Why your employees are the weak link in data protection
There are so many reasons why a business’s security may be compromised today that it’s easy to see how the topic of data protection can soon feel overwhelming. As we find more ways to stop the hackers from infiltrating our internal systems, it seems that they too are finding new ways to wreak havoc.
Data protection breaches seem to be becoming more and more commonplace; we hear about them a lot in the media, and while they often target bigger corporations no business should take cyber security lightly because, should a breach occur, the effects can be extremely damaging. With the arrival of GDPR comes larger fines for non-compliance and this can have a devastating impact on your business’s finances.
What’s more, the ICO (Information Commissioner’s Office) carried out a YouGov survey last year which showed that 20% of people would definitely stop using a company's services after hearing news of a data breach, whilst 57% would consider stopping - and who could blame them?
Identifying the threats
While it’s true that most data security breaches originate from external sources, the biggest threat to your IT infrastructure is your employees. Occasionally this may be intentional - as was the case with Lennon Ray Brown, a disgruntled Citybank computer engineer who caused 90% of the company’s networks across the US to lose connectivity - but most of the time breaches happen completely unwittingly.
Security software is ever evolving, with firewalls, anti-virus and email scanners among the software solutions organisations put in place to protect themselves, but this alone is not enough. Social engineering is just one of the ways in which hackers gain access to confidential material; they capitalise on the errors in judgement of individuals to gain access to personal details which can be used to login to various services and access confidential information.
Social engineering can take many forms, and while you may think you’d never be tricked into giving people your bank details or passwords, it’s surprising how many people do fall victim to this! Many hackers also rely on employees having the same passwords for multiple different sites and may create fake login pages, which then give them access to all kinds of sensitive information. Social networking sites are often exploited by hackers too, with some willing to be brasher still and use methods of bribery or intimidation to get what they want.
‘Man-in-the-middle’ attacks are also commonplace, whereby a hacker gains access to your network, or intercepts communications so that they can eavesdrop, collect data, and interfere with your employees’ transmissions. Valuable information may include payment card information, legal documents and company secrets. Whilst much of this comes down to organisations having weak internal infrastructures, employees play a part too, especially in an age where agile/flexible working is so popular. Something as simple as working on company laptops or phones from unsecured, public Wi-Fi networks, or accessing sites without the secure ‘https’ protocol can pose a risk.
The importance of continuous training
It’s unlikely that a business will become a victim to a data security breach without warning bells going off first. Understanding what data breaches are and how and why they occur can help companies devise comprehensive training plans for their staff. It may look like you’re teaching your teams how to suck eggs, but poor password skills are a real problem and remain one of the top threats to data security. Too many passwords contain personal information - such as the name of a partner, child or pet, which can be too easy to guess, especially in a world when so much of our personal information is available on social networking sites. Passwords should be changed regularly to limit the risk of hacking.
As an outcome, employees should be able to spot the warning signs of cyber-attacks themselves, and know who to speak to should they suspect a data breach has occurred. Under the new GDPR legislation, breaches must be reported to the ICO within 72 hours of an organisation becoming aware of it.
Cyber security is a complex topic, which is why it’s recommended that businesses tackle one area at a time, and make it as interesting as possible by creating engaging learner experiences (e.g.through interactive sessions). Training material should be readily available to staff to refresh their knowledge and this should be continually updated to reflect updates to legislations, and new regulations coming into force.