October 17, 2018 By Kacy Zurkus

Between bring-your-own-device (BYOD) policies, shadow IT and an increasingly mobile workforce, companies today face a broad potential attack surface created by employee negligence. When it comes to information security, offsite and remote workers, vulnerable paper trails, unattended computers and a host of other forms of employee negligence pose increasing risks to U.S. companies.

“Risky employee behavior and bad habits, coupled with a lack of employer-led training, is not only breeding a culture of lax information security, but is posing serious legal, financial and reputational risks to U.S. businesses of all sizes,” said Monu Kalsi, vice president of Shred-it.

How Can Companies Train Out Employee Negligence?

Many of the riskiest offenses are ones that employees might not even consider potentially negligent or dangerous behavior, such as leaving a computer unlocked or unattended when leaving the office for the day. These might seem like small oversights, but they can have dire consequences.

Many enterprises now include security training in their onboarding process to teach end users about data protection and cybersecurity best practices. Unfortunately, those efforts often do not extend beyond the first month or so of work.

When training programs occur infrequently, employees are less likely to retain essential information, leaving them unprepared to act in accordance with the security guidelines in place. A lot changes in a year’s time, and you’ll need your employees to know about those changes in order to fix their habits.

Establishing Remote Control Over Mobile Security

Despite the ongoing increase in remote workers, as reported in Gallup’s “State of the American Workplace Report,” security training and best cyber hygiene practices are still not a priority among U.S. businesses, according to Shred-it’s “2018 State of the Industry Report.” The latter survey found that over half of small business owners have no policy in place for remote workers.

“Training needs to address the evolving status of your business and the industry in general, which means it needs to be frequent and ongoing,” Kalsi said.

How to Create a Security-Focused Culture

Forty-seven percent of C-Suite executives and 42 percent of small business owners reported internal human error as the source of data compromise in Shred-it’s study, reinforcing the critical need to increase employee awareness around data security.

“In order to establish a culture that is committed to data security, training must be continuous,” Kalsi said.

The problem is that so many organizations don’t really understand what continuous training entails. What does the curriculum even look like?

“Conducting regular information sessions and providing accessible training opportunities for staffers both old and new is a great rule of thumb to ensure all employees have resources available to them to help them understand your company’s security policies,” Kalsi said.

Implementing regular review procedures can also help to identify issues as soon as they arise so that you can be sure sensitive information is handled properly in daily functions across the business. Vetting and training internal staff is just as important as evaluating external partners before working together and exchanging sensitive information.

Don’t Forget About Non-Cyber Risks

Although seldom discussed, mistakes in the treatment of physical data can also lead to a breach. For example, the U.S. Department of Homeland Security experienced a breach back in February when an employee left Super Bowl security plans in the seat pocket of a commercial passenger plane, as reported by CNN.

“Of course, mistakes happen,” Kalsi conceded, “but establishing a culture that equally prioritizes physical and cybersecurity ensures that employees are as prepared as possible.”

Updating the workplace policy to reflect all of these lesser-known security risks is key to arming staff with the knowledge and skills they need to effectively protect your business. Teaching employees basics like how to properly dispose of a hard drive will significantly reduce your risk of a breach.

“As long as hard drives are still physically intact, all private information can be retrieved,” said Kalsi. “This means that if your hard drive disposal process includes erasing, reformatting, wiping or degaussing, you’re still vulnerable.”

Employees need to understand the pain points where both physical and digital data could be at risk. Consistently reminding employees to be security-aware in their daily habits will help reshape the way they perceive data security and your organization’s priorities overall.
