When talking about IT-security, the first thing people think of is cybercrime and the measures the IT department has to take to protect their organisation against it. Of course I do not mean that IT-security is any less important, but I want to emphasize that there is a need for a critical look at the work floor. Where IT-security is concerned, people are the weakest link. In this article you will find the biggest internet traps employees fall into.
Recently, we at BIT organised the Safe Internet Bootcamp for over 100 IT managers and professionals. At this bootcamp we gave some useful tips and tools and showed which steps need to be taken to help employees be safe online. Recent research showed that 52 percent of employees think of themselves as the weakest link where the security of their work computer and sensitive corporate data is concerned. In addition, you cannot assume that they report incidents to the IT department. When they suspect they are the victim of cybercrime, only 15 percent notify the responsible IT person and 20 percent do so only occasionally. Shocking numbers that show that people are the weakest link in IT-security.
The same research shows that employees underestimate the persuasiveness of such emails. Over three quarters of employees say they immediately recognise a malicious email. Malicious emails are getting better and better, so they are becoming a bigger threat. Phishing emails are hardly discernible from real ones. At BIT, we recently received an email asking us to participate in a corporate day for IT students. They redirected us to a website or the enclosed document for more information. The website was not discernible from a real event website. The enclosed document, however, raised some concerns because it was an xlsm file. We would have had to enable macros to open the file, but we do not do that in our organisation. We asked the sender for another way to provide us with the information and we were told to enable the macros anyway or open the file on another computer. Naturally, we did not do this, and it turned out to be a test by Madison Gurkha that only our Security Officers knew about. A good example of how it all works and what to look for.
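The lesson from the xlsm attachment is that the decision should not rest on the file extension alone. As an added example (not code from the BIT article or from Madison Gurkha), the check below inspects an Office Open XML attachment for an embedded VBA project and returns a verdict a mail gateway or help desk could act on; the sample containers are constructed in memory and the filenames are made up.

```python
import io
import zipfile

# Office Open XML files are zip containers; a macro-enabled workbook, document
# or presentation carries its VBA code in one of these parts.
MACRO_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_EXTENSIONS = {"xlsm", "xltm", "docm", "dotm", "pptm"}


def has_vba_project(data: bytes) -> bool:
    """Return True when the container includes an embedded VBA project."""
    if not data.startswith(b"PK"):
        return False  # not a zip container, so not OOXML at all
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)


def classify_attachment(filename: str, data: bytes) -> str:
    """Combine the extension hint with content inspection into one verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_project(data):
        return "quarantine: embedded VBA project"
    if ext in MACRO_EXTENSIONS:
        return "review: macro-enabled extension but no VBA project found"
    return "allow"


def build_ooxml(with_macros: bool) -> bytes:
    """Constructed sample: a minimal zip mimicking an .xlsx/.xlsm container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_attachment("event-info.xlsm", build_ooxml(True)))
    print(classify_attachment("event-info.xlsx", build_ooxml(False)))
```

The same content check catches a macro-enabled file whose extension has been changed, which is why it runs before the extension test.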
It is not only the case that people overestimate themselves where malicious emails are concerned; they are irresponsible when it comes to passwords too. Of employees between the ages of 18 and 34, 63% reuse the same password for more than three logins. We all find passwords very impractical, but they are an essential part of IT-security. With a weak password policy or no policy at all, organisations expose themselves and their employees to risks. A leak in your systems will leave your employees and clients vulnerable on other sites as well. It is of the utmost importance that you make sure your employees know how to handle passwords. Enforce strict but usable password policies for people who have access to your systems. The balance between strict and usable is very important here. These policies need to cover guidelines for creating passwords, the way in which your employees store passwords, and what to do when passwords are leaked.
By now everyone knows that making back-ups is very important. Sadly, this goes wrong quite often. No less than 15 percent of employees never make a back-up of their corporate files. The IT department has to play a proactive role here and ensure that back-ups are made. It is important to know who is using which devices and where the data is stored (cloud services, mobile devices and/or portable media). But that is not enough. Setting up procedures and schedules, and knowing exactly what is being backed up, is difficult. By executing restore tests every now and then, you make sure the back-up is complete and restorable. Do the restore tests fail? Then it is time to change the back-up process.
Digital security is very important. This is partly a technical matter, but for the most part the responsibility lies with your employees. Employees who, accidentally or maybe even on purpose, leak corporate data can do a lot of damage to your organisation and your clients. So pay attention to the behaviour of your employees and make them part of the security policy in order to lower the risks.