Why are Employees a Risk to Businesses?
It's true that more and more business activities are moving online. With the level of ease and accessibly digitalisation has provided to businesses and their customers, and with internet connection becoming faster and easier to use (think free WiFi spots and mobile devices), it's more important than ever that we raise employee awareness as to cyber security risks.
What many employers don't realise is that the biggest risk to the organisation's cyber security is closer than they think; it's their employees. Although employee intentions are rarely malicious, a general lack of awareness and gaps in knowledge around the topic of cyber security could put the whole business in danger of a breach. Cyber criminals know that all they have to do is find one employee who may lack some knowledge or be otherwise distracted and exploit this in order to create an entry-point to the organisation's network and databases.
Fines introduced by the GDPR in 2018 threaten to take a huge toll on organisations who ignore their data protection and cyber security responsibilities (up to 4% of annual turnover or €20M – whichever is bigger). Paired with the negative effect that data breaches can have on the reputation of the business, these fines could mean serious trouble, particularly for SMEs and start-up organisations (with over 80% of SME business owners agreeing that online technology is vital to their business growth).
Cyber-security is not a one-off, box-ticking endeavour. Since both software and hardware are constantly developing, organisations need to remain constantly vigilant and instil behavioural best practices as a firm part of the workplace culture.
Some Common Risks from Employees:
According to the Ponemon Institute's '2016 State of Cybersecurity for SMEs', negligent employees are the number-one cause of data breaches, highlighting how organisations are failing both themselves and their workers when it comes to cyber security training.
Malware, like the WannaCry attack that infected NHS systems in 2017, can be introduced to organisations in many ways – most of which are entirely preventable if staff are vigilant, informed, and empowered to act on suspicion. One of the easiest ways for hackers to gain access to organisational systems and networks is by sending malicious links/attachments via email – usually disguised as something harmless or otherwise interesting. The same is true of Phishing attacks, which target victims by asking for personal data under the guise of legitimacy (e.g. a bank or online retailer requesting security details). Remember, cyber criminals can easily send tens of thousands of emails on the off chance that one will come to fruition; it only takes one employee in hundreds to make a mistake.
Another common risk from employees comes in the form of social media platforms. The average person can spend up to two hours on social media every day, so it's very likely that most of your employees will check out at least one of their accounts during break-times, possibly using a work computer. It's important to remind your employees that clicking on the wrong link or connecting with the wrong person on social media could lead to a cybersecurity breach for the entire company (not to mention their list of friends and connections on the platform). The more relaxed attitude we tend to have when using social media (compared to, say, communicating in an official capacity for work) can lead to lapses in judgement, which is precisely why social media awareness training should be included in any organisation's cyber security programme.
No one likes to waste time, especially at work, but it's important to remind your employees to install software updates regularly and to avoid putting them off whilst 'waiting for the right time'. Although network updates can more easily be scheduled overnight or by IT departments, employees should also be aware to update any mobile devices, such as laptops and tablet PCs, in a timely manner too. Out of date software doesn't just restrict the usability and operation of software – it leaves holes in security and anti-virus protection that hackers may already be aware of and be ready to exploit.
The Benefits of Educating Through Training
If you expect your employees to take cyber-security seriously, it's important that the influence starts closer to home, from the top down. Creating a culture where compliance is part of everyday work practices and behaviour is the best way to instil good practice as standard when it comes to cyber security, and compliance in general.
Employers should look to foster cultures wherein regular awareness training, personal accountability, and good standards of security are communicated fluidly and transparently throughout the organisation. Doing so can significantly reduce the risk of employees unwittingly breaching cyber-security.