakest link in any security system is always the intended user – the person with all the passwords is the person with the power to let people in, however accidentally it may be. With this in mind, the importance of getting your staff up to date with the latest I.T. security measures cannot be overstated.
Recent figures published by the UK Government state that 81 percent of large organisations claimed that there was “an element of staff involvement” in the breaches that they suffered. Simple carelessness is often the biggest problem here. We live in a time where there is almost unlimited access to a world of data, right at our fingertips – something we’re all starting to take for granted.
With every device becoming increasingly connected to the world around us, we’re now able to access our work emails on everything from our desktop PCs at the office to the MP3 players in our pockets.
This ease of instant access means that more and more devices can be connected to your network at any given time – more so if you operate a BYOD (bring your own device) policy at your office. While this may keep your overhead costs down, every device you connect is another doorway into your network, and another route in for people targeting your staff with phishing scams.
Phishing is still one of the most common security scams around, even though it’s something we’re all generally aware of. A recent study by Quartet shows that a phishing campaign sent to 10 of your employees will gain access to your data more than 90 per cent of the time. This is because 23 per cent of the recipients will open the phishing emails and 11 per cent of them will actually go so far as to click on the attachments within.
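As an added illustration (not part of the original article), the 90 per cent figure follows from the per-recipient rates above if each recipient is assumed to act independently. Writing $p$ for the chance that one recipient opens the email and $n$ for the number of recipients, the chance that at least one of them does so is

$$P(\text{at least one opens}) = 1 - (1 - p)^n$$

With $p = 0.23$ and $n = 10$:

$$1 - 0.77^{10} \approx 1 - 0.073 \approx 0.93$$

and using the 11 per cent click rate instead:

$$1 - 0.89^{10} \approx 1 - 0.31 \approx 0.69$$

So a campaign of only ten emails is almost certain to be opened by someone and has roughly two-in-three odds of a click. The quantity a defender can actually shrink is $p$, which is what staff training targets; campaign size is in the attacker’s hands.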
This level of carelessness can be costly, yet it can be easily avoided by teaching your staff about internet security. There are a number of organisations you can rely on to get your staff security trained; 360gsp.com, staysafeonline.org, cpni.gov.uk and sophos.com are some of the recommended ones.
Moving on, due to the huge rise of BYOD culture in the workplace over the last few years, Quartet reported that an astonishing 68 per cent of organisations surveyed had experienced mobile security breaches through phishing scams.
Of course, there are ways around this issue, such as RSA tokens, which can protect you from phishing attempts like these. That, however, is where the next issue comes in.
You may have seen RSA tokens in the form of USB dongles or as a piece of tamper-resistant software which authenticates whichever user is sitting in front of the device. While this is a fantastic defence against phishing scams, it becomes an issue when people lose their devices.
Despite the obvious importance of the RSA token when it comes to your company’s security, many people fall into the habit of leaving their dongles in the same bag as their device.
This is understandable – convenience comes first. Unfortunately, this means that when you forget your laptop at a hotel or on the train, you’ve kindly left your dongle for whoever picks up your machine.
This renders your company’s security efforts null and void, leading to huge costs for the recovery of the device, the dongle and the data, plus any legal fees incurred along the way.
A study by the Ponemon Institute showed that 43 per cent of lost business devices were lost off-site, incurring an average cost of more than $56,000 per device where proper data security was neglected. Installing remote-wipe software never looked quite so important as when you look at those figures.
This brings us to what many people assume to be the number one reason for I.T. security breaches – weak and unreliable passwords. Because most people only tend to reuse two or three passwords across all of their devices and accounts, anyone who obtains a single password generally gains access to several accounts. Implementing a strong set of passwords which are updated regularly is the easiest way to strengthen your I.T. security.
This is especially important when you consider how much easier it is to steal passwords these days. Interestingly, the security behind resetting passwords is often weaker than the passwords themselves.
The proliferation of public social media profiles means that if someone were to try to reset your password, finding your mother’s maiden name, the name of your pet or the answer to any other of your security questions is easier than it has ever been.
So what can be done to get your staff up to date with the latest I.T. security? First things first, change all of your business passwords to something unique and make sure that they are updated at least every 90 days – more frequently if they protect sensitive information. Tell your staff that complacency isn’t worth the thousands it could cost because someone opened what was obviously a phishing scam.
Also be sure to remind them that size doesn’t matter – SMEs accounted for 31 per cent of cyber-attacks in 2012 according to the NCSA. Finally, make sure you reinforce the importance of shutting down your computer. Locking it overnight or putting it in sleep mode isn’t enough. Shutting down allows your PC to install the security updates it needs, and it uses less power too, saving both the environment and your bottom line.
Top/Featured Image: By Chris Amelung / Flickr