How does each employee constitute a security threat?
A large part of the security breaches in companies are carried out by employees, according to the Norwegian survey “Mørketallsundersøkelsen 2018.” Lack of security awareness is one of the reasons for this. I got a real awakening when my colleagues took charge – thankfully!
Command Windows + L
Getting onto a colleague’s computer without permission and inviting everyone in the company to a break with homemade cake is a relatively innocent way of illustrating the importance of locking your screen. I was the one who had to bake a cake for my colleagues in Cloudworks a while ago. Even if I only took a few steps over to the coffee machine for a refill, a colleague would check whether I had locked my screen. This repeated itself until I became a diligent user of Windows + L. It is the command to lock the screen, in case you didn’t already know that.
Responsibility as an employee
A lot of information is processed in a company and must not go astray. This includes personal information, health information, stock-exchange-sensitive information, and business secrets. Some companies go as far as dismissing an employee who has been warned to lock their screen more than twice. That is a relatively good indication of how seriously the matter is taken.
Each employee has a responsibility for the company’s information security. Locking the screen is just one of the security routines that are important to a business, and recurring awareness of such practices reduces the threat each employee poses.
Security breaches are caused by the employees
The survey “Mørketallsundersøkelsen 2018,” which was developed by the Confederation of Norwegian Business Security, Næringslivets Sikkerhetsråd, indicates that a large part of the security breaches are carried out by the employees. The report shows that, among the Norwegian companies that participated in the survey, the causes of security breaches were largely:
- coincidence or bad luck
- human error
- lack of security awareness
- insufficient processes
- existing processes that were not followed
There were also cases where systems were abused deliberately, and where disloyal employees had access to the information.
An easy target
Often, employees regard security as an obstacle to getting their work done satisfactorily, and lack understanding of the reasons behind the security rules. They are considered the weakest link in a business and an easy target for attacks such as social hacking, identity theft, abuse of access and the like. Nevertheless, employees have traditionally not been a priority in the company’s security strategy. As a result, management does not know how employees will deal with an attack, which in itself constitutes a significant threat.
The requirements for control have increased
It is crucial for a company to communicate security requirements clearly to employees and management, and to carry out and verify training on a regular basis. Control of information security is necessary. In the worst case, a lack of control can have major financial and legal consequences. The introduction of the GDPR has also increased the requirements placed on a company's control, and the authorities’ more frequent use of sanctions in cases of violations further reinforces the need.
Our security experts can help your business
At Cloudworks, we have security experts who can help your company map out the current situation and suggest concrete measures. We can conduct the employee security training and present to the board its responsibilities for corporate security controls.