Insider threats aren't always malicious: how organisations allow employees to continue to be the weakest link
Norman Shaw unpicks the innocent mistakes employees make, mistakes that, unlike cyber-security, attract no budget to reduce.
Norman Shaw, CEO and Founder, ExactTrak
Last year was the year of the data breach, so much so that NTT's most recent Risk:Value report claims the majority (57 percent) of businesses in the UK now expect to be breached. Human error is still the cause of most data breaches (a recent global survey by Heat Software confirmed that negligent employees were the biggest threat to endpoint security), yet it is cyber-security that gets the attention and the budget. Unfortunately, businesses are so focused on cyber-security and on securing against malicious insider threats that they do nothing to mitigate the innocent mistakes of their employees, all while introducing policies that further increase the likelihood of human error.
The security risk of meeting employee expectation
The growing consumer expectation of being able to access information anywhere, anytime and from any device has spilled over into the workplace, with employees now expecting their employers to have a Bring Your Own Device (BYOD) policy. This, combined with the proliferation of the Internet of Things (IoT) and remote working, makes security a high priority. Yet employees continue to use, and lose, unapproved USB drives; they are not encouraged to report lost or stolen devices; and they are forced to use encryption that is both user-unfriendly and, when a breach actually happens, mostly useless.
Why is a lost device surprising to anyone?
This year, research from internet security firm Eset asserted that 22,266 USB drives are left in UK dry cleaners every year. In many ways this is not surprising; we know people make mistakes. What is interesting is that, knowing this, businesses allow employees to use USB drives that, at worst, they picked up at a conference and, at best, carry encryption so complicated that users find a way to disable it. Either way, it is a huge security risk in which the employee is an unwitting participant.
Software encryption and the issue of passwords
Software encryption is popular because it is cheap and easy to deploy and update, but it can also be complicated and slow devices down, which leads users to disable it. Products that rely on a password invite users to choose easy-to-remember passwords, write them down in easy-to-find places, and share them with colleagues and family. Or, for convenience, users reuse the passwords from their personal devices and accounts, which are often subject to little or no security. Because the strength of password-based encryption is only ever the strength of the password, this makes it easy for an attacker to get at corporate data that was supposedly secured by software encryption. And because the user may have disabled the encryption or chosen a guessable password, it is difficult to prove that a lost device was actually protected at the time it was lost without recovering it; on its own, then, encryption is not a strong enough control.
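The point above, that a password-protected container is only as strong as the password, is easy to see once you notice that the device must be able to verify a typed password on its own, so a lost drive carries everything needed to test guesses offline. The following is an added example, not code from the article or from any ExactTrak product: it models a hypothetical container header (salt, iteration count and a PBKDF2-derived key-check value, a common pattern, though real products differ in detail) and runs a small constructed wordlist against it. The iteration count is kept deliberately low so the demo runs quickly.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

# Hypothetical header parameters (assumption for the example). A real product
# would use a far higher iteration count, but that only slows the attacker
# down linearly; it does not change the outcome for a password in a wordlist.
PBKDF2_ITERATIONS = 10_000


def enrol(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the on-device header created when the user sets a password.

    The device cannot store the password itself, so it stores a key-check
    value (KCV) derived from the password. That KCV is exactly what lets an
    attacker with the lost drive check guesses without any online service.
    """
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    kcv = hmac.new(key, b"kcv", "sha256").digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "kcv": kcv}


def unlock(header: dict, password: str) -> bool:
    """What the device does at unlock time: re-derive the key and compare the KCV."""
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), header["salt"], header["iterations"]
    )
    candidate_kcv = hmac.new(key, b"kcv", "sha256").digest()
    return hmac.compare_digest(candidate_kcv, header["kcv"])


def offline_guess(header: dict, wordlist) -> Optional[str]:
    """What the attacker does with a lost drive: try each candidate against the header.

    Nothing here needs the original owner, a network, or the vendor; the
    header alone is enough. Returns the recovered password or None.
    """
    for candidate in wordlist:
        if unlock(header, candidate):
            return candidate
    return None


# Constructed mini wordlist for the example. Real attacks use lists of
# millions of leaked passwords, and reused personal passwords are in them.
WORDLIST = ["password", "letmein", "Summer2016", "qwerty123", "Company1!", "welcome1"]


def demo() -> dict:
    """Compare a human-chosen password with a random 20-character secret."""
    weak = enrol("Summer2016")
    random_secret = "".join(
        secrets.choice(string.ascii_letters + string.digits) for _ in range(20)
    )
    strong = enrol(random_secret)
    return {
        "weak_found": offline_guess(weak, WORDLIST),
        "strong_found": offline_guess(strong, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

The weak header falls to the wordlist in milliseconds; the random secret does not, not because the cipher or the KDF is different, but because the guess space is no longer a list of words people pick. That is the practical argument for keys that are generated and held by the device or the enterprise rather than typed by the user, and for treating a device that "was encrypted" as protected only if you can show the key was never a user-chosen password.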
In most cases the employee is simply trying to be as quick and productive as possible. They are not aware of the security risks their decisions create for the company they work for. And yet complicated encryption persists, and we are a long way from widespread data-security education in either schools or companies.
I don't want to get in trouble
With all the media attention on how much data breaches cost businesses (the NTT report put it at £1.2 million per breach plus a 13 percent drop in revenue), reporting a breach must be a frightening decision for an employee. Whether the breach was the employee's fault or not, it is unlikely they will report it if they think they could lose their job. This culture presents an extra security risk to businesses, which cannot combat a breach they do not know about.
How to avoid your employees being your weakest link
It is clear from the examples above that businesses are relying on people not making mistakes, which is an underwhelming security strategy. The key to protecting organisations is to take control away from the end user and put it firmly in the hands of the enterprise. Choosing technologies that do this, and that also help you if the worst should happen, is paramount.
Opting for technology that includes location tracking means that the data on a USB drive can be accessed only inside defined geo-zones, and that a lost drive can often be located, providing evidence that the data was never exposed. Recovering lost or stolen devices and being able to show a verifiable audit trail can mean avoiding huge fines.
Not relying on software encryption as the only tool in the IT security department's toolbox, choosing user-friendly encryption, and being wary of false promises about data deletion or overwriting are also good ideas.
And of course, an environment that includes training on how to handle corporate data and that, instead of a blame culture, treats reporting a data breach to a line manager as a good thing and not a firing offence will help employees to be your greatest asset rather than your weakest link.
Contributed by Norman Shaw, CEO and founder, ExactTrak