Just listen to the news and it’s obvious that data security is a top concern of companies and individuals everywhere – and rightly so. While there are many ways that data can be compromised, often the greatest threat to information security comes from within, from an organization’s very own employees.
According to a recent PwC report, “incidents attributed to hackers, competitors and other outsiders have declined. However, those attributed to insiders, such as third parties—including suppliers, consultants and contractors—and employees, have stayed about the same or increased.”
Employees, or business end users, are increasingly connected, accessing many different applications and websites as part of their work, as well as for communication, personal use and entertainment. They are also traveling more and working from locations that do not always provide the security controls the corporate network would enforce.
Take, for example, an employee who connects to the Internet over an untrusted, unencrypted wireless network at an airport. He clicks on a link from the captive portal web page and inadvertently installs malware onto his corporate device, which the anti-virus software does not detect. When the user is back in the office and connects his laptop to the corporate network, the malware propagates to hundreds of workstations, deleting or encrypting data on local file systems and shared drives. The impact of such a scenario is huge: a major disruption to the business, heavy IT effort and cost to recover, and irreversible loss of data if a robust backup policy is not in place.
This disaster could have been avoided if the end user had been aware of the risks of untrusted wireless networks and had been trained on corporate security best practices for mobile usage, such as using only trusted, encrypted networks and not clicking on suspicious links or sites.
End-users are the last mile of the security chain. If they don’t apply security best practices in their digital travels – as well as physical travel – they can seriously jeopardize the security and health of the complete IT infrastructure.
And, when data security issues occur as a result of employee activities, they’re not the only ones to blame. Often employees are not provided with adequate training and education, nor made aware of corporate security protocols – if such protocols even exist. To address this, companies should take a targeted, user-centric approach to ensure that knowledge and security awareness are delivered to the right user, at the right time.
This type of user-centric approach includes the following activities:
Monitoring Employee Behavior
It’s important to identify employee behaviors that pose risk to the organization. For example: are employees visiting dangerous websites, or downloading executables from untrusted sources? Risk comes not only from the activities employees undertake, but also from the precautions they fail to take because of inadequate training.
Assessing Employee Awareness
Organizations need to assess the level of security awareness by asking concrete questions and identifying weaknesses. Can employees recognize a phishing email? Do they understand what ransomware is? Can they judge whether a website can be trusted? Are they aware of the security tools available to them, and do they know how to react to a suspected security breach?
Once enterprises have a clear assessment of employee behavior as it relates to security, they should segment high-risk users and target them for security awareness training, which may need continuous updating as threats change. Beyond the high-risk group, companies must communicate their security governance protocols to all employees, and this should become part of new employee orientation enterprise-wide. The key to making the training stick is to make it short, frequent and clearly worded so that everyone understands the requirements.
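The monitoring and segmentation steps above are usually done with a proxy log and the results of phishing simulations. The following is an added example written for this page, not code from the original article or any product it mentions: it parses constructed proxy log lines, counts risky behaviors per user (hits on a risky-domain list, proxy blocks, executables fetched over plain HTTP), merges in constructed phishing-simulation results, and applies an illustrative scoring weight to pick out the users who should be first in line for targeted training. The log format, domain list, weights and threshold are all assumptions.

```python
"""Segment users by observed risk: proxy log + phishing-simulation results."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample proxy log (timestamp user url verdict); not real traffic.
SAMPLE_PROXY_LOG = """\
2024-03-04T09:12:01Z alice https://intranet.example.com/portal ALLOW
2024-03-04T09:13:44Z bob http://free-wifi-login.example/offer.exe BLOCK
2024-03-04T09:15:10Z bob http://free-wifi-login.example/setup ALLOW
2024-03-04T10:01:22Z carol https://mail.example.com/inbox ALLOW
2024-03-04T10:05:00Z bob https://paste-bin.example/raw/abc ALLOW
2024-03-04T10:07:31Z alice http://cheap-meds.example/ BLOCK
"""

# Constructed risky-domain list standing in for a proxy category or threat feed.
RISKY_DOMAINS = {"free-wifi-login.example", "cheap-meds.example"}

# Constructed phishing-simulation results: user -> (emails sent, clicked, reported).
SAMPLE_PHISH_RESULTS: Dict[str, Tuple[int, int, int]] = {
    "alice": (4, 0, 3),
    "bob": (4, 3, 0),
    "carol": (4, 1, 1),
}

EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr")


@dataclass
class UserRisk:
    risky_hits: int = 0      # requests to a domain on RISKY_DOMAINS
    blocked: int = 0         # requests the proxy blocked outright
    exe_downloads: int = 0   # executable fetched over plain HTTP
    phish_sent: int = 0
    phish_clicks: int = 0
    phish_reports: int = 0

    def score(self) -> int:
        # Weights are an illustrative assumption, not an industry standard;
        # reporting a simulated phish lowers the score, clicking raises it.
        return (3 * self.risky_hits + 2 * self.blocked + 5 * self.exe_downloads
                + 4 * self.phish_clicks - 2 * self.phish_reports)


def parse_proxy_line(line: str) -> Tuple[str, str, str, str, str]:
    """Split one log line into (user, host, scheme, path, verdict)."""
    _ts, user, url, verdict = line.split()
    parts = urlsplit(url)
    return user, parts.hostname or "", parts.scheme, parts.path, verdict


def build_profiles(log_text: str,
                   phish_results: Dict[str, Tuple[int, int, int]]) -> Dict[str, UserRisk]:
    """Aggregate proxy behavior and phishing-simulation outcomes per user."""
    profiles: Dict[str, UserRisk] = defaultdict(UserRisk)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, host, scheme, path, verdict = parse_proxy_line(line)
        p = profiles[user]
        if host in RISKY_DOMAINS:
            p.risky_hits += 1
        if verdict == "BLOCK":
            p.blocked += 1
        if scheme == "http" and path.lower().endswith(EXECUTABLE_SUFFIXES):
            p.exe_downloads += 1
    for user, (sent, clicked, reported) in phish_results.items():
        p = profiles[user]
        p.phish_sent += sent
        p.phish_clicks += clicked
        p.phish_reports += reported
    return dict(profiles)


def segment(profiles: Dict[str, UserRisk], threshold: int = 8) -> List[str]:
    """Users at or above the threshold, highest score first (threshold assumed)."""
    high = [u for u, p in profiles.items() if p.score() >= threshold]
    return sorted(high, key=lambda u: profiles[u].score(), reverse=True)


if __name__ == "__main__":
    prof = build_profiles(SAMPLE_PROXY_LOG, SAMPLE_PHISH_RESULTS)
    for user, p in sorted(prof.items()):
        print(f"{user:6} score={p.score():3}  {p}")
    print("target for training:", segment(prof))
```

In the sample data only one user crosses the threshold, which is the point of segmentation: the training effort goes to the people whose observed behavior warrants it, while the counts behind the score (which domains, how many clicks, how many reports) give IT something concrete to discuss with them.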
Improving Security Measures
The key to keeping employees aligned with data security protocols is strengthening communication between employees and IT. For example, the CIO or CISO should encourage users to ask questions and to notify IT immediately when they suspect a security breach.
Likewise, IT should report back to users the results of spear-phishing simulations run across the organization. Simulated phishing tests have become a necessary additional security layer, because they measure how users actually behave rather than what they say they know.
Today, employee awareness is as important as any other security control an enterprise puts in place. IT administrators must proactively prompt users to follow security best practices, such as using strong, unique passwords for each application and service, and must periodically review who holds administrative privileges. Encouragingly, as users progress through security awareness training they become more likely to recognize and report attacks.
Today’s mobile, Internet-focused employee is a prime target for cyber criminals, yet with proper vigilance on the part of both employees and IT, even the simplest safety measures can go a long way to thwarting attacks. Employees may be the last mile in the IT security chain, but the first step in ensuring a secure IT environment.