Opinion

Your own employees are the biggest security risk


30 March 2018

Paul Rosenthal, founder of Appstractor, takes a closer look at the security risk to businesses caused by employees side-stepping cyber protocols or failing to configure or install software correctly.

Cybersecurity has risen to the top of the agenda for businesses thanks to increasingly common headlines about malware attacks, like the WannaCry incident, and the modern reliance on mobile working and flexibility.

At the same time, increasingly strict data protection laws, like the forthcoming General Data Protection Regulation (GDPR), have raised the stakes, with companies in breach facing punitive fines.

Despite increasing awareness among SME owners around cyber attacks, many companies are unaware of a threat much closer to home: their employees.

The rise of cyber threats

Business spend on cybersecurity is growing around 11 per cent a year, according to Cybersecurity Ventures, and between now and 2021, spend is expected to reach close to £780m. However, small business bosses often suffer from a perception problem that they are not likely to be the victim of cyber crime – or that security software will protect them.

In reality, the threat is very real, in part because employers are complicit in their own vulnerability, not through lack of investment in software but through lack of education among employees who just don’t know how to implement software properly.

Far too many employees are unaware of the security policies they should follow to keep data safe – an issue that is becoming critical given the increasing popularity of using personal equipment for work or flexible working using public WiFi.

The security risk from flexible and mobile working

A major and more recent security risk is brought about by the rise of mobile technology and flexible working. While flexible working has been a great benefit to many businesses and employees, the increasing number of employees accessing, sharing and working on sensitive company data while hooked up to a public WiFi network is concerning.

There is a serious misunderstanding when it comes to public WiFi, and many employees are simply not aware of the security risk of using these networks for sensitive communication and file sharing – even if the WiFi has a password.

The misconception among employees is that because the public WiFi is password protected, they are safe from attack. But anyone with that password and the right software can intercept information. If an individual is not using online encryption, it is possible for criminals to access information that could be used to gain access to the business’ corporate systems.

Even worse, a criminal could impersonate a company’s CEO via email and manipulate employees to transfer money into a criminal’s account.

The biggest employee risk? Apathy

Bringing in business software and security tools is just one step to improving data safety. The systems still need to be implemented and regularly updated, and used correctly. Unfortunately for many business owners, employees often overlook critical aspects of the overall security model, simply because they are not aware of the security risk.

If employees fail to implement the required technology correctly, the business is at risk. Just one individual failing to use online encryption correctly, or using an unsecured laptop from home, can create a hole in the business’ security and leave it vulnerable to attack. So, more needs to be done to educate the wider workforce. More also needs to be done to make systems and tools simpler to use.

Unlike HR policies or auditing functions, which have largely remained the same for decades, the rapid change of pace in technology and cybersecurity means it is impossible for the average employee – and even some IT experts – to keep up with developments. For an employee who is likely concerned with more pressing personal or work matters, another complex IT upgrade will most likely be pushed to the back of the to-do list.

Creating a security-first culture needs to be among any business’ top priorities if it is to ensure its data and IT systems are secure.

Enforcing more robust policies should also rise up the agenda, such as ensuring that employees using a laptop from home have company-issued anti-virus and online encryption software installed, along with the adoption of two-factor authentication.

Data and online communications security is essential; as fast as technology is developing, so too are the risks posed from cyber attacks. From the new wave of mass automation attacks, to the vulnerability created by modern working practices, organisations need to reconsider how to keep sensitive information secure.

Security is becoming more sophisticated to deal with threats, but however advanced the defences, they are worthless if the workforce is not using them properly. It is an inherent misunderstanding amongst employees that means workers are posing a serious security risk to their employer, mostly without their knowledge.

Business owners can spend all the money and time they want buying and installing the latest security software, but if they fail to educate their employees, or ensure that protocols are being followed properly, their own employees will continue to remain the biggest cyber security threat.

Paul Rosenthal is founder of cyber security solutions provider Appstractor