I can’t tell you how many managers and business owners have told me that their employees take security seriously. They have their training and they talk about security in their organization on a regular basis. Yet before I finish my onsite visit, I invariably identify numerous security issues as part of the gap or risk assessment. Someone shares a password with someone else, or the new intern just clicked on a malware link.
Most business leaders believe that their people are secure. Everyone wants to think the best of their personnel, but the reality is that basic security best practices are broken in your organization all the time.
Your own people are your greatest threat to your company’s cybersecurity. Study after study shows it to be true, and my own experience with clients confirms it. If you don’t assume that your employees are a weak link in your security chain, you’re setting your organization up for a very costly data breach.
The good news is, you can greatly improve your security, if you know where the most common weaknesses lie. Let’s look at the common cybersecurity mistakes and how you can improve your company’s safety.
Common Ways Your Employees Are Putting Your Company at Risk
There are any number of ways that employees can put your company’s cybersecurity at risk, but here are the most common issues that I see when consulting with clients. If you’re on the lookout for these issues, you’ll be in a better position than most organizations.
- Not recognizing phishing emails. Most people don’t take the time to understand how to spot an email scam. Know the common telltale signs and slow down before taking action.
- Physical security. Holding the door for the person behind you is a common courtesy, but it can open the door (literally) to an attacker.
- Sharing passwords. I can’t tell you how many times I’ve seen multiple people with access to the same account.
- Making bad password choices. For example, reusing the same password across different applications, or building passwords from predictable patterns.
- Tossing sensitive information in the trash instead of using secure shredding.
- Performing testing without following the guidelines and processes that close up the holes opened during the testing process.
Most of the time, people think they’re doing the right thing. It’s rude to shut the door when someone is right behind you. It seems safe for coworkers to share passwords when they both need access to the same application. Certain processes have “always been done this way,” were previously approved by management, and no one even thinks about it anymore.
For most organizations, these kinds of security risks are happening every day. But you can protect your company with some basic best practices.
Protect Your Company from Your Employees
Do the obvious stuff
Hopefully, you’re already providing annual security awareness training. If not, start. And take security seriously in general. I’ve talked to countless organizations where everybody rolls their eyes at the idea of security awareness training. I get it — it’s boring as hell. But this kind of thing can literally save your company from an attack that puts you out of business — and that’s not an exaggeration.
Create a culture of compliance
It is absolutely necessary for your executives to breed a robust culture of compliance in your company. It has to start from the top, or it won’t happen. That means management can’t treat security activities as a cost. Rather than seeing it as a burden on the organization, treat security awareness as a vital investment. It’s a primary protection mechanism for your company — a protection that cyber liability insurance won’t provide.
Corporate security is driven by the actual culture of your organization — not the stated culture, or the lip service that’s given to compliance assessors. Consider how people really act, day in and day out. What’s the normative behavior for employees and managers, and what are the unspoken assumptions that people operate under?
When you breed a culture of compliance, you have more eyes and ears watching out for your company’s protection. More people are aware of risks, and they make a habit of doing the right thing.
Implement security reminders
Use a good, proactive security reminder system. I’ve seen companies that kind of whitewash it — they use a Word Art program and paste a security platitude on a sheet of paper, then post it on the back of the bathroom door a couple times a year.
Your security reminders need to be meaningful, helpful, and engaging. They should equip your people to be more effective and more aware of security issues. TCT posts quarterly security reminders on our blog, which you can pass along to your employees.
Get a risk assessment
Hire a third party to go in on a regular basis and perform a risk assessment. An outside risk assessor will see things you don’t see, simply because they aren’t as close to your daily operations as your people are. They’ll spot issues you never notice, because that’s just the way you’ve always done things.
Make it positive
While it’s important to take cybersecurity seriously, don’t become a security tyrant. You don’t want your employees to be afraid of getting caught making a mistake. Encourage reporting where improvements need to be made, but never shame anyone or call anyone out by name.
Make security practices as positive an experience as possible. Encourage collaboration and ownership of the process. Provide incentives for individual contributions.
Finally, give your security program the time it requires. You can often benefit from changes in the short term, but this won’t be an overnight process. It could take years to evolve your security culture.