The Innocent Spy: How Employees Unwittingly Become the Biggest Data Breach?

Not just phishing or disgruntled employees, companies today are sitting ducks to cybersecurity threats, courtesy portable devices

The first week of December 2018 witnessed what can be termed as a digital catastrophe. Thirty million O2 mobile users in the UK had their life at a complete virtual standstill. Deliveroo courier and Uber drivers could not go on with their normal work day. At the end of a whirlwind that lasted a good part of 24 hours, O2 said that an expired software by Sweden’s Ericsson was to blame for this chaos.

The outage was scary, our dependency on mobiles – scarier.

Ericsson did not want their week to go in utter chaos over the textbook ripple-to-wave problem. Its Chinese competitor Huawei was way ahead in the race of having a bad week. The U.S. raised a red flag with its rather voiced concern to its allies about the Huawei’s proximity with the Chinese government. It may look like the U.S. government is having some serious trust issues. But can anyone really vouch for the fact that there is no data back door installed at Huawei or for that matter Ericsson’s glitch was just an accident and not a deliberation? In the last few years, data breaches have dragged Facebook, Marriott, Cathey Pacific and many other organizations in a quagmire of chaos and public embarrassment.

Looks like we jumped into the era of portable devices without giving it much forethought.

You can call it a golden era when phishing e-mails were the only prominent data breach threat. And as it is with the golden eras, we christen them even when they are long gone. It is quite the irony that portable devices are personal, but the data security threat they pose can rattle organizations. A study by Shred-it, a data security firm, holds employee negligence as the main culprit behind data breach.

• 47% of business leaders agree that human error is the biggest pain point in data security.
• In 2017, data breaches made companies cough up $3.6 million on an average as cost. For many companies, this cost can mean the final knell.
• Do not jump to prepare a list of possible disgruntled employees and pin the blame on them. Just not yet. 25% of well-meaning employees say that they have a bad habit of leaving their computers unlocked and unsupervised.

More than half of the managers agree that work from home aka remote work is an increasing trend and a third of them think it is a future. While the very picture of sitting at the nearest café with espresso, while you work or working in your pajamas may look enticing, the entire situation has a big catch. Broadband at home may be secure, but what about on-the-go Wi-Fi? Can you vouch for the absence of any backdoors while you access sensitive work data through them?

One in five small business owners said that a security breach traced its way back to a vendor they employed. The disturbing part here is that over half of them do not have a standing policy for remote workers or vendors.

While companies are all sunshine while typing policies encouraging BYOD and IoT (Bring your own device and Internet of things) at the workplace, cybersecurity guideline becomes too mundane to draw attention. Symantec, a cyber-security company said that only 14% of companies actually implemented a basic cybersecurity guideline.

If we go by the facts above the first step for HR should be drafting a written cybersecurity guideline. But, moving on a heavier note, a written draft is just not enough. A secure office network and a ‘clean’ laptop/computer are what IT support-team provides on the joining day. As time goes by, there are some urgent software installations and going through the IT looks like a drag. Employees bypass the IT and with BYOD it is so much easier to be the rookie IT of own devices.

• Downloading software without notifying IT is an integrity issue. Detailed background checks of employees before they go through onboarding help you to be sure of your hire. A major flaw with background checks is that people are rarely brutally honest.
• What starts with a background check should follow-up with regular audits. Start by preparing a checklist of devices that you gave the employee during onboarding and any personal device, which acts as an access point for office data. Have a monthly audit or check for devices. Keep it a surprise.
• While some of your employees might go pseudo-technocrats on devices, there will be a big majority of them who need training in basic data safety procedures (including the pseudo technocrats). Encourage them to speak up if they see any possible data breach.
• Know who accesses what in the organization. It is good to be open in communication, but that is no excuse for callous giving away the most sensitive data to almost everyone in the organization. Have a clear territory of data sharing and when it comes to confidential data, restrict their on-the-go access.
• Employees post on social media and access office files with the same device. While accessing email on-the-go is almost a second nature to organizations, keeping a check on these access points won’t hurt much.

There is no denying of the fact that we are not wearing the best armor to fight in full-strength against a security threat. Staying alert and knowing the possible points of breach to take a proactive stance may very well be the best bet. We need to work on our basic security habit. Talking about habits. What is one data security bad habit that you think is a high risk? How do you identify a maleficent employee? Are your onboarding and exit policies in tune with data security protocol?