Cybercrime has tripled since the beginning of the pandemic.
Working from home. Unprotected networks. Personal devices.
Security is simply harder to control with hybrid work.
A lot rests on your employees – even if you invest in employee cybersecurity training.
But especially if you don’t.
Let’s face it, you have at least one employee who uses the same password for their work account and their Facebook profile.
And that password is tragically “123456.”
Now get this: 64% of financial services companies have thousands of sensitive files open to every employee.
All it takes is for a cybercriminal to get (or guess) the password to any one of your employees’ accounts, and you could lose sensitive information and your clients’ trust.
Not to mention the potential lawsuits and other expenses.
Well, that won’t be you though, right?
That’s what we figured.
So today, we’ll talk in-depth about why employees are the biggest threat to your data security and show you what you can do to minimize the risks.
It’s worth highlighting the difference between intentional and unintentional employee behavior causing security risks.
We’re not pointing fingers and saying your employees are definitely up to something.
It happens. But most data breaches in professional services are caused by:
| Cause | What it means |
When it comes down to it, both malicious activity and employee negligence are dangerous to your company.
Here are some consequences you could face:
And these are real cybersecurity risks for small businesses as much as, if not more than, for big companies – because the big guys can afford all the tools to defend themselves, and hackers know it.
That’s why 43% of cyber attacks target small businesses.
So what about other cybersecurity issues? And aren’t hackers going to attack even if you take care of your employees’ habits?
It’s true – you can’t completely eliminate all vulnerabilities.
But there are a few things you need to know about modern cybersecurity threats:
The bottom line?
Monthly website maintenance is essential, but it’s not the end of the story.
Your employees are by far the biggest threat to your security and the one you should be focusing on to eliminate preventable breaches.
We’ll get to how in a second.
But let’s take a step back and see exactly what we’re dealing with here.
These are the main causes of security breaches:
Given that nonprofits, professional services, and retail are rated among the top targets for hackers, it’s worth reading how you might be making it easy for them.
It’s not just the switch.
It’s what the switch entails when poorly managed: insecure Wi-Fi, shared accounts, and unencrypted email.
For example, maybe Linda is aware of malware threats, never falls for phishing attempts, and knows better than to use a single password for everything.
But she shares an account with her husband, Larry. And Larry’s not the type to think twice about security – he’d give his information away for a coupon or some coins to spend in a game.
So now your sensitive data is at the mercy of whoever takes advantage of Larry.
Remote work is, by default, less under your control.
You don’t see your employees, and more importantly, you have little say in their environment, or often in the equipment and software they use.
Or their choice in spouses.
You depend on their personal security measures unless you educate them on the subject (we’ll get to that later).
Negligence is just that: not intentionally causing harm, but not caring or knowing enough to follow even some basic safety measures.
A compromised employee email account was the source of a data leak at People Inc., a large medical nonprofit, in 2019.
The leak involved:
Thankfully, the company managed to react on time and prevent the problem from spiraling further.
But what if they hadn’t been monitoring for breaches? What if they had waited a bit longer before changing the weak password that compromised their security?
The story could have ended way differently.
Shopify had such an incident where two (now ex) employees stole customer information from almost two hundred vendors in 2020.
Shopify’s share price fell by 1% over the following week.
This goes to show how easily company data can be misused and what a massive impact that can have on public perception of the company.
This is one of the more unpredictable insider threats.
Still, there are things you can do to mitigate the risk, and it’s worth stating that micromanagement is not the answer.
The key is probably closer to good hiring processes, solid security policies, and yes, employee cybersecurity training.
We’re not only talking about remote work.
Bring your own device (BYOD) is a trend that makes employees more productive in the office and helps companies save money.
But the use of personal devices brings its own safety risks.
For example, an employee could be using the notes app on their mobile device to keep track of different passwords, giving access to company records to anyone who finds it.
Or they could download a file with a virus to their device and spread it the next time they log into work.
It’s too easy.
This one is pretty straightforward.
If the device isn’t locked, losing it is a real security hazard.
There are steps you can take to protect yourself in case your laptop gets stolen or lost:
Your employees are probably not doing all of the above.
Maybe they’re looking at it as just a piece of hardware they can replace, so it’s on you to initiate the talk and make sure they are taking precautions for data protection.
A shared password carries a higher risk of careless mistakes than one known to a single person.
Simple scenario: Employee A forgets the password and asks employee B. Employee B sends it over in Slack.
Somebody gains access to either employee’s phone or Slack and the password is right there, up for grabs.
The problem doesn’t end there.
Because you don’t know who is using the account when, it’s hard to say if there’s unusual activity on it.
New device? Could just be a colleague.
Or an attacker.
It gives you less time to react and leaves you vulnerable.
Dropbox, Google Drive, and other cloud solutions are very useful for storage.
They’re usually well-protected, too, but the weak point is often the users’ end.
Your employees could be copying your files to their own storage, accidentally leaving them publicly accessible, or sharing them with people without your knowledge or permission.
Again, they’re probably not malicious insiders – they just don’t know it’s a big deal.
So you have to tell them.
The good news is that once you get your employee cybersecurity training sorted, most of these problems are preventable.
So it’s time we discussed what that should entail and how to execute it to perfection.
Investing in security software isn’t enough on its own.
For it to work, you need to teach your employees the benefits of using it – so they see it as a useful tool, rather than some annoying, time-consuming process being forced on them by management.
Don’t get mad at them for not knowing something you never taught them.
So, how do you approach the topic?
First, by acknowledging that it starts at the top.
Yes, your employees are the biggest threat to data security. And yes, they need to do their part.
But it’s your responsibility to bring up cybersecurity, stress its importance, and provide the tools and education they need to do better.
You need to help them understand their role in all that and how to keep you safe.
And you can take care of that in five steps:
Don’t worry. We’ll explain everything.
Don’t let this be one of those situations where everyone depends on one clever cookie to ask the question before they accidentally learn something important.
Talk about cybersecurity proactively and explain the consequences of a security incident:
People are much more likely to take you seriously if they understand why it’s important and exactly what could happen if they aren’t careful.
Most employees won’t intentionally break the rules – as long as they know they even exist, and why it makes good sense to follow them.
Then when you’re done talking… no you aren’t.
Employees want consistent, continuous education that directly helps them in their role. 80% of them believe regular courses are more important than formal workplace training.
In other words, they don’t want a singular lecture they’ll never revisit or information they don’t think they need.
That’s why employee cybersecurity training needs to become routine.
That and the simple fact that you’ll need to refresh their education as you iterate your security solutions and practices.
It’s best not to assume anything goes without saying.
People have varying knowledge and experience on the topic of security, but you need everyone to meet a certain standard to keep you safe – a single careless employee is all it takes for a breach.
You can’t afford to leave it up to chance. Here’s what you should cover:
And encourage questions to make sure you didn’t fail to specify important details.
For example, strong passwords or 2FA (two-factor authentication).
Pro-tip: don’t just toss an alien term like two-factor authentication at your employees and rely on them to figure it out – show them the ropes. Who knows, they might unknowingly be using 2FA already and just need help connecting the dots.
And just in case you’re not sure either (we’re not judging):
2FA is a system that requires an additional credential besides your password to make sure it’s really you who’s logging in.
It could give you a couple of options to choose from, like:
“Have a PIN sent to my phone” or “Send a confirmation link to my email.”
For example, here’s what that looks like when you try to sign in to your PayPal:
It can be really annoying – we know – but it’s a necessary extra layer of security:
60% of employees use the same passwords for personal and work accounts, and 67% of people use the same password for everything.
This is a huge security risk, as 61% of breaches happen due to compromised credentials.
It’s definitely worth explaining the benefits to employees. Just don’t go about it like some websites do:
“No, that’s a weak password. You need to add a number. Now it’s too short. Include at least one line from “Purple Rain” and donate your blood before proceeding…”
Otherwise, back to sticky notes they go.
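As an added example (not from the original post), here is a password check that addresses the two problems above without the composition-rule nagging: it refuses the shared and reused passwords that drive credential-based breaches, and accepts long, memorable passphrases. The blocklist, the user name `linda` (the page’s hypothetical employee) and the previously used password are all constructed sample data; `check_password` and `PREVIOUSLY_USED` are this example’s own names, not a library API.

```python
import hashlib
from typing import List, Set

# Constructed sample of passwords found on every breach list; a real deployment
# would use a large blocklist or a breached-password lookup service.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "letmein", "welcome1"}

MIN_LENGTH = 12


def _digest(password: str) -> str:
    """Hash so reuse can be detected without keeping old passwords in the clear."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed: digest of a password this user already uses on another company account.
PREVIOUSLY_USED: Set[str] = {_digest("Summer2020!")}


def check_password(password: str, username: str,
                   previously_used: Set[str] = PREVIOUSLY_USED) -> List[str]:
    """Return the reasons a password is unacceptable; an empty list means accepted.
    Length and blocklists replace 'add a number, add a symbol' rules, so
    'correct horse battery staple' passes while short or reused passwords fail."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password blocklist")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if _digest(password) in previously_used:
        reasons.append("already used on another account")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "Summer2020!", "correct horse battery staple"):
        verdict = check_password(candidate, "linda") or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Each rejection names a reason the employee can act on, which is the difference between a policy people follow and one they route around with sticky notes.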
You have to start somewhere. But with some due diligence and an expert in your corner, you can develop a bulletproof process to keep you protected.
And then you’ll tweak it…forever.
Yeah, it doesn’t sound too appealing.
But technological innovation comes with smarter, sneakier cybersecurity threats, which means you need to keep up with the best practices to keep them at bay.
Stay on the pulse no matter what.
But especially if you’re in a sensitive spot like shifting to a remote work environment – as we established, old systems won’t be enough.
By now, you’ve seen that employees are the biggest threat to data security and how you can get a lot safer by training them.
But they aren’t the only threat, so we still have a bit more ground to cover.
Here are the other, non-training-related solutions you shouldn’t forget about:
On why and how to implement them.
We mentioned unsafe third-party storage earlier, and it’s a real risk to your safety.
But the need for storage remains.
You can’t really blame your employees if they have to make do because you didn’t set up a proper system, right?
So again, be proactive:
And keep auditing.
You should take all the measures to prevent security breaches, but nothing can ever make you 100% immune.
So sleep with one eye open.
Get expert help and figure out your website maintenance together.
Regular reports, a good security program like Sucuri (we use it, by the way), and swift reactions to red flags will do the job, and that’s something an expert can easily advise you on so you can sleep peacefully.
If only you knew an expert…
The benefits of cybersecurity employee training are indisputable: you know everyone’s on the same page about security and the risk gets minimized.
Security awareness training is the foundation of your company’s information security. Just remember that you have to keep iterating it.
If you mentioned security to employees two years ago and one of them makes a mistake, that’s not a good enough reason to suspect malicious intent.
When you get that sorted, you can leave the more technical part to security teams with expert know-how in keeping your system secure.
A good package like State Creative’s website maintenance and security support can be highly effective at protecting your website, especially when combined with the right internal training and awareness programs.
Reach out if you’d like help, or keep learning about improving your website security here.