Between bring-your-own-device (BYOD) policies, shadow IT and an increasingly mobile workforce, companies today are wrapped up in broad potential attack surfaces from employee negligence. When it comes to information security, offsite and remote workers, vulnerable paper trails, unmanned computers, and a host of other forms of employee negligence pose increasing risks to U.S. companies.
“Risky employee behavior and bad habits, coupled with a lack of employer-led training, is not only breeding a culture of lax information security, but is posing serious legal, financial and reputational risks to U.S. businesses of all sizes,” said Monu Kalsi, vice president of Shred-it.
How Can Companies Train Out Employee Negligence?
Many of the riskiest offenses are ones that employees might not even consider potentially negligent or dangerous behavior, such as leaving a computer unlocked or unattended when leaving the office for the day. These might seem like small oversights, but they can have dire consequences.
Many enterprises now include security training in their onboarding process to teach end users about data protection and cybersecurity best practices. Unfortunately, those efforts often do not extend beyond the first month or so of work.
When training programs occur infrequently, employees are less likely to retain essential information, leaving them unprepared to act in accordance with the security guidelines in place. A lot changes in a year’s time, and you’ll need your employees to know about those changes in order to fix their habits.
Establishing Remote Control Over Mobile Security
Despite the ongoing increase in remote workers, as reported in Gallup’s “State of the American Workplace Report,” security training and best cyber hygiene practices are still not a priority among U.S. businesses, according to Shred-it’s “2018 State of the Industry Report.” The latter survey found that over half of small business owners have no policy in place for remote workers.
“Training needs to address the evolving status of your business and the industry in general, which means it needs to be frequent and ongoing,” Kalsi said.
How to Create a Security-Focused Culture
Forty-seven percent of C-Suite executives and 42 percent of small business owners reported internal human error as the source of data compromise in Shred-it’s study, reinforcing the critical need to increase employee awareness around data security.
“In order to establish a culture that is committed to data security, training must be continuous,” Kalsi said.
The problem is that so many organizations don’t really understand what continuous training entails. What does the curriculum even look like?
“Conducting regular information sessions and providing accessible training opportunities for staffers both old and new is a great rule of thumb to ensure all employees have resources available to them to help them understand your company’s security policies,” Kalsi said.
Implementing regular review procedures can also help to identify issues as soon as they arise so that you can be sure sensitive information is handled properly in daily functions across the business. Vetting and training internal staff is just as important as evaluating external partners before working together and exchanging sensitive information.
Don’t Forget About Non-Cyber Risks
Although seldom discussed, mistakes in the treatment of physical data can also lead to a breach. For example, the U.S. Department of Homeland Security experienced a breach back in February when an employee left Super Bowl security plans in the seat pocket of a commercial passenger plane, as reported by CNN.
“Of course, mistakes happen,” Kalsi conceded, “but establishing a culture that equally prioritizes physical and cybersecurity ensures that employees are as prepared as possible,”
Updating the workplace policy to reflect all of these lesser-known security risks is key to arming staff with the knowledge and skills they need to effectively protect your business. Teaching employees basics like how to properly dispose of a hard drive will significantly reduce your risk of a breach.
“As long as hard drives are still physically intact, all private information can be retrieved,” said Kalsi. “This means that if your hard drive disposal process includes erasing, reformatting, wiping or degaussing, you’re still vulnerable.”
Employees need to understand the pain points where both physical and digital data could be at risk. Consistently reminding employees to be security-aware in their daily habits will help reshape the way they perceive data security and your organization’s priorities overall.