If someone told you your computer’s security was at risk or was being threatened, what would you think of? Most of us would think of scary terms like viruses, botnets, ransomware, etc.
But your biggest security threat of all is most likely sitting right next to you, across from you, or on the other side of the room.
Surveys show that at least half of data breaches are the result of careless actions by users that put your systems at risk. Simply put, it’s not malicious thieves…it’s operator error!
This is just one of the network and data security issues every SMB owner (and employee!) needs to understand.
How IT Operator Error Happens
Most secure systems are set up so that users gain access through passwords. The problem is that most passwords are short and consist only of letters and numbers, which makes them easy to guess or crack and therefore extremely insecure.
And when users do choose a more secure password, they usually write it down, making it really easy for someone else to gain access under their account (especially when it’s written on a sticky note attached to their monitor).
In an effort to help get work done, employees will also share their passwords with other team members (or if you’re Jimmy Kimmel you can just ask and random people will give you their passwords).
Insecure Networks and Devices:
Most businesses (almost three-quarters to be exact) have a bring-your-own-device policy, which means that employees have the option to use their own smartphones, tablets, and/or laptops for work.
Unfortunately, these devices are easily lost, and when a user loses one, all the sensitive data stored on it goes with it.
Users also connect to public Wi-Fi, usually at a local coffee shop or library. Public Wi-Fi is always insecure and allows others on the same network to view the traffic or place malware on the device.
Downloading Infected Files:
Infected files lurk in plain sight, making them a security nightmare especially when it comes to employees. Most malware enters a computer system by being downloaded from the Internet.
So every time users open an attachment in an email from an unknown sender, download files from a website, or insert a random USB stick into their device (something CompTIA, an industry association, found that 17% of people actually would do), they put the company’s data and network at risk.
Evading Security Controls:
Most users care far more about convenience than security.
They set up accounts with excess privileges because it’s easier than identifying the specific permissions needed. They disable antivirus software because when it kicks in, it slows down the computer and gets in the way of doing work. And they create short, easy-to-remember passwords because they’re easier to type.
How to Overcome Employees’ Bad Security Habits
Whether accidental or malicious, your employees could lose data or expose your business to a virus or a hacker. The following tips will help to keep your network, and your information, safe.
Make sure you educate your employees on the importance of security. You don’t know what you don’t know, right?
Teach them about:
- VPN (virtual private network). Ideally your company data could only be accessed when employees were connected to the VPN. But, if that’s not an option and they’re working at home or Starbucks, be sure they know how to connect to the corporate VPN. Or, if you don’t have a VPN, at the very least instruct employees NOT to use public Wi-Fi to access company information.
- Strong Passwords. Create guidelines and implement requirements for password length and complexity. Apply expiration dates to passwords (every six months, for example) so that users are notified when it’s time to change them. Also provide best practices for keeping passwords secure (not on a sticky note attached to the side of a monitor or lying on a desk). And require a different password for each device and application, so that one leaked password doesn’t unlock everything.
- Spam and phishing attacks. It’s best to implement defenses system-wide, but encourage workers to contact IT if they think they accidentally opened a spam or phishing email.
- Set the tone. Many industries, such as legal or finance, have executive management who believe they are too busy to deal with bothersome password changes. It’s critical for companies – starting with the company leadership – to all agree that taking five minutes every few months for a more secure environment is worth the “nuisance.”
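The password requirements in the list above (length, complexity, a six-month expiration) can be enforced rather than just written down. The following is an added example, not code from the original post: a small policy checker that reports why a candidate password fails and whether an existing one is due for rotation. The minimum length of 12, the "three of four character classes" rule, the 180-day rotation window and the short list of weak passwords are all assumptions chosen to illustrate the guidelines, not an industry standard.

```python
"""Added example (not from the original post): a small password-policy checker.
Rules, thresholds and the weak-password list are assumptions for illustration."""
from datetime import date, timedelta
from typing import List
import string

MIN_LENGTH = 12                   # assumed minimum length
MAX_AGE = timedelta(days=180)     # "every six months", as the post suggests

# Constructed sample of weak choices that should always be refused.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def check_password(candidate: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Count which character classes are present; require at least three of four.
    classes = {
        "lowercase": any(c.islower() for c in candidate),
        "uppercase": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")

    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    return problems


def password_due_for_change(last_changed: date, today: date) -> bool:
    """True when the password is older than MAX_AGE and the user should be notified."""
    return today - last_changed > MAX_AGE


if __name__ == "__main__":
    for pw in ["password", "Summer2024!", "Tr0ub4dor&3-rides-again"]:
        print(pw, "->", check_password(pw) or "OK")
    print("due:", password_due_for_change(date(2024, 1, 1), date(2024, 7, 1)))
```

A checker like this belongs wherever passwords are set (a directory policy, an onboarding script, a web form), so that the rule is applied at the moment of choice rather than discovered in an audit later.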
Monitor and Track System Use
Tracking how employees use the network is key to compliance and can help prevent security leaks, especially in heavily regulated industries.
- Logs - Keep activity logs and review them for abnormalities.
- Restrict Content - Block access to websites to prevent unauthorized distribution of data.
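"Check for abnormalities" is the part of log review that is easiest to skip and hardest to do by eye. The example below is added here and is not code from the original post: it parses a few constructed authentication log lines and flags two abnormalities a small business would want to see, a burst of failed logins against one account and a successful login outside working hours. The log format, the sample entries, the five-failures-in-five-minutes threshold and the 07:00 to 19:59 working window are all assumptions.

```python
"""Added example (not from the original post): review constructed login records
for two abnormalities. Log format, sample data and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: timestamp, outcome, user, source address.
SAMPLE_LOG = """\
2024-03-04 09:02:11 LOGIN_OK user=alice src=10.0.0.12
2024-03-04 09:05:40 LOGIN_FAIL user=bob src=10.0.0.31
2024-03-04 09:05:52 LOGIN_FAIL user=bob src=10.0.0.31
2024-03-04 09:06:03 LOGIN_FAIL user=bob src=10.0.0.31
2024-03-04 09:06:15 LOGIN_FAIL user=bob src=10.0.0.31
2024-03-04 09:06:30 LOGIN_FAIL user=bob src=10.0.0.31
2024-03-04 09:07:01 LOGIN_OK user=bob src=10.0.0.31
2024-03-04 13:15:00 LOGIN_OK user=carol src=10.0.0.45
2024-03-05 02:47:19 LOGIN_OK user=alice src=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+ \S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")
FAIL_THRESHOLD = 5                 # assumed: this many failures ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window is abnormal
WORK_HOURS = range(7, 20)           # assumed normal hours, 07:00-19:59


def parse_log(text):
    """Turn raw lines into (timestamp, outcome, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), outcome, user, src))
    return events


def find_abnormalities(events):
    """Return human-readable findings for failure bursts and off-hours logins."""
    findings = []
    recent_fails = defaultdict(list)   # user -> timestamps of failures in the window
    for ts, outcome, user, src in events:
        if outcome == "LOGIN_FAIL":
            window = recent_fails[user]
            window.append(ts)
            # Slide the window: drop failures older than FAIL_WINDOW.
            while window and ts - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) == FAIL_THRESHOLD:   # report once, when the threshold is hit
                findings.append(f"{user}: {FAIL_THRESHOLD} failed logins within "
                                f"{FAIL_WINDOW} (last at {ts})")
        elif ts.hour not in WORK_HOURS:
            findings.append(f"{user}: successful login outside working hours "
                            f"at {ts} from {src}")
    return findings


if __name__ == "__main__":
    for finding in find_abnormalities(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data the script reports bob's burst of failures (which is followed by a success, worth a follow-up call) and alice's 02:47 login from an unfamiliar address. The point is not these two rules in particular but that a baseline of "normal" has to be written down before anything can be called abnormal.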
Always apply antivirus updates and security patches immediately. If you have remote workers, be sure they’re keeping their devices updated as well. And scan computers and other devices for malware, bugs, and viruses periodically.
Keep It Simple
There’s a reason employees create short passwords and have a tendency to share them: it makes their lives easier. So, whatever steps you take to improve data security, make them as simple and easy as possible for your employees. Explain the importance of information security and what they can do to help keep company information safe; most employees will do their best to help as long as they know how.
Now, when you complete your company’s risk assessment, you’ll know not to focus solely on technology issues like firewalls and cloud storage; you’ll remember to put that person next to you at the top of the list.