Your staff might be your biggest asset. Or risk.
It’s a bit of a cliché that your staff are your biggest asset. Of course, there’s truth in clichés – your staff are where ideas are tested and performed; they’re the face of your business – where sales are made and customers are satisfied; and your star players can be the driving force behind your business growth and profitability.
But, how much thought have you given to the risks that are inherent in your staff? We’re not robots and we make mistakes. Mistakes that occur from either inexperience, complacency or even downright rebellion to rules and processes.
In this month’s blog, we touch on the five main areas of staff risk that relate to information security and what you can do to minimise these risks.
You might ask a staff member to get rid of some sensitive information. A few scenarios might play out here:
– A flash drive is thrown away. The problem here is the critical information is still held on that asset – what happens if it falls into the wrong hands?
– The paperwork is thrown into the general recycling. It should have gone through a shredder first.
– The staff member forgets. You now have some sensitive information lying around that you should no longer hold on file – you could be in breach of privacy laws.
The key takeaway here? Confidential or sensitive electronic and paper information must be disposed of securely (and promptly) to reduce the risk of falling into the wrong hands or unwanted disclosure.
You might ask your staff member to email a document with some sensitive information.
The staff member sends the attachment, but enters in the wrong email address. It goes to a third party – a customer. The email attachment has private information like delivery instructions and bank account details. It is too late to recall this email.
Some email providers have a confidential mode to help protect sensitive information from unauthorised access.
For example, Gmail’s confidential mode allows you to:
set an expiration date for messages or revoke access at any time. Recipients of the confidential message will have options to forward, copy, print, and download disabled.
However, a malicious recipient could still take a screenshot or photo of the sensitive information, so this mode is not completely without vulnerabilities.
According to a 2017 study carried out on 2,000 UK workers by Egress Software Technologies Ltd, a UK based data privacy and risk management company, “more than one in three workers (35%) have sent an email to the wrong person, while nearly half (46%) have received an email clearly intended for someone else.” Although this is an overseas study, it is a handy illustration of the prevalence of this issue.
Sending emails to the wrong person is embarrassing at the least and criminal at the worst.
Some systems can now detect if you’ve added an incorrect recipient to an email or mistyped an email address. It’s best to also check and update your email settings – so that emails don’t get released immediately, and you can stop them from sending if you’ve noticed an error.
Remember, wherever possible, sensitive information should be encrypted.
Complacency and forgetfulness
Surprisingly, given our heightened awareness of scamming, hacking and other malicious activity, you will still find staff members who:
- Have very weak passwords.
- Write their passwords on a post-it note and stick it under their keyboard.
- Share their password with others.
- Open attachments without looking carefully at the source.
- Print out documents with sensitive information and leave them on their desk.
- Take an important flash drive or other form of movable media home (including laptops, tablets or work phones) and leave it on the bus.
Lack of vigilance or understanding
Other vulnerabilities happen when staff sign up for a cloud storage system, not fully understanding or complying with company policy and start sharing information there.
Infosec explains the vulnerabilities of cloud storage systems well:
“Users who are not vigilant may place sensitive data in publicly accessible folders. It is also possible that users may “accidentally” move sensitive files to locations that are synchronized automatically with publicly accessible external locations without being aware of doing so.”
Broken record here: Wherever possible, sensitive information should be encrypted.
Staff may be providing support for a system that they have little or no experience in. Bad input breeds bad output.
This can be overcome by creating a culture of ongoing development and awareness. Training should be seen as a non-negotiable investment.
Which leads us onto the three main areas where you can increase staff awareness of risks around your information security:
Skills, Accountability and Knowledge
It’s up to you to ensure that your staff are equipped with the skills they need to do their job well. Skilled staff make less mistakes, are more careful with their work and create a strong reputation for your brand. Skills training includes ongoing development and educating your staff when new systems or technologies are introduced.
With accountability, staff need to know what to do when things go wrong and that there are consequences to their actions. Done right, a culture of accountability helps increase engagement and communication, and minimise complacency. Of course, it’s important to create an environment where employees can be open when they have made a mistake and feel confident of approaching you promptly.
And lastly, knowledge. Do your staff know company policies and processes around information security? Do they know what steps they need to take if something has gone wrong? Do they know the rules around file sharing and disposing of information correctly? Make all of your staff aware of key policies, standards, and expected behaviours, and make sure that they regularly refresh their knowledge so that information security remains front of mind.
Equip your staff. Protect your business.
The IT Psychiatrist knows technology and understands the vulnerabilities that surround the sending, sharing and disposing of your sensitive information. That’s why we can design and develop best practice policies, processes and strategies, so that you feel confident that your information is as secure as possible, and that your staff feel equipped to follow best practice.
If you want industry-leading and best practice IT policies, processes and strategies, or a part-time IT manager to help you make some changes, please give us a call.