In today’s world, most people know a bit about cyber thieves and data breaches. This being the case, why do we continue to learn of major data breaches here and worldwide? A couple of years ago, a major technology provider conducted a survey of users and IT professionals in the United States and nine other countries, including Brazil, China, France, Germany, Italy, India, Japan and the United Kingdom. The results showed alarmingly high percentages of misuse of company computers by employees and risky behavior that skirted or ignored company guidelines. These issues continue to dog companies large and small all over the world, robbing them of millions of dollars and causing them to lose the trust of customers and business partners.
Perhaps the most jarring fact is that a company’s employees statistically are its biggest security risk. Understanding why employees – knowingly or not – bypass data security rules can help businesses create better security efforts. Breaches frequently occur when the employees’ desire to ignore policies exceeds their understanding of the risks they are taking. The challenge is to effectively communicate how employees’ individual self-interest lines up with the company’s IT security goals and what each employee is expected to do. Every employer needs to be able to spell out the rewards of compliance and the very serious results of noncompliance in words that every employee can understand. IT jargon and fancy phrases won’t cut it.
Many employees simply don’t regard IT security as their concern. A business owner has to help them see that it is, by showing each of them their role in complying with IT procedures. It is crucial that owners foster a two-way dialogue that allows employees to come to their boss with questions, concerns and observations. Nobody likes to tell tales, but employees must be encouraged to report – in confidence – breaches in IT security.
Unauthorized Downloads and Apps
Almost 70 percent of IT professionals in the international survey believed unauthorized use of applications and programs was the cause of about half of their company’s data breaches. Personal email accounts represent the most popular unauthorized apps, closely followed by paying bills online, Internet shopping and instant messaging. When employees do any of these, they risk infecting corporate networks with malware and inadvertently giving entry to hackers.
Unfortunately, in many business operations, employees believe their violations won’t be discovered, and that if they are, the penalties won’t be serious. Employees need to be trained and regularly reminded that policies restricting access to unauthorized apps and sites are not just the boss being a killjoy. They must understand what constitutes an unauthorized site, and why using unauthorized apps on company IT equipment is risky and forbidden. Printing and issuing each employee an IT Security Manual upon hiring is important, but on its own it is not sufficient.
Perhaps the second biggest problem area involves employees transferring files to their personal computers or devices when working remotely. In the survey, a staggering 75 percent of offsite workers admitted to not using any privacy protection when in public places. Anyone who is authorized to work remotely should be issued company equipment (with full, up-to-date security and password protection) that is to be used for business only. This is one area where the scofflaws are frequently top executives. The policy must be applied uniformly from the top down, and it’s crucial that business owners and top executives lead by example.
Stopping data leakage is a worldwide business challenge. By addressing the inside threat created by careless employees and workers who don’t understand how IT policies safeguard their place of employment and their jobs, business owners can be a force for welcome change.