How To Combat Security Stress In The Workplace

By Ian Pitt | November 8, 2018 | Updated: July 4, 2024 | 4 Mins Read

Work-related stress and mental illness now account for over half of work absences, according to figures released by the Health and Safety Executive (HSE). A further study from Kaspersky found that employees are also suffering high levels of ‘cyber stress’ in the workplace.

Every day, an estimated 6.3 million data records are stolen, and with GDPR now fully in force, preventing data breaches is top of the agenda for businesses of all sizes.

Employees are often encouraged to think of themselves as the first line of defence, but this places unfair pressure on staff if they’re not also equipped with the right tools and knowledge to do so effectively.

So what steps can businesses take to ease the pressure on staff, without compromising security?

Educate employees

Businesses should implement a security policy that provides guidance to employees on everything from password management and how to use their own devices securely to the dangers of public Wi-Fi and how to spot a phishing email. After all, some of the best technological defences can easily be undone by a social engineering attack.

Where employees are often the first line of defence for an organisation, passwords are often the first line of defence for accounts, so they should be a top priority in any policy. Unfortunately, many employees still practise poor password behaviour. A recent study found that 59 per cent mostly or always use the same password, even though 91 per cent know that this is a security risk. The same study also found that the lines between work and personal accounts are increasingly being blurred, with 47 per cent using the same passwords across both. Employees should be educated to combat risky password behaviour, including how to set a strong password and the importance of using unique passwords across accounts both at work and at home.

The policy should also ensure that multi-factor authentication is introduced across all work accounts. This can be anything from biometrics, such as a fingerprint, to behavioural analytics, or a one-time code. By doing this, an attacker will still need another piece of information to gain access to an account, even if they have the password and email.

Offering security training and guidelines to employees is a great way of raising awareness of security and taking the pressure off staff. But relying solely on education is not an effective means of ensuring that systems remain secure.

Invest in technology

As well as educating employees, companies of all sizes should invest in tools that aim to improve enterprise security, including anti-virus software, endpoint management software, and enterprise password management solutions.

Employees will often do what’s more convenient over what’s more secure, even if they’re aware of the risks. For example, a recent report found that in the UK, 10 per cent of employees were prepared to share credentials with co-workers. While this may not seem like a lot, in a 5,000-person organisation, there’s a risk that 500 are sharing passwords, in a manner that’s often unsafe unless the appropriate rules and protection mechanisms are in place. Similarly, 26 per cent of European employees are using social media credentials to sign into business accounts, and with the recent Facebook hack proving that even the biggest social media players aren’t immune to attacks, this is worrying for businesses looking to secure their data.

Roles and permissions should also be turned on, so that employees only have access to the information they need to carry out their job. After all, it’s hardly secure if a six-week intern can access and download confidential information such as financial details of staff and customers. And for long-term employees, there’s less risk of sharing the wrong information accidentally.

There’s no magic eight ball to predict the next threat to businesses, and there’s no guarantee that something that protected a business a year ago will still keep it safe today, or in six months’ time. But businesses need to take the burden of responsibility off employees, and work to make security both easy and convenient, without compromising data. Ideally, this should involve employee education and technology working in harmony with each other. Any company that relies exclusively on one over the other will be doomed to failure, and employees will find themselves struggling to plug the gaps of weak security architecture.

Ian Pitt

CIO
