In the fight to avoid security breaches, one area has proven over and over to be the weakest link. It’s the human factor. A survey done by CompTIA shows that human errors are responsible for 52 percent of all security breaches. Each day employees open emails; it’s part of their job. Often there are links in these emails, and most of them are legitimate. But then there’s that one link that downloads a virus into the computer system, and suddenly thieves have access to all company files.
A growing number of cybersecurity breaches come as a result of malicious email links. Educating employees about the various types of viruses has become a full-time job for many companies. In spite of regular meetings, webinars, and conferences, careless employees still open suspicious emails and click on links that open the door for cyberthieves. A recent report from Experian says that most employee training seminars are insufficient to alter employee behavior.
One study from MeriTalk reports that employees sometimes bypass security measures on purpose, then download a virus without realizing it. That same report reveals that many employees view security measures as restrictive, cumbersome and annoying. They say it takes longer to get their work done each day.
In spite of continuing education about data breaches, employees simply forget. They get busy working on something, then absent-mindedly open an email and click on a link that downloads spyware, ransomware and other malicious programs. Employee training about security threats has ramped up considerably over the past decade. And yet one study shows that 57 percent of company employees aren’t even aware of the current security protocols where they work.
Lack of communication
Another issue that was recently exposed is the lack of communication between the IT department and the CEO. Some CEOs simply don’t want to spend the money to update their cybersecurity. They fail to equate a cyber breach with a monetary loss. Human beings seem to function under the fallacy that bad things only happen to other people. Cross-departmental communication is critical for everyone to understand what’s at risk.
With so many companies now employing remote workers, this lack of communication can quickly escalate. Remote workers should not be given access to any areas of the company’s network that they don’t need for their work. A remote worker could accidentally leave their laptop in a restaurant or hotel. The IT department must be more vigilant about these matters. With greater control over who has access to what data, a company can better manage its risks.
In just the last few years, massive data breaches at well-known stores like Target have everyone rethinking their data security. The federal government isn’t immune either. In 2015, the Office of Personnel Management (OPM) publicly disclosed that a data breach had occurred, exposing the personnel records of over four million federal employees. Before this investigation was completed, the public learned that there were two separate breaches and that over 21 million records had been stolen. Most of these records included names, dates, Social Security numbers and even fingerprints.
This breach should have been a wake-up call for everyone. If the government can’t protect its data, then what chance do small business owners have? As unsettling as these types of breaches are, they have not resulted in dramatic changes to data security. Though businesses are taking the threat more seriously, most are not willing to spend the time and money to protect their data from intrusion.
Another factor that isn’t spoken of much is the growing number of angry employees who expose a company’s network on purpose. These may be people currently working for the company or those who have recently been fired. When an employee is about to be fired, the IT department should make sure all their credentials are revoked before the employee leaves the building. Management can step in and try to mitigate the situation if they feel an employee may try to retaliate against the company. For everyone’s sake, it’s best to try to mend fences before allowing an angry employee to leave for the last time.
The ongoing cost of data breaches
For those who have already experienced a data breach, the lessons learned came at a high cost. Many of them are still dealing with the repercussions. A certain number of shoppers may never visit a Target store again. It sometimes takes years before consumers forget. The average cost of a data breach in monetary terms is $154 per record. If a company loses six million records, this is a significant amount of money. The cost is rising rapidly.
Also, a company’s reputation can suffer serious damage. Retail stores may not see customers returning to shop with them for months or even years after a cyber intrusion. Data breaches cause embarrassment for the business as well. Customers may not feel like they can trust a business anymore with their personal information. Customer trust is difficult to rebuild.
It’s time for companies of every size to take data breaches more seriously. Every company’s sensitive data deserves the best protection available. Employees should participate in regular monthly security awareness training. The IT department must have a solid system of checks and balances. The CEO should make it a priority to regularly communicate with the IT department.
Every business should strive to install the very best security programs they can afford. They must examine their weaknesses at every level and ensure IT professionals conduct annual vulnerability assessments. System-wide encryption, password management, and multi-factor authentication are strong measures that can help. When each enterprise, corporation, and company does its best to stop data breaches, we may see a decline in security gaps. Until then, a greater degree of diligence on everyone’s part can stem the tide of the growing number of data security leaks.
Published on 1st February 2018 by Ian Brady.