When we say cyber security, we often immediately think of malicious hacking attempts, or worse, successful ones. Fact is, we have to practice good security habits not just to prevent any such attacks but also to become more aware of how our own negligent behavior can actually be the problem.
The global economy loses billions of dollars yearly due to stolen intellectual property, personal information theft, and ultimately, companies pay the initial price of that multiplied by a factor of a hundred due to loss of image and consumer trust.
We could basically divide data breaches into two categories based on where they come from: insider or outsider breaches.
When a data breach comes from the inside, we then consider two further scenarios: was the employee who caused it acting intentionally and maliciously, or was that person simply negligent, not cyber security savvy and literate? To add to that, it is estimated that more than two thirds of security breaches and data misappropriations fall under the first umbrella, the insider data breach.
Insider Negligence and What This Means for Your Business
From the point of view of security, there is no major distinction between intentional and unintentional data loss as the result is the same and your business will be taking that hit, ultimately. However, insider negligence is something that can be worked on immediately through providing your employees with sufficient educational tools to understand what the main areas of vigilance are.
You would ideally require your employees to be aware of any behavior that can cause potential problems, but for the sake of brevity, let’s outline a few key areas we will discuss further. Those are as follows:
- Desk security and cleanliness
- Sharing in person or on social media
- Your security policies
- Common sense
Desk Security and Cleanliness
It is easy to imagine that most data breaches stem from tampering with emails, databases, servers, and the like. The fact of the matter is, it is more common that a business will also have something of importance in physical form: think printed documents, contracts, legal paraphernalia, even flash media like USB sticks with important material stored on them. Further, employees are often not trained to lock and otherwise secure their desk and work area to prevent tampering. While it is good to have trust in our coworkers and staff, we ought to remember that a lot of disasters happen by accident as well. That USB stick can be picked up by mistake and brought somewhere unsafe, and a multitude of other scenarios are just as plausible.
To mitigate the risk of this, a good security-aware business will require employees to lock their computers even when stepping out to use the restroom or grabbing a glass of water, and they will also be required to keep any documentation they handle organized and stored safely away unless being worked on at that very moment.
Sharing in Person or on Social Media
There is a lot that can be said about social media nowadays, most of which would make any business take a step back and reassess its policies. Most businesses in fact do just that and have procedures in place for all things social media. That said, it is hard to manage an oversharer: it is estimated that a not-insignificant portion of all data breaches come from someone who simply overshared online and came into contact with someone smarter and malicious.
However, this is not limited to social media or the Internet in general; people share too much in person much more often, in fact. This is where we need to start using the “Need-To-Know” principle when communicating outside work or with someone from a department that is not meant to be in the know. Explaining this principle to any individual is a rather simple affair: Do they need to know? If there is a speck of doubt, then they do not need to know.
Your Security Policies
If a company has official security policies outlining behaviors that are obligatory for employees in order to curb the risk of a data breach, then they are likely required material for onboarding and perhaps even something that is reviewed on a regular cycle. In light of that, it is a healthy conclusion that everyone is aware of those, correct? Not so. It is estimated that more than half of people, when possible, will skim such documentation and trainings much like any Terms and Conditions agreement online.
A good idea is to make such trainings live sessions or to provide interactive or quizzing experiences as part of your security policy briefings or any other approach a business finds preferable.
This seems like a no-brainer, but statistics indicate that a shamefully large percentage of data breaches occur because the password policy is not up to snuff. To reiterate something that should be common sense, and before moving on to the last segment which is about, well, common sense: a password is never good unless it contains a combination of upper and lower case letters, numbers, and special characters. While it is not criminal negligence by a long shot to use one’s significant other’s name or date of birth as a password, common sense would require us to be a bit better at this. To enforce this and perhaps take it further, a good idea is to disallow the use of personal accounts of any kind and simply to require such passwords in the first place.
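As an added illustration (not from the original article, and not any particular vendor's policy engine), the following Python snippet turns the password rule above into a check that reports which rules a candidate password fails: character-class coverage as stated in the text, plus a check against a user's own personal details such as a partner's name or date of birth. The minimum length of 12, the set of special characters, and the date formats considered are assumptions for the example rather than figures given on the page.

```python
import re
from datetime import date

# Assumed minimum length; the article states no number, so this is an example value.
MIN_LENGTH = 12

# Assumed set of "special characters" (ASCII punctuation).
SPECIAL_RE = re.compile(r"[^A-Za-z0-9\s]")


def personal_terms(*names, birthday=None):
    """Build the list of personal strings a password must not contain.

    names: first names, nicknames, pet names, etc. (constructed by the caller).
    birthday: a datetime.date; several common numeric spellings are derived.
    """
    terms = [n.lower() for n in names if len(n) >= 3]
    if birthday is not None:
        terms += [
            birthday.strftime("%Y"),          # 1990
            birthday.strftime("%d%m"),        # 1204
            birthday.strftime("%m%d"),        # 0412
            birthday.strftime("%d%m%Y"),      # 12041990
            birthday.strftime("%m%d%Y"),      # 04121990
            birthday.strftime("%Y%m%d"),      # 19900412
            birthday.strftime("%d%m%y"),      # 120490
        ]
    return terms


def check_password(password, banned_terms=()):
    """Return the list of rule names the password fails; [] means it passes.

    Rules follow the article's wording (upper, lower, digit, special) plus
    an assumed minimum length and a 'no personal information' rule.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not SPECIAL_RE.search(password):
        failures.append("special")
    lowered = password.lower()
    if any(term in lowered for term in banned_terms):
        failures.append("personal_info")
    return failures


if __name__ == "__main__":
    # Constructed sample profile for the demonstration.
    banned = personal_terms("Alice", "Rex", birthday=date(1990, 4, 12))
    for candidate in ["password", "Alice1990!", "Tr0ub4dor&3xample"]:
        print(candidate, "->", check_password(candidate, banned) or "OK")
```

In practice such a check belongs in the onboarding or password-change flow rather than in a training slide: it gives the employee immediate, specific feedback instead of relying on them having read the policy.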
As a final piece of this puzzle, common sense is something commonly required but frequently lacking nowadays. While this should not require further elaboration, briefly: just have common sense. Do not carry the property of the business around unless it is a must, keep your words guarded and your work area clean, and make sure you are able to recognize malicious intent (think phishing). It is very, very difficult to obtain something from someone who is smart enough to know better.