Your Employees are the biggest threat to data security
Cybercrime has tripled since the beginning of the pandemic.
Working from home. Unprotected networks. Personal devices.
Security is simply harder to control with hybrid work.
A lot rests on your employees – even if you invest in employee cybersecurity training.
But especially if you don’t.
Let’s face it, you have at least one employee who uses the same password for their work account and their Facebook profile.
And that password is tragically “123456.”
Now get this: 64% of financial services have thousands of sensitive files open to every employee.
All it takes is for a cybercriminal to get (or guess) the password to any one of your employees’ accounts, and you could lose sensitive information and your clients’ trust.
Not to mention the potential lawsuits and other expenses.
Well, that won’t be you though, right?
That’s what we figured.
So today, we’ll talk in-depth about why employees are the biggest threat to your data security and show you what you can do to minimize the risks.
Employees, Really Your Biggest Security Risk
It’s worth highlighting the difference between intentional and unintentional employee behavior causing security risks.
We’re not pointing fingers and saying your employees are definitely up to something.
It happens. But most data breaches in professional services are caused by:
| Cause | What it means |
|---|---|
When it comes down to it, both malicious activity and employee negligence are dangerous to your company.
Here are some consequences you could face:
- Data loss – client information like bank accounts and other sensitive data
- Getting sued for the damage
- Having your site blacklisted and losing most of your traffic
- Tanking your SEO and your Google ranking
- Ruining your client relationships
- Dealing with huge expenses (especially if you get infected by ransomware, wherein you have to pay the hacker to recover access to your system)
- Rebuilding your online presence from scratch
- Going out of business
And these are real cybersecurity risks for small businesses as much as, if not more than for big companies – because the big guys can afford all the tools to defend themselves, and hackers know it.
That’s why 43% of cyber attacks target small businesses.
So what about other cybersecurity issues? And aren’t hackers going to attack even if you take care of your employees’ habits?
It’s true – you can’t completely eliminate all vulnerabilities.
But there are a few things you need to know about modern cybersecurity threats:
- Security threats didn’t use to be so personal, but 82% of breaches in 2022 involved a human element – clever traps like phishing scams take advantage of human error instead of going straight for your company’s front door.
- The lines between personal and professional have never been more blurry with employees accessing work from personal devices, some of which are shared between household members – and open to attacks.
- Unaddressed, your IT security depends on your employees’ security hygiene, circumstances, education, and goodwill.
The bottom line?
Monthly website maintenance is essential, but it’s not the end of the story.
Your employees are by far the biggest threat to your security and the one you should be focusing on to eliminate preventable breaches.
We’ll get to how in a second.
But let’s take a step back and see exactly what we’re dealing with here.
What’s Potentially Going Wrong?
These are the main causes of security breaches:
- The switch to working from home
- Negligence or careless behavior
- Intentionally stealing and distributing information
- Use of personal devices, or multiple devices
- Lost USBs and laptops
- Shared passwords among team members
- Use of third-party file-sharing and storage websites
Given how nonprofits, professional services, and retail are rated as some of the top targets for hackers, it’s worth reading how you might be making it easy on them.
The switch to working from home
It’s not just the switch.
It’s what it entails if poorly managed, i.e., insecure WiFi, shared accounts, and unencrypted emails.
For example, maybe Linda is aware of malware threats, never falls for phishing attempts, and knows better than to use a single password for everything.
But she shares an account with her husband, Larry. And Larry’s not the type to think twice about security – he’d give his information away for a coupon or some coins to spend in a game.
So now your sensitive data is at the mercy of whoever takes advantage of Larry.
Remote work is, by default, less under your control.
You don’t see your employees, and more importantly, you don’t have much say in their environment, and often the equipment and software they use.
Or their choice in spouses.
You depend on their personal security measures unless you educate them on it (we’ll get to that later).
Negligence or careless behavior
Negligence is just that: not intentionally causing harm, but not caring or knowing enough to follow even some basic safety measures.
- Not locking computers or accounts
- Using one password for everything
- Falling for phishing emails, etc.
Infiltrated employee email was the source of a data leak for a large medical nonprofit, People Inc., in 2019.
The leak involved:
- Medical and financial information
- Health insurance details
- Social security numbers
- Government IDs
- Other sensitive customer data
Thankfully, the company managed to react on time and prevent the problem from spiraling further.
But imagine if they didn’t monitor for breaches? What if they waited a bit longer before changing the weak password that compromised their security?
The story could have ended way differently.
Intentionally stealing and distributing information
Shopify had such an incident where two (now ex) employees stole customer information from almost two hundred vendors in 2020.
Shopify’s shares fell by 1% over the following week.
Goes to show how easily company data can be misused and what a massive impact that can have on the public perception of the company.
This is one of the more unpredictable insider threats.
Still, there are things you can do to mitigate the risk, and it’s worth stating that micromanagement is not the answer.
The key is probably closer to good hiring processes, solid security policies, and yes, employee cybersecurity training.
Use of personal devices, or multiple devices
We’re not only talking about remote work.
Bring your own device (BYOD) is a trend that makes employees more productive in the office and helps companies save money.
But the use of personal devices brings its own safety risks.
For example, an employee could be using the notes app on their mobile device to keep track of different passwords, giving access to company records to anyone who finds it.
Or they could download a file with a virus to their device and spread it the next time they log into work.
It’s too easy.
Lost USBs and laptops
This one is pretty straightforward.
If the account isn’t locked, a lost device could be a real safety hazard.
There are steps you can take to protect yourself in case your laptop gets stolen or lost:
- Activating “find my device” options to have your laptop’s location visible on the map
- Encrypting your data (and not leaving passwords on a sticky note)
- Having regular backups
- Never leaving your laptop unattended or in a room others can access, etc.
Your employees are probably not doing all of the above.
Maybe they’re looking at it as just a piece of hardware they can replace, so it’s on you to initiate the talk and make sure they are taking precautions for data protection.
Shared passwords among team members
The risk of careless mistakes is higher per password if it’s shared.
Simple scenario: Employee A forgets the password and asks employee B. Employee B sends it over in Slack.
Somebody gains access to either employee’s phone or Slack and the password is right there, up for grabs.
The problem doesn’t end there.
Because you don’t know who is using the account when, it’s hard to say if there’s unusual activity on it.
New device? Could just be a colleague.
Or an attacker.
It gives you less time to react and leaves you vulnerable.
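The attribution problem above can be shown with a small detection script. This is an added example, not code from the original post: it builds a per-account set of known device fingerprints from a baseline period in some constructed login records, then flags later logins from unseen devices. For an account with one owner the alert can be confirmed with that person; for a shared account (here the constructed "billing-shared") the same alert cannot be attributed to anyone, which is exactly the delay the post describes. Account names, device ids and the log format are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample login records (not from the original post).
# Each line: ISO timestamp, account, device fingerprint, source network.
SAMPLE_LOGINS = """\
2024-03-01T08:55:00Z account=alice device=mbp-a1 src=office
2024-03-01T09:02:00Z account=billing-shared device=win-b7 src=office
2024-03-02T09:10:00Z account=billing-shared device=win-c3 src=office
2024-03-02T18:40:00Z account=alice device=mbp-a1 src=home
2024-03-09T22:15:00Z account=alice device=unknown-9f src=cafe
2024-03-10T03:30:00Z account=billing-shared device=unknown-e2 src=vpn-exit
"""

# Hypothetical mapping of accounts to the people allowed to use them.
# A shared account has several owners, which is what breaks attribution.
ACCOUNT_OWNERS = {
    "alice": ["alice"],
    "billing-shared": ["bob", "carol", "dave"],
}


@dataclass
class Alert:
    when: datetime
    account: str
    device: str
    owners: list
    attributable: bool  # True only when exactly one person could have logged in


def parse_logins(text):
    """Parse the constructed log format into (timestamp, fields) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        # Python < 3.11 does not accept a trailing 'Z' in fromisoformat.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((when, fields))
    return sorted(records, key=lambda r: r[0])


def detect_new_devices(log_text, owners, baseline_days=7):
    """Learn known devices per account during the baseline window, then
    alert on any later login from a device not seen in that window."""
    records = parse_logins(log_text)
    if not records:
        return []
    cutoff = records[0][0] + timedelta(days=baseline_days)
    known = {}
    for when, f in records:
        if when < cutoff:
            known.setdefault(f["account"], set()).add(f["device"])
    alerts = []
    for when, f in records:
        if when < cutoff:
            continue
        if f["device"] not in known.get(f["account"], set()):
            who = owners.get(f["account"], [])
            alerts.append(Alert(when, f["account"], f["device"], who, len(who) == 1))
    return alerts


if __name__ == "__main__":
    for a in detect_new_devices(SAMPLE_LOGINS, ACCOUNT_OWNERS):
        status = "ask the owner" if a.attributable else f"unattributable ({len(a.owners)} possible users)"
        print(f"{a.when:%Y-%m-%d %H:%M} {a.account}: new device {a.device} -> {status}")
```

Each alert carries the list of possible users; a triage queue can auto-route single-owner alerts to that person and escalate the unattributable ones, which is the practical cost of shared credentials.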
Use of third-party file-sharing and storage websites
Dropbox, Google Drive, and other cloud solutions are very useful for storage.
They’re usually well-protected, too, but not always from the users’ endpoint.
Your employees could be copying your files to their own storage, accidentally leaving them publicly accessible, or sharing them with people without your knowledge or permission.
Again, they’re probably not malicious insiders – they just don’t know it’s a big deal.
So you have to tell them.
The good news is that once you get your employee cybersecurity training sorted, most of these problems are preventable.
So it’s time we discussed what that should entail and how to execute it to perfection.
Employee Cybersecurity Training: The Key to Prevention
It’s not enough to invest in security programs.
For them to work, you need to teach your employees the benefits of using them – so they see them as useful tools, rather than some annoying, time-consuming process being forced on them by management.
Don’t get mad at them for not knowing something you never taught them.
So, how do you approach the topic?
First, by acknowledging that it starts at the top.
Yes, your employees are the biggest threat to data security. And yes, they need to do their part.
But it’s your responsibility to bring up cybersecurity, stress its importance, and provide the tools and education they need to do better.
You need to help them understand their role in all that and how to keep you safe.
And you can take care of that in five steps:
- Set clear security expectations on day 1
- Run routine reminders and training
- Train employees on security from home before letting them work from home
- Implement data security best practices
- Remember to keep iterating and developing your cybersecurity documentation and systems
Don’t worry. We’ll explain everything.
Set clear security expectations on day 1
Don’t let this be one of those situations where everyone depends on one clever cookie to ask the question before they accidentally learn something important.
Talk about cybersecurity proactively and explain the consequences of a security incident:
- Loss or leak of important data like private customer information (e.g., donors’ financial records)
- Loss of customer trust
- 98% less traffic if your site gets blacklisted
- Damage and potentially lawsuits
People are much more likely to take you seriously if they understand why it’s important and exactly what could happen if they aren’t careful.
Most employees won’t intentionally break the rules – as long as they know they even exist, and why it makes good sense to follow them.
Then when you’re done talking… no you aren’t.
Run routine reminders and training
- An identification course on phishing attacks
- Regular training = not just a one-off course
- Train existing and new employees
- Set reminders to account for forgetfulness or inattentiveness
Employees want consistent, continuous education that directly helps them in their role. 80% of them believe regular courses are more important than formal workplace training.
In other words, they don’t want a singular lecture they’ll never revisit or information they don’t think they need.
That’s why employee cybersecurity training needs to become routine.
That and the simple fact that you’ll need to refresh their education as you iterate your security solutions and practices.
Train employees on security from home before letting them work from home
It’s best not to assume anything goes without saying.
People have varying knowledge and experience on the topic of security, but you need everyone to meet a certain standard to keep you safe – a single careless employee is all it takes for a breach.
You can’t afford to leave it up to chance. Here’s what you should cover:
- Safe and unsafe WiFi
- Data encryption and password hygiene
- Storage and sharing policy
- Keeping accounts locked
- Good practices for multiple or personal devices
And encourage questions to make sure you didn’t fail to specify important details.
Implement data security best practices
For example, strong passwords or 2FA (two-factor authentication).
Pro-tip: don’t just toss an alien term like two-factor authentication at your employees and rely on them to figure it out – show them the ropes. Who knows, they might unknowingly be using 2FA already and just need help connecting the dots.
And just in case you’re not sure either (we’re not judging):
2FA is a system that requires an additional credential besides your email and password to make sure it’s really you who’s logging in.
It could give you a couple of options to choose from, like:
“Have a pin sent to my phone” or “Send a confirmation link to my email.”
For example, here’s what that looks like when you try to sign in to your PayPal:
It can be really annoying – we know – but it’s a necessary extra layer of security:
60% of employees use the same passwords for personal and work accounts, and 67% of people use the same password for everything.
This is a huge risk for security threats as 61% of breaches happen due to compromised credentials.
It’s definitely worth explaining the benefits to employees. Just don’t go about it like some websites do:
“No, that’s a weak password. You need to add a number. Now it’s too short. Include at least one line from “Purple Rain” and donate your blood before proceeding…”
- Instead, give them all the information at once, and
- Teach them how to make a system where coming up with and saving new passwords isn’t a hassle
Otherwise, back to sticky notes they go.
Remember to keep iterating and developing your cybersecurity documentation and systems
You have to start somewhere. But with some due diligence and an expert in your corner, you can develop a bulletproof process to keep you protected.
And then you’ll tweak it…forever.
Yeah, it doesn’t sound too appealing.
But technological innovation comes with smarter, sneakier cybersecurity threats, which means you need to keep up with the best practices to keep them at bay.
Stay on the pulse no matter what.
But especially if you’re in a sensitive spot like shifting to a remote work environment – as we established, old systems won’t be enough.
Other Best Practices for Avoiding Internal Breaches
By now, you’ve seen that employees are the biggest threat to data security and how you can get a lot safer by training them.
But they aren’t the only threat, so we still have a bit more ground to cover.
Here are the other, non-training-related solutions you shouldn’t forget about:
- Staying on top of data storage and distribution audits
- Constantly monitoring website security breaches and taking quick corrective action
Here’s why and how to implement them.
Stay on top of data storage and distribution audits
We mentioned unsafe third-party storage earlier, and it’s a real risk to your safety.
But the need for storage remains.
You can’t really blame your employees if they have to make do because you didn’t set up a proper system, right?
So again, be proactive:
- Assess how much storage you’ll need (and keep checking it regularly)
- Create protected storage space with two-factor authentication
- Give employees access only to the things that concern them – don’t share everything with everyone
- Do regular audits to account for changes, like an employee shifting to a new role and no longer needing access to accounts and instructions for their previous responsibilities
- Make sure everyone knows there’s a safe way to get what they need so they don’t need to use anything outside the tools you give them to do their jobs
And keep auditing.
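Here is what such an audit looks like in code. This is an added example, not code from the original post: it compares the access each employee actually holds against what their current role entitles them to, and reports three kinds of findings the list above calls for: grants left over from a previous role, grants to people who are no longer employees, and sensitive resources open to everyone. The roles, resources and names are constructed sample data.

```python
# Constructed sample data (not from the original post).
# Which resources each role is entitled to.
ROLE_ENTITLEMENTS = {
    "accountant": {"ledger", "payroll"},
    "sales": {"crm"},
    "intern": set(),
}

# Current role per employee. Carol moved from accountant to sales last quarter.
EMPLOYEES = {"bob": "accountant", "carol": "sales", "dave": "intern"}

# Current grants: resource -> principals. "everyone" is the all-staff group;
# "erin" left the company but her payroll grant was never removed.
GRANTS = {
    "ledger": {"bob", "carol"},
    "payroll": {"bob", "erin"},
    "crm": {"carol", "everyone"},
    "board-minutes": {"everyone"},
    "customer-bank-details": {"everyone"},
}

# Resources that must never be open to the whole company.
SENSITIVE = {"ledger", "payroll", "board-minutes", "customer-bank-details"}

ALL_STAFF_GROUP = "everyone"


def audit_access(grants, employees, role_entitlements, sensitive):
    """Return findings grouped by type; every list is sorted for stable reports."""
    excess, orphaned, open_sensitive = [], [], []
    for resource, principals in grants.items():
        for who in principals:
            if who == ALL_STAFF_GROUP:
                if resource in sensitive:
                    open_sensitive.append(resource)
                continue
            if who not in employees:
                orphaned.append((who, resource))  # departed or unknown principal
            elif resource not in role_entitlements.get(employees[who], set()):
                excess.append((who, resource))  # beyond what the current role needs
    return {
        "excess": sorted(excess),
        "orphaned": sorted(orphaned),
        "open_sensitive": sorted(open_sensitive),
    }


if __name__ == "__main__":
    findings = audit_access(GRANTS, EMPLOYEES, ROLE_ENTITLEMENTS, SENSITIVE)
    for who, res in findings["excess"]:
        print(f"REVOKE {who} on {res}: not needed by role {EMPLOYEES[who]}")
    for who, res in findings["orphaned"]:
        print(f"REVOKE {who} on {res}: no longer an employee")
    for res in findings["open_sensitive"]:
        print(f"RESTRICT {res}: sensitive resource open to all staff")
```

Run on a schedule (and on every role change or departure), the output is a revocation list rather than a one-off report, which is what "keep auditing" means in practice.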
Constantly monitor security breaches and take quick corrective action
You should take all the measures to prevent security breaches, but nothing can ever make you 100% immune.
So sleep with one eye open.
Get expert help and figure out your website maintenance together.
Regular reports, a good security program like Sucuri (we use it, by the way), and swift reactions to red flags will do the job, and that’s something an expert can easily advise you on so you can sleep peacefully.
If only you knew an expert…
Pair Your Website Maintenance With Security Training
The benefits of cybersecurity employee training are indisputable: you know everyone’s on the same page about security and the risk gets minimized.
Security awareness training is the foundation of your company’s information security. Just remember that you have to keep iterating it.
If you mentioned security to employees two years ago and one of them makes a mistake, that’s not a good enough reason to suspect malintent.
When you get that sorted, you can leave the more technical part to security teams with expert know-how in keeping your system secure.
A good package like StateWP website maintenance and security support can be highly effective at protecting your website, especially when combined with the right internal training and awareness programs.
Reach out if you’d like help, or keep learning about improving your website security here.