
Considering the Human Factor in Cybersecurity

Data security is on the mind of most business leaders, and may even keep them up at night worrying about how to properly protect their business from attack and secure company and client data. Insurance products are ever evolving to address these risks and offer coverage that mitigates the cost of a data breach. Unfortunately, insurance is reactive to an event we all wish had not happened to begin with.

In 2016, there have been 43 reported data breaches in the banking/credit/financial industries, with 71,912 records exposed[1]. Other 2016 research found that 30% of phishing emails are opened, and that about 12% of recipients go on to click the link or attachment[2]. Another staggering piece of data indicated that 59% of employees steal proprietary corporate data when they quit or are fired[3].

Why are technology and cybersecurity professionals not enough?

The greatest risk of exposing your business data to a breach comes from your employees. Note the phishing statistic above: of the phishing emails that get past the security technology in firewalls and mail servers and reach an inbox, 30% are opened. So where is the final line of defense for your business data? It is clearly the employee who, not properly trained or not complying with policy and procedures, clicks that link and opens the door for the intrusion.

Have you ever toured a business office, not to see the pictures or the technology, but to observe and critique the employee offices, cubicles, and workstations? You will see unlocked computers with data visible on the screen, and personal devices such as phones and laptops left unsecured. You may observe flash drives sitting in computers with no locks, or sticky notes on monitors with passwords and login information. Examine a reception desk and you might find a plethora of information that would permit access to the computer system. Further, the fact that you can walk around observing all these issues and systems without being challenged means you might also have a chance to sit at a machine and load malware onto the device or network.

What does this all mean for you and your business? In addition to the technical protocols noted above, it is imperative to establish security policies and practices for the human factor, your workforce, which is your greatest risk.

5 Critical Components of a Cybersecurity Policy in your Employee Handbook

Here are five critical areas to cover in your cybersecurity policy to specifically, intentionally, and proactively address the risks directly related to the human factor of risk in the realm of cybersecurity.

  1. Password Security. Establish clear protocols for the selection and use of passwords. The harder a password is to guess, the harder it is for someone roaming around an office, or for an automated guessing tool, to break in. The password should include a combination of upper and lowercase letters, a number, and a symbol. Provide training on effective passwords, with guidance such as avoiding a password like Cashout1* and using C@$h0ut1* instead. Be aware, though, that predictable substitutions such as @ for a and 0 for o are tried automatically by password-cracking tools, so they add only marginal strength; length, or a multi-word passphrase, matters more than symbols alone, and a password manager removes the temptation to write passwords on sticky notes.
  2. Locking Computer Systems. It must be mandatory for employees to lock their computers whenever they leave their workstation, to prevent unauthorized use of or access to the system and network. While the technology can force an automatic lock after an idle timeout using screen savers and other applications, it only takes moments to breach an unattended machine, so holding the employee accountable for locking the machine immediately enhances your protection and improves security measures.
  3. Store and Lock Devices. Any portable devices, phones, laptops, and other machines that are wirelessly connected or networked to the system should be locked and put away whenever not in use. These devices can be picked up and taken easily, allowing the attacker the opportunity to take their time and attempt to gain access to the system through the device. This includes any portable or flash drives that are simply sitting in a USB port waiting to be stolen.
  4. Train Employees Frequently. Provide regular cybersecurity training to the workforce both to remind employees of their obligation to protect the data and to hold them accountable for their workplace actions.
  5. Perform Frequent Testing. Management should take steps to frequently test their security practices, including those controlled by the human factor, the employee. When gaps are identified, take affirmative steps to train and correct the practices so they do not become ingrained in the workforce, exposing your company to risk and liability.
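To make the password guidance in item 1 concrete, here is an added example (not code from the original article) that checks a candidate password against the handbook's composition rule and then shows why a leetspeak variant such as C@$h0ut1* is still weak: it undoes the common substitutions the way a cracker's mangling rules generate them and tests whether the remaining base is a dictionary word. The minimum length of 12 and the small embedded word list are assumptions; a real deployment would load a large breached-password corpus.

```python
import re
import string

# Constructed stand-in for a cracking dictionary (assumption: a real check
# would load a large list such as a breached-password corpus).
COMMON_WORDS = {"cashout", "password", "welcome", "letmein", "summer", "company"}

# Substitutions that password-cracking rule sets try by default, so they add
# little strength. Used here to map a mangled password back to its base word.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "i", "!": "i",
    "3": "e", "7": "t", "+": "t",
})

MIN_LENGTH = 12  # assumption: the article gives no length; 12 is a common floor


def composition_checks(pw: str) -> dict:
    """The handbook rule: upper, lower, digit and symbol, plus a length floor."""
    return {
        "length": len(pw) >= MIN_LENGTH,
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def normalize(pw: str) -> str:
    """Strip leading/trailing digits and symbols (the classic 'append 1*' rule),
    then undo leetspeak substitutions, yielding the base word a cracker started from."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return stripped.translate(LEET_MAP).lower()


def assess(pw: str) -> dict:
    """Combine the composition rule with the dictionary-variant check."""
    checks = composition_checks(pw)
    base = normalize(pw)
    variant = base in COMMON_WORDS
    return {
        "meets_composition_rule": all(checks.values()),
        "checks": checks,
        "normalized_base": base,
        "is_dictionary_variant": variant,
        "acceptable": all(checks.values()) and not variant,
    }


if __name__ == "__main__":
    # Constructed sample passwords: the article's two examples, a password that
    # satisfies the composition rule yet is a dictionary variant, and a passphrase.
    for candidate in ["Cashout1*", "C@$h0ut1*", "P@ssw0rd2016!", "correct-Horse9battery"]:
        result = assess(candidate)
        print(f"{candidate:24} base={result['normalized_base']:<10} "
              f"composition={result['meets_composition_rule']} "
              f"dictionary_variant={result['is_dictionary_variant']} "
              f"acceptable={result['acceptable']}")
```

Note that P@ssw0rd2016! satisfies every composition rule yet is rejected, while the longer passphrase passes without any leetspeak at all; that is the point a training session should make.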

Conclusion

Technology and cybersecurity professionals alone are not enough to protect your business from a data breach. The greatest risk comes from untrained employees, and from organizations without clear policies and procedures that model appropriate workplace data security behaviors.

[1] Data retrieved from http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2016.pdf.

[2] Data retrieved from https://www.bitsighttech.com/blog/data-breach-statistics.

[3] Data retrieved from https://www.bitsighttech.com/blog/data-breach-statistics.