Pop Quiz, hot shot: What or who is the weakest link in your company’s data security? Is it your database that hasn’t been updated in years? Or that vengeful ex-employee with a grudge?
The correct answer is: It’s you. Or more appropriately, everyone in your company. All you well-meaning employees who love your jobs and wouldn’t do anything to harm your company. True, you’re not walking into your competitors and handing over files and secrets. But if you aren’t taking precaution with sensitive information online, you might as well be. Each time you automatically store a password on any website at work, or give your smartphone with your work information on it to your four year old, you’re putting your employer, and yourself, at risk of losing and exposing data.
Ipswitch File Transfer’s 2014 study Are Your Employees Putting Your Company’s Data At Risk? found that 84% of employees used personal email accounts to send work files or information, 50% stored sensitive information on cloud-based services like Dropbox and YouSendIt and more than 30% had lost a USB containing sensitive work information! Employees with risky habits basically unlock your office doors to hackers, saying “C’mon in guys, free money and trade secrets here!”
Company Education Policies are Key
Company-wide education plays a key role in helping workers understand that they can change their habits. A 2014 study conducted by Enterprise Management Associates of 600 random workers from over 100 random companies, concluded that 56% of employees received no Security Awareness Training (dubbed SAT). They weren’t educated in proper online security measures and took little precautions with sensitive information. Employees aren’t educated on proper provisions when opening links in emails and are careless with mobile devices.
Companies need to create their own SAT guides covering the following issues:
Creating strong passwords: According to consulting firm Deloitte, 90% of passwords can be easily hacked. People use easy to think of, and therefore crack, passwords – a hackers dream come true. Never use kids or pet name, dates of birth or any other accessible information. The best idea is to use a string of random characters but this gets messy easily. Take a band or food you’ll remember and throw in some numbers and characters – gratefuL2109Dead34 or PBJ746for!lunch247. These are a much harder crack.
Using mobile devices with caution: You don’t go anywhere without your smartphone, right? If you’re average, according to vbridges.com, your company allows, perhaps even encourages, you to work on your own devices. Assuming you’re average, you’re the proud owner of four mobile devices containing sensitive work information.That’s an alarming amount of devices to be stolen or lost. Since there’s no stopping the BYOD trend, focus on understanding preference settings and dangers that apps and downloads often present. Really, why should apps like Angry Birds access your contacts anyway?
Keeping far away from malware and bundleware: Did you know every time you download free software there’s a good chance that you’re getting more than you expected? And not in the good “oh wow, a present for me” way either. Often times apps or freeware come bundled with other programs that you were unaware of. This is why the last time you installed a free meal planner app, all of the sudden you had a new, unwanted browser (think Babylon Search) instead of your usual Chrome or Safari. Scarier still, is malware that infects your company computers when you visit a site that has been infected. The reality of this danger was made abundantly clear this fall with the rise of trojans like Cryptowall and Cryptolocker which can actually encrypt entire servers and wash away years of information. Lucky for you, you can download Reason Core Security bundleware and malware blocker and make sure this doesn’t happen to you and your company.
Staying (cyber) street smart: Follow the same street smart practices you (hopefully) do in non-cyber life. Don’t share passwords, log out of website when you’re finished, don’t connect with strangers, be careful with thumb drives that have sensitive information (whose idea was it to make something the size of a pinky that could hold so much information anyway?!) When a website prompts you to automatically save your password, don’t.
Creating an environment of education and accountability: Being savvy about safety shouldn’t be hard once people know what they need to be savvy about. According to the Associated Press, companies like Twitter and Pinnacle Financial Partners send fake phishing emails to employees to see who gets caught. At Pinnacle, the results are reported to the company’s board of directors. Chief Information Officer Randy Withrow says since they started the program, successful phishing attempts have dropped by 25%. “Workers take it very personally. They become apologetic and wonder, ‘How did I miss it?’” Joe Ferrara of Wombat Security, who created the program used by Pinnacle says “The right approach to change user behavior is not difficult to implement but requires a consistent model of education and training to keep employees away from the pitfalls.”
So the next time you get an emailed link promising the funniest joke about Obamacare or give your tablet to your kid to play Candy Crush, think “Is this worth it?” Chances are, it’s not.