According to the Office of the Australian Information Commissioner, of the organisations reporting data breaches in the last quarter, more than one third of them could put those breaches down to failings in their security culture.
Among the litany of human errors that lead to data breaches, sending emails containing personal information to the wrong recipient is alarmingly common. Other all too familiar errors involve the loss or theft of paperwork, or storing data in an insecure location such as a public cloud server.
So, while ransomware, malware, and phishing grab the lion’s share of cyber security threat headlines, in reality a large number of incidents involve employees failing to follow well-known security best practices. Data breaches stemming from inadvertent and unintentional human error shine a light on serious failings in the organisation’s security culture.
It’s the same across the globe. For example, in the UK, a headline in The Register said it all: “Cock-ups, rather than conspiracies, top self-reported data breaches.” There, according to the report, 2,124 incidents in 2017-18 were the result of employee mistakes or incompetence.
Any security measure your organisation deploys can be undone by employees who, knowingly or unwittingly, violate IT policies at their desks or on mobile devices.
Addressing the human factor
In fact, one of the key lessons we can learn from the UK data and the first six months of Australia’s Notifiable Data Breach scheme is that every organisation can improve its ability to stem the tide of breaches caused by employee error or negligence.
For all organisations, effective cyber security goes beyond technology. You must address the human factor through an enhanced security culture, robust data management processes and fully trained employees.
As we mentioned in a previous post, the massive data breach at Equifax stemmed from a single employee failing to follow the company’s security protocols. In this particular case, the employee failed to implement software fixes for a system vulnerability.
Developing a security culture
Without adequate training, some potentially dangerous behaviour might not be considered risky behaviour by employees. All too often, complacency puts customer data at risk. Without training, why would an employee bother to lock their unattended PC or worry about leaving their meeting notes out on a desk?
Many employees are simply unaware of the ways in which they expose their workplaces to potential breaches, which is why education is key.
With an effective security culture, you empower employees to follow cyber security principles and make the “right choice”, whether that is choosing not to open an attachment from a suspect email or declining an unauthorised request from a co-worker to patch software.
Part of developing a security culture involves setting down stringent and enforceable BYOD policies that dictate what security measures BYOD devices are required to have. In addition, it’s vital to use mobile device management (MDM) software to enable remote locating, locking and wiping lost devices.
Communicating security protocols
As part of a security culture, it’s important to communicate security protocols employees are required to follow, such as:
- Setting devices to lock automatically when not in use
- Ensuring antivirus and anti-malware software is up to date
- Ensuring software updates and patches are completed in a timely manner
- Helping employees recognise suspicious emails
In addition, you can teach employees how to encrypt hard drives and USB drives before they put any work-related information on them, and provide access to corporate data from a central location so that users have a simple mechanism for secure remote access.
When it comes to security policies, it’s important to simplify processes for users. If understanding a privacy statement or authenticating a new mobile device is time-consuming or confusing, users will in all likelihood ignore the process in order to get on with their work.
Engage an expert
It’s important for employees to understand their actions could have serious security implications. For help putting security best practices in place, contact the security team at imei and find out how to enhance your security culture.