Are employees the biggest security threat in your business?


When asked what makes a complete network security solution, what’s the first thing that comes to mind? The most common answers are generally:

  • antivirus software,
  • firewalls, or
  • email filtering

They are all right answers. Companies invest a lot of their network security efforts against external attacks, but it’s easy to overlook the greatest cyber threats lurking within your own network.

Yes, believe it or not, your employees are walking security threats. Security measures breed the mentality that nothing will get through, regardless of how unsafe the practice. Because of this attitude, many businesses tend to have lax internal security. When dealing with employee threats, there are three key factors you should address.

1. Unsafe habits

Careless employees who don’t know how to protect themselves online are as dangerous as any malware. Even the strongest antivirus software or cloud security means nothing unless you can protect the business from reckless employees who click links in suspicious emails or visit untrustworthy websites. In fact, a study from the Ponemon Institute found that Australian companies are more likely to experience data breaches caused by employee negligence than by external attacks.

When left unchecked, employees can accidentally, and sometimes intentionally, leak company secrets and expose workstations to malware, which takes a toll on your business. To minimise the damage caused by employee negligence, create a code of conduct agreement for employees. This details how they should manage private data and what the consequences are if they voluntarily leak sensitive information. Afterwards, train personnel to detect and avoid the most common social engineering scams.

With the rising popularity of bring your own device (BYOD) policies, it’s also imperative to prepare your staff for cyberthreats they may encounter outside of the workplace. Connecting to unsecured public Wi-Fi hotspots, for instance, allows attackers to capture data travelling over those networks. Whatever the threat may be, it’s up to business owners to instil values of critical thinking and safe web practices, keeping you, your employees and your business out of harm’s way.

2. Losing devices

Ransomware and phishing scams may grab the headlines, but lost or stolen mobile devices continue to be one of the leading causes of data breaches in Australia. According to the Australian Mobile Telecommunications Association (AMTA), approximately 100,000 mobile phones are reported lost or stolen in Australia each year.

The optimist in us wants to believe the private data contained inside our phones remains untouched, but that’s usually not the case. Smartphones are a portal to nearly every aspect of our lives. They can contain everything from intimate details of our personal lives on social media to sensitive company data. It’s also the very information that would-be thieves seek to exploit.

Of course, responsible iPhone or Android users keep their phones secure with lock passcodes to deter prying eyes. However, passcodes are no more foolproof than any other password or PIN. They can be guessed or cracked in seconds using brute force tools like XRY. The point is that passcodes really shouldn’t be the only system protecting smartphone data.

Businesses that enlist the help of a trusted service provider can track misplaced phones, remotely lock mobile devices, and wipe all the data from a stolen device. More importantly, companies should set policies on what company data employees can access on their smartphones and how they should respond to smartphone theft.

3. Poor password management

Chances are, your employees are recycling two or three easy-to-remember passwords across multiple online accounts. Or maybe they’re still using weak passwords like “password”, “qwerty”, or “123456”. They’re only human after all, and even the most tech-savvy humans are known to commit some of the biggest password offences.

Facebook CEO Mark Zuckerberg was hacked following a LinkedIn breach earlier this year. As you might have expected, Zuckerberg’s LinkedIn password was recycled across several accounts, granting hackers full access to sensitive information. What’s more surprising was that his password was “dadada”. This six-letter sequence ignores all the lessons of password best practice. Twitter CEO Jack Dorsey’s password “nopass” was no better.

Strong password management

We cannot emphasise enough the importance of strong password management. Having employees set long passwords that employ a combination of:

  • numbers,
  • upper and lower case letters, and
  • symbols

This can make a world of difference in data security. But setting a strong password is only half the battle.

Employee training

Train your employees to use a different password for every account, or better yet, encourage them to install password manager software like LastPass or Dashlane to eliminate the hassle of remembering hundreds of passwords, one for each service.

A business can improve its cyber security by installing antivirus software and intrusion prevention systems. However, safeguarding company data is a shared effort. Managed services providers are in charge of installing secure cloud and network security systems, but your employees are responsible for making it more difficult for attackers to gain access to your data.

Despite your organisation’s best efforts, hackers can and will use any means to breach, corrupt, and steal your data. They’ll usually attack your weakest security link — your employees. But with a comprehensive approach to employee training, mobile device management, and some guidance from the team at Empower IT Solutions, your attackers will regret the day they underestimated your business. Get in touch with us today to turn your greatest security weakness into a security asset.