Barely a day goes by without breaking news of yet another cybersecurity breach.
Whether it’s a mass ransomware attack like WannaCry, withholding data for money from unlucky companies across the world, or government-linked hackers allegedly rigging elections to influence our political systems, it feels like cybersecurity stories are now a mainstay of the modern news agenda.
Trying to combat constantly evolving online threats is no simple task. Since the internet first became available to the wider public, security software and services have been sold to businesses to help them cover everything from standard antivirus to network monitoring, two-factor authentication and threat intelligence. But it’s not enough. Your business can have the best cyber security technology in the world, but it will never be truly immune from a data breach.
Your employees are the weakest link in your organisation’s information security. Cyber security professionals have long acknowledged it, and no tools or services can ensure your business is completely safe. The problem is that, regardless of whether you have the best security systems money can buy, staff still need to be able to do their jobs in the simplest and most efficient manner possible. This is where human error comes into play.
The last few years alone have not been kind to employees targeted by cybercriminals. Many have fallen victim to sophisticated phishing emails and had their login credentials stolen through social engineering. There have been cases where employees have downloaded sensitive information to their personal unencrypted devices, which were subsequently stolen. The data was exposed to opportunistic cybercriminals who may have then used it to their advantage.
What is surprising is that despite these accidental security mishaps, employees are not learning from their mistakes. In fact, they’re actively and knowingly breaking company security policy. Recent research we conducted, surveying over 1000 UK office workers on their use of cloud, file sharing sites and personal devices in the workplace, found that an alarming number of respondents are flouting company security policies, causing a major headache for companies trying to keep their data security in check.
Our research found that a quarter of respondents (24%) admitted to storing work information in the public cloud even though they are not permitted to do so. Just under a quarter (23%) of workers use public file sharing services for work information even though they’re not allowed to, and 31% take work home to complete despite being told otherwise. Each issue places company data security at risk, and they are all the more worrying when 1 in 12 people (8%) admit to having access to confidential information that they shouldn’t have.
The buck does not stop with digital information. Just under two-thirds of workers (59%) reported that colleagues leave printed pages in the printer tray, heightening the chances of documents being seen by the wrong pair of eyes.
Mistakes are a part of life. They are what make us human, and will never be fully removed from the workplace. Businesses will forever be challenged by human error. Installing the latest cybersecurity solutions cannot help to solve people-based security issues, especially when few employees within a business will have the same level of expert security knowledge as an IT professional.
The best possible protection comes from adopting, and routinely enforcing, solid data protection policies and practices. This should be an absolute priority. Businesses need to be better at educating their employees to help reduce data security risks and stop them knowingly making bad security decisions.
Hesitation could spell big trouble in the coming months. The General Data Protection Regulation (GDPR) is fast approaching, and it’s becoming more important than ever that employees are fully aware of the everyday risks they could unwittingly expose their organisation to. After all, the alternative could cost a lot more than just information. If a company is found to be in breach of GDPR it will be subject to fines of 4% of its annual global turnover or €20 million, whichever is greater. The time to act is now.