Employees – The best asset and the biggest risk to an organisation


I recently attended the Cloud Expo Asia in Hong Kong, which was co-branded as Cyber Security Expo.  Well, apart from it looking more like Data Centre World than anything else, there were very few Cyber Security exhibitors.  Those that were there were only offering “plug and play” hardware to solve all your Cyber Security issues.

Cyber Security, in some form or another, has been around since 1972, when the first worm and anti-virus were created.  It is interesting to note that both the problem and the solution were created by the same person.  One sometimes wonders if that still happens; call me a cynic or conspiracy theorist, but sometimes in this industry it does feel that is the case.

Anyway, back to the Expo.  What amazed me was the concept that, in this day and age, business people still believe they can make Cyber Security someone else's issue, and that if they pay enough for a piece of hardware or software then they are secure and all their problems have gone away.

This could not be further from the truth.  The biggest risk that any organization faces in terms of Cyber Security is employee negligence.

A survey by information security company Shred-it of over 1,000 small business owners and C-suite executives in the USA found that almost half of these business leaders stated that human error had caused a data breach at their company.

Such human error could be the accidental loss of a device or document, but the ways in which employees pose a risk to organisational security do not stop there.

Below are the 10 biggest employee risk areas:

    1. Malicious or Disgruntled Employees

    An unhappy employee who is planning to leave could steal data, code or intellectual property without the company knowing.  This can be particularly easy for IT staff.

    2. Accidental Misuse of IT Assets

    Employees look for ways to make their lives easier so they can do their job.  Often this means bypassing basic security controls, for example by copying data to external USB devices, using remote solutions to access corporate email, or accessing questionable websites.

    3. BYO Devices

    BYO devices often lack the encryption and protection that company hardware has.  If such a device is lost or hacked into while the employee is using it for corporate work, company data can be exposed.

    4. Email Phishing and Social Engineering Attacks

    One misdirected click on a link in an email can have a catastrophic impact on a business, from the encryption of the entire corporate data set to the disclosure of usernames and passwords.

    5. Weak Passwords

    Many companies still do not enforce complex passwords, and statistically 35% of all passwords appear in existing password lists, meaning they are weak.

    6. Browsing Unsafe Websites

    Unless a company implements some form of website monitoring, an employee can easily access unsafe websites.  These may be genuine sites needed for business purposes, but they can still pose a risk to the business.

    7. Installing Unapproved Software

    Unless restricted, employees can often install anything they want on a company computer, meaning they can install dangerous software that exposes the business to risk.

    8. Social Media

    Not only while at work: whatever an employee posts about a company on their social media can be used to generate an attack against the company.

    9. Third Party Vendors

    Any third-party vendor appointed by an employee should be vetted to ensure they pose no risk to the business.  Whether it is a renovation contractor or a new technology vendor, the vetting should be done.

    10. Complacency

    It is important that employees know they have to report any strange or unusual activity so it can be checked.  Many issues go unreported by employees, leaving the attacker free to do what they want.
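As an added example (not part of the original post), the Python script below shows one way a company can act on item 5 and check candidate passwords against a list of already-known passwords without ever sending the password itself anywhere.  The candidate is hashed with SHA-1 and only the first five hex characters of the hash are used for the lookup; the remaining characters are compared locally.  This is the k-anonymity range-query scheme used by the Have I Been Pwned "Pwned Passwords" service.  The breached-password list here is a tiny constructed sample standing in for a real corpus, and the function names and the 12-character minimum are assumptions of this example.

```python
import hashlib
from collections import defaultdict

# Constructed sample standing in for a real breached-password corpus
# (a real list has hundreds of millions of entries).
KNOWN_BREACHED = ["password", "123456", "qwerty", "letmein", "Welcome1", "P@ssw0rd"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form breached lists are published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords):
    """Index hash suffixes by the first 5 hex digits of the hash (server side)."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


BREACH_INDEX = build_prefix_index(KNOWN_BREACHED)


def lookup_range(prefix: str, index=BREACH_INDEX):
    """Server side of the k-anonymity query: every suffix filed under this prefix.
    The server learns only the 5-character prefix, never the full hash."""
    return index.get(prefix.upper(), set())


def is_known_password(password: str, index=BREACH_INDEX) -> bool:
    """Client side: send the prefix, compare the remaining 35 hex digits locally."""
    digest = sha1_hex(password)
    return digest[5:] in lookup_range(digest[:5], index)


def check_password(password: str, min_length: int = 12, index=BREACH_INDEX):
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_known_password(password, index):
        problems.append("appears in a known breached-password list")
    return problems


def weak_share(passwords, index=BREACH_INDEX) -> float:
    """Fraction of a set of passwords that appear in the breached list (0.0 to 1.0)."""
    if not passwords:
        return 0.0
    hits = sum(1 for pw in passwords if is_known_password(pw, index))
    return hits / len(passwords)


if __name__ == "__main__":
    # Constructed sample of passwords found during an internal audit.
    audit_sample = ["P@ssw0rd", "qwerty", "correct horse battery staple", "Tr4v3l-K3ttle-Rain-9"]
    for pw in audit_sample:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
    print(f"share in breached list: {weak_share(audit_sample):.0%}")
```

The split between `lookup_range` and `is_known_password` is the point of the design: the lookup service only ever sees a five-character prefix shared by many unrelated hashes, so a breached-password check can be offered without the checking party learning which password was tested.  `weak_share` is the kind of measurement behind the "35% of all passwords" figure quoted above, run here over a constructed audit sample.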

Most of the above 10 things cannot be resolved by implementing a bit of hardware or software alone.  Employee training is critical to protecting an organisation from Cyber Security threats.  In my opinion, employee training, if nothing else is done, is an absolute essential requirement.

If you want to enhance the Cyber Awareness of your employees please contact FunctionEight for more details.

Written by Phil Aldridge, Director and Partner of FunctionEight Limited.