Old habits die hard. And as a consequence, trusted employees are putting organizations at risk every day by performing seemingly innocent acts on their computers.
A recent Intermedia report found 93 percent of employees engage in at least one form of poor data security. And 23 percent of respondents admitted they would take data from their company if it would benefit them. Equally alarming is the fact that IT teams, tenured employees and C-level executives all exhibit bad habits and expose organizations to security threats. The CEO of Austrian aerospace parts manufacturer FACC is all too familiar with this scenario. He was fired after a fake CEO email scam cost the company $47 million.
Before investing in new security tools and technology to protect against external threats, companies should place higher priority on identifying and fixing internal risks. Here are a few of the most common employee traits that expose businesses to potential harm.
1. They lack education and training.
When a new employee joins an organization, he or she typically gets a computer, a company email address and access to a suite of applications to carry out daily duties. But training on how best to use these resources often falls by the wayside. Businesses must provide upfront education to safeguard against sophisticated threats that prey on unsuspecting employees.
Company leaders who are serious about keeping cyber threats at bay understand that a single training session during onboarding isn't enough. Regular IT and security updates are essential. Onboarding training helps establish good habits from the start, and periodic information and training sessions supplement that baseline.
2. They choose weak passwords.
According to SplashData, the most common passwords used in 2016 are still “123456” and “password.” It’s easy to be lured by convenience rather than opt for security. Creating and remembering new passwords undeniably is a pain, which is why so many employees stick with the same password across multiple accounts. But this, of course, makes for a wide-open target. In one fell swoop, all of an employee’s accounts can be compromised.
People working in the tech industry typically have access to more applications and services than people working in other industries. Without a Single Sign-On (SSO) service, there are too many passwords for a normal human to remember. SSO provides users with a single portal to access all their web applications. The employee logs in to the portal, and SSO logs him or her in to all apps for which that user has permission -- no need to rely on sticky notes and Excel spreadsheets to manage all those usernames and passwords. Because users have to remember only one password, it typically can be longer and stronger than one they'd normally select.
3. They share login credentials.
Here, too, employees fall victim to convenience. When colleagues want to quickly and easily access certain information, businesses often rely on sharing credentials instead of creating a unique personal login for each user. Nearly 50 percent of respondents in a recent survey of office workers have shared credentials with multiple users. This leaves the company vulnerable to a data breach.
Ideally, each employee joining the company should receive a checklist of the services and applications needed for her or his daily duties. Human Resources and IT departments should work together during onboarding to create a separate account for that user and software set.
But this is the real world, and shared accounts are almost impossible to avoid. For example, multiple people are likely to have access to the company Facebook or Twitter account. Some SSO services support secure sharing of credentials, linking the use of a shared account to an individual but hiding the actual password from these same users. In most cases, only the IT administrator knows the password. This makes it easy to revoke access as people join, move around and leave the organization.
4. They install web applications without consulting IT.
“Shadow IT” is a persistent issue in today's workforce. It happens when employees download unauthorized applications to their work computers or mobile devices. It also can occur when they subscribe to Software as a Service (SaaS) applications without IT approval.
Many employees are glued to their work computers eight hours or more a day and start to think of that workstation as their own personal device. Their intentions may be harmless -- perhaps they want to download a popular music-streaming application or a consumer file-sharing tool to store and coordinate information. But doing so without first consulting IT contributes to the problem and puts the company at risk.
There are good reasons why businesses should allow certain applications and not others. These include keeping up productivity, ensuring consistency across the office and its departments, protecting against malware or other security threats and keeping risk at an acceptable and understood level. Ultimately, people want to work the way they want to work. IT's role has changed such that teams now advise the business rather than act as technology gatekeepers. If IT decides that consumer-grade products are not secure enough, they must offer an alternative -- or a choice of alternatives -- that work across the range of devices people want to use.
5. They upload company files to personal cloud storage.
Mixing business with pleasure always has been risky. Technology issues are no different. Saving company files to personal file-sharing applications highlights a more recent concern in the age of cloud computing. While file-sharing applications such as Dropbox and Google Drive have helped streamline communication and version control of shared documents, these services often lack security protocols or audit and compliance features. In short, they were created with consumer convenience front and center.
A dedicated employee might upload work files to a personal file-sharing application so he or she can work remotely after hours or over the weekend. Despite the individual's commendable motives, this is a high-risk behavior. Making a spur-of-the-moment choice to use a consumer-centered solution might save the employee a few extra seconds but could cost the business much more. Employees must keep the company's best interests in mind and be cognizant of potential consequences.
6. They access company data after changing jobs.
When an employee resigns or is terminated, the very first step the business should take to protect itself is identifying and immediately revoking the employee's access to all platforms and web applications. Research has shown that after leaving a company, 89 percent of employees still have access to at least one application or to proprietary corporate data.
People also will need access to different applications as they move around within organizations and fill different roles. Companies must develop a strong Joiners, Movers & Leavers (JML) process to ensure company data is safe from unauthorized access.
7. They're not careful enough with email.
Most people have experienced a close call or a heart-stopping "reply all" horror story, even if they don't want to admit it. One wrong click of a mouse can share information with an unintended recipient and -- even worse -- jeopardize an entire organization by putting highly confidential information in the wrong person’s hands. This type of mistake now extends to file-sharing services as well. The modern faux pas is granting access to or accidentally sharing files with the wrong people through services such as Dropbox and Google Drive.
Not all data breaches or cyber threats are preventable. But a business that arms its workforce with the education and resources to break bad computer habits can operate with greater confidence that the company and its data are safer.