How does each employee constitute a security threat?
A large part of the security breaches in companies are carried out by employees according to the Norwegian survey “Mørketallsundersøkelsen 2018.” Lack of security awareness is one of the reasons for this. I got a real awakening when my colleagues took charge – thankfully!
Command Windows + L
Entering a colleague’s computer without permission and inviting everyone in the company for a break with homemade cake is a relatively innocent way of illustrating the importance of locking your screen. I was the one who had to bake a cake for my colleagues in Cloudworks a while ago. I only had to take a few steps over to the coffee machine for a refill, and a colleague would check if I had locked my screen. This was repeated until I became an active user of Windows + L. It is the command to lock the screen, if you didn’t already know that.
Responsibility as an employee
A company processes a lot of information that must not go astray. This includes personal information, health information, stock-exchange-sensitive information and business secrets. Some companies go to the length of firing an employee who has been warned to lock his or her screen more than twice. It is a relatively good indication of the seriousness of it.
Each employee has a responsibility for the company’s information security. Locking their screen is just one of the security routines that are important to a business, and repeated awareness of such routines reduces the threat each employee poses.
Security breaches are caused by the employees
The survey “Mørketallsundersøkelsen 2018,” which was developed by Næringslivets Sikkerhetsråd (a member organization whose purpose is to prevent crime against businesses), concludes that a large part of the security breaches are carried out by the employees. The report shows that among the Norwegian companies that participated in the survey, the causes of security breaches were mainly:
- coincidence or bad luck
- human error
- lack of security awareness
- insufficient processes
- existing processes that were not followed
There were also cases where systems were abused deliberately and disloyal employees got access to the information.
An easy target
Often, employees regard security as an obstacle to getting their work done satisfactorily, and lack understanding of the reasons for the safety rules. They are considered the weakest link in a business and an easy target for attacks such as social hacking, identity theft and abuse of access. Yet the employees have traditionally not been a priority in the company’s security strategy. Thus, management does not know how employees will relate to any attacks, which in itself constitutes a significant threat.
The requirements for control have increased
It is crucial for a company to have good communication about safety requirements for employees and management, as well as to carry out and verify training on a regular basis. Control of information security is necessary. In the worst-case scenario, the opposite can have major financial and legal consequences. The introduction of the GDPR has also increased the requirements a company has for control, and the government’s more frequent use of sanctions for breaches further reinforces the need.
Our security experts can help your business
We have security experts who can help your company identify the current situation and suggest specific actions. We can run the process of safety training among the employees, as well as present to the board their responsibilities regarding the company’s security controls.
Isn’t it about time to get this under control?