
People as the weak point in security

Introduction
Many studies have shown that the biggest threat to data security in a company isn't hackers. It is actually employees, and in particular temporary employees, employees in financial services and public servants. Some employees threaten data security accidentally. Others, however, deliberately set out to steal, delete or otherwise manipulate sensitive data.

Accidental data security breaches
Many of the accidental data breaches that happen occur because of poor training and poor practices.

    • Employees save data on unencrypted USB flash drives.
    • Strong password procedures are not in place in companies so employees don't follow good password practice.
    • Employees are not given sufficient training and so make mistakes without realising the consequences, e.g. deleting data.
    • Companies don't have robust or regularly tested back-up and archiving procedures for all data to minimise data loss.
    • Employees accidentally send emails to the wrong people, fail to use BCC when sending an email to multiple recipients, or use Contact Groups to send emails without understanding the consequences.
    • Employees click on phishing links and install malware that way.
    • Employees use third party software to make life easy for themselves such as Dropbox, Google Drive and so on, even though some might present a security risk.
    • Employers do not actively prevent employees from installing their own, potentially infected applications.
    • Employers do not carry out any Risk Assessments on data security issues and do not educate and train staff in this area properly.
    • Employees are allowed to take data off company premises with disastrous results, e.g. leaving a laptop holding unsecured data on a train seat in a forgetful moment, accidentally losing a USB flash drive with unsecured data on it, or having a computer with unsecured data on it stolen from home.
    • Employees communicate with a company computer over an unencrypted connection or a public hotspot in a cafe, for example, and also use their own personal devices. Employees should use an encrypted Virtual Private Network (VPN) when communicating like this and should only ever use company hardware for company business.
    • Employers do not take sufficient steps to ensure that each employee has access only to the data they need to do their job.
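The mis-addressed and BCC-less emails in the list above are a good fit for an automated outbound-mail check. The following is an added example (not code from the original page): it parses a message, flags when more than one external address is exposed in To/Cc (where BCC should have been used) and flags external recipients the sender has never written to before as a possible typo. The company domain, the threshold and the sample message are assumptions constructed for the example.

```python
"""Outbound-mail check for two accidental-breach patterns: visible
multi-recipient sends (To/Cc instead of Bcc) and mis-typed external
recipients. Example code; domain, threshold and sample are constructed."""
from email import message_from_string
from email.utils import getaddresses

COMPANY_DOMAIN = "example.com"   # assumed internal domain
MAX_VISIBLE_EXTERNAL = 1         # more than this in To/Cc should have gone via Bcc


def recipient_addresses(msg, headers=("To", "Cc")):
    """Return lowercase addresses from the given headers of a parsed message."""
    raw = []
    for header in headers:
        raw.extend(msg.get_all(header, []))
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def check_outbound(raw_message, known_contacts):
    """Return a list of warnings for a raw RFC 822 message string.

    known_contacts is the set of external addresses the sender has corresponded
    with before; an external recipient outside it is flagged as a possible typo."""
    msg = message_from_string(raw_message)
    visible = recipient_addresses(msg)  # To and Cc are visible to every recipient
    external = [a for a in visible if not a.endswith("@" + COMPANY_DOMAIN)]
    warnings = []
    if len(external) > MAX_VISIBLE_EXTERNAL:
        warnings.append(f"{len(external)} external addresses exposed in To/Cc; use Bcc")
    for addr in external:
        if addr not in known_contacts:
            warnings.append(f"unrecognised external recipient {addr}; check for a typo")
    return warnings


# Constructed sample: three customers in To/Cc, one with a misspelt domain.
SAMPLE_MESSAGE = """\
From: payroll@example.com
To: alice@example.com, bob@customer-a.org
Cc: carol@customer-b.org, dave@custmer-c.net
Subject: Q3 statements

Please find the statements attached.
"""
KNOWN_CONTACTS = {"bob@customer-a.org", "carol@customer-b.org", "dave@customer-c.net"}


def demo():
    """Run the check on the constructed sample; returns two warnings."""
    return check_outbound(SAMPLE_MESSAGE, KNOWN_CONTACTS)


if __name__ == "__main__":
    for warning in demo():
        print(warning)
```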

Employees will always make mistakes. Companies who acknowledge this, carry out detailed Risk Assessments in advance, have robust procedures in place and take data security training of employees seriously can minimise the impact when an accident happens.

Deliberate data security breaches
Some employees will always set out to steal data.

    • Some employees steal data or use it in unauthorised ways to make money.
    • Some employees steal data and then release it into the public domain because they feel strongly about some unethical, immoral or illegal practices of the company. These employees are known as 'whistleblowers'.
    • Some employees who have just been sacked, made redundant or overlooked for promotion destroy, alter or release data to get even with their employer. This is one reason why, when an employee in IT is sacked or made redundant, they are immediately escorted to their desk to collect their personal things, then escorted to the exit of the company building, and have all their rights to access company systems cancelled.

As with accidental data loss, you cannot completely prevent employees from stealing data, but you can minimise the chances of it happening, and the consequences when it does, through careful Risk Assessment, strong procedures and training.
