Cyber crime costs to the world will double in a six year period ending in 2021.
More reports of attacks give rise to a gnawing sense of inevitability. As leaders in the fight, there is only one strategy that safeguards our companies. Inevitability must promote “Response-ability.”
The Biggest Catalyst to Response-ability is Compliance.
Internal compliance drives adherence to the practices, rules and regulations set forth by internal policies. External compliance follows the laws, regulations and guidelines imposed by governments and agencies.
Compliance requirements are numerous, and the legal team and C-Suite Executives are responsible to determine the scope of compliance. Compliance officers and staff are a growing requirement. Technical, procedural and strategic frameworks must be built to assure your company’s integrity.
Behind the pressures, costs and potential fines that surround your compliance, the public is demanding more of you as the steward of their information. 6 of 10 people would blame you, not the hacker, for lost data. 7 of 10 people said they would boycott a company that appeared negligent in protecting their data.
Here are a few pressing challenges to compliance:
Companies now must have strong policies and technical controls in place, such as mobile device management protocols that exist, and by enforcing device lock passwords and time-based, one-time based passwords. Employees with laptops and devices should be provided security policies and prevention mechanisms, as well as secure access to corporate data.
IT Managers must ensure that your organization is current with software updates and that they immediately patch known vulnerabilities. Last year alone, the number of third party vulnerabilities doubled.
Also last year, 63% of data breaches originated directly or indirectly from third-party vendors. Managing vendor information security and vendor compliance with privacy laws is a major and essential undertaking.
Cyber Insurance is Response-able.
And it’s being responsible in advance of the need. Cyber insurance not only covers legal fees, but typically expenses associated with notifying customers of a data breach, restoring personal identities of customers, recovering compromised data and repairing damaged systems.
Purple is Response-able.
Borrowed from military language, Red Teams exist to attack your cyber-security systems and to expose points of weakness. Blue Teams defend, enforcing the security measures you have in place. The buzz of the day is the Purple Team. The Purple is either a make-up of both Red and Blue teams in which participants form a learning community for the sake of the other, or an outside group brought in to examine the tactics of both teams and make recommendations. Ideally, Red and Blue Teams exist not in competition to the other but as complement, holding the security objectives of the company as the standard of each team’s success.
The greatest detriment to your response-ability is lack of clarity on what you need or don’t need. Outside eyes continue to be the best check and balance for CIO’s. Without third-party, unbiased expertise, you will not possess the confidence you need that the compliance, policies, insurance and Purple evaluations are sufficient and efficient for your situation.
Board members are becoming increasingly aware of their own accountability and risk in the event of a cybersecurity breach. By 2020, 100% of large companies will be asked by the Board to report on cybersecurity, an increase of 60% in four years.
What boards are not asking for is a lot of detail they will not understand and that will just cloud their ability to make good decisions on your behalf. Instead, I recommend shaping the board around three important mindsets which I treat as building blocks.
Building Block 1: Cybersecurity is about Risk
The risk is no longer just an IT issue, but an enterprise issue with costs and penalties at every level, from company mission and profit, to employment, and to financial and legal consequences.
Risks are proportionate to threats, vulnerabilities and consequences.
Therefore, boards need to be informed about
Building Block 2: Cybersecurity is about Risk Mitigation
Mitigation is about reducing the threats, vulnerabilities and consequences your company faces.
And it starts with the Board. Often overlooked is their own vulnerability. The Board is privy to a lot of information, much of it confidential, and much of it being communicated on their own devices. Security measures need to be in place for them that reflect the policies and procedures of the company.
By extension the Board needs to be aware of how training and education is implemented and practiced among all employees.
Building Block 3: Cybersecurity is about Risk Mitigation Strategy
A number of boards are now discussing the value of having a cybersecurity specialist on the board in order to bridge the gap between the board’s lack of knowledge and the increasing expertise they must have in front of them. In the least, they must address who in the company reports to them. Ideally, it is the same person each time. Boards are increasingly aware of the time they must now give to cybersecurity issues in their meetings, and to being able to understand these essentials:
The CIO that builds these into the working knowledge of the Board will find a Board and CEO ready to build back into them and the IT needs the CIO represents.
Which of these has been most critical in your own work with boards? Tell us below.
Can you really have faith in everything that’s on the internet? Of course, not. But, that being said, company leaders need to put an awful lot of trust in their employees, the people they’ve hired to manage their network, and the infrastructure and reliability of the network itself. But, if you’re expected to trust so many different factors revolving around your business, while also being told not to be too careful to trust everything else — like WiFi connections or suspicious emails — then how can you navigate your way around all this?
These days, having someone to vouch for you, or having someone vouch for the people you’ll be working with, is one of the oldest, yet most reliable ways to secure your network and your company. Going off of that, it’s equally important to have extra eyes helping to look out for your company at all times.
If the Dark Web does it, so can you?
If you’re familiar with the Dark Web, “trustworthy” wouldn’t necessarily be the first term you would use to describe it. But, believe it or not, sellers on Tor need to be verified for the authenticity of their products as well as themselves as users before being able to complete a transaction. This is done by having current members introduce new members through a system of vouching. Without this, you can’t get onto the site.
So, if the Dark Web relies on some form of vouching in order to be able to trust their users, then surely large companies should be doing something similar. It’s not enough to just have certain cybersecurity protocols in place — although, those are important as well. If you can incorporate a system of vouching along with placing outside eyes wherever you can, then you’ll be protected in ways that machines can’t protect you.
Apply this system to vendors and employees
Of course, companies find ways to vouch for people, too, similar to how it’s done on the Dark Web. When we hire someone, HR usually asks for references, recommendations, and will maybe even do some snooping around on social media to get to know more about this person. The same goes if you’re working with third-party vendors or onboarding and offboarding part-time employees. You need to know who you’re going to be working with. You can go this route, but you can also ask around to see who else has worked with the people you’re planning to work with. These days, it’s very easy to check a person’s or a company’s reputation online, so you can take advantage of this.
Hire someone to look out for you
If your Facebook account gets hacked and your friends find out because they are getting spam messages from you, it’s likely that one of those friends will notify you of this so that you are aware. In a sense, this is a form of informal (and free) cybersecurity. You’re too busy running things at the company to be concerned with staying on top of security, employees, networks, risks, etc. Therefore, hiring managed services to help you keep an eye on things internally and externally can help ensure that nothing fishy comes up.
Down to checks and balances
This idea of vouching further enforces the notion of checks and balances in a company who cares about its cybersecurity. A managed service provider checks the IT team, the IT team checks HR, the company checks the employees, and vigilant, trustworthy employees can keep their eyes out for the company. While a professional certainly helps handle this process at the expert level, it never hurts to rely on people you trust to keep things in balance.
No company is immune to a data breach. These days, no matter what industry a company falls under, there is always the risk of something happening. If companies aren’t taking the proper measures to manage their networks, a data breach can really set a company back, if not taking it off the market completely. Because of this, more and more companies have realized the importance of investing in an outsourced CIO to help prevent problems from occurring. Why, is it then, that we are seeing continuous data breaches in the healthcare industry, and why are the problems not being solved?
Well, it’s not so simple, and there may be several reasons as to why the healthcare industry is experiencing more data breaches than ever before.
In order to really understand how data breaches are impacting the healthcare industry, one would need to look at the actual numbers. According to the annual HIMMS Cybersecurity Survey, 75% of the 239 healthcare respondents surveyed reported that their organization experienced a “significant security incident in the past 12 months.” What’s interesting is that 96% of those respondents said that the organizations were able to identify the threat actor. But, as more than half of these respondents reported that their organization has a clearly defined budget that is allocated to cybersecurity and are seemingly on top of their network, it makes people wonder why these data breaches are continuing to happen at such high rates.
Despite the fact HIPAA laws are in place to protect patients and healthcare employees, it’s been proven that there’s only so much that can be done in order to protect hospitals and doctors’ offices against data breaches. Hackers may have certain inclinations in mind when it comes to installing Ransomware or Malware on a medical facility’s network, and you can’t really blame them. Because a patient’s data is so sensitive, and because almost all records are now kept digitally, these hackers have a lot of leverage when it comes to getting what they want. If hospitals don’t have a way of backing up this information, or they are afraid of it getting into the wrong hands (one of the biggest concerns), they will certainly feel the pressure to pay up.
Of course, as we know, it’s not only hackers that are to blame for data breaches. According to this HIMMS Cybersecurity Survey, 20% of the respondents said the attack came from a negligent insider.
So, what’s the deal? If healthcare industries know that they are a target, and they know that healthcare data breaches are one of the main threats we are seeing today among relevant industries, then what’s going wrong? Why can’t something change in order to put a stop to all of this?
Well, according to HealthIT Security, the problem is that there isn’t a standard cybersecurity framework that’s being utilized across the board. When these healthcare industries aren’t on the same page regarding this issue, then it makes sense that more breaches continue to occur.
Unfortunately, just talking about what needs to be done isn’t going to help the thousands of healthcare facilities that are experiencing data breaches this year or even this month, especially when many hospitals, insurance companies, and doctor’s offices are still each using their own software and computer systems.
At this moment, healthcare companies should be doing everything in their power to keep their own network secure. While one way to do this is, of course, by implementing a solid network management plan, the absolute best way to go about this is through hiring an outsourced CIO. This will not only help to prevent data breaches coming from the outside, but it can also help stop data breaches that happen internally. Additionally, a CIO can help implement a reliable backup and disaster recovery system to protect the patients’ information as well as protect the medical facility from risk.
Cybersecurity is a huge concern for all businesses. Companies understand that they need to prioritize their security methods in order to ensure they don’t experience major losses due to a potential data breach. Despite major headlines that have repeatedly demonstrated the impact these hacks have on companies, recent studies have found that people are still not as prepared as they need to be in order to mitigate such risks. While these companies may be confident saying that they believe in their organization’s ability to manage cybersecurity internally, according to the data, that doesn’t seem to be working (or entirely true).
Even companies who have the best IT teams and equipment understand the need for an outsourced CIO to handle cybersecurity, as well as other managed services.
Many Risks are Internal
One reason that companies are unable to mitigate all the risks is because they are simply looking in all the wrong places. Every time we learn of another major breach, it doesn’t take long to discover that it happened due to something internal. Perhaps a firewall wasn’t updated, an employee used their personal unsecured device to access work, or the network infrastructure the company is using isn’t being maintained properly, leaving gaps all over. Companies don’t want to admit that they are a risk to themselves. And, even if a breach came from elsewhere, the fact that a hacker could get in is usually the company’s fault.
To fix this, an outsourced CIO can come in, take a look at your systems from an outsider’s point of view, and do what they need to do to patch it up.
Everybody Needs to be Vetted Before Being Onboarded
If your company hires contractors, partners, or interns to work with you, they will likely be given access to the company’s network. And, the more often you’re onboarding “strangers,” the easier it is for one of these people to let in a breach. Typically, it’s unintentional, but there are times where perhaps an employee who was recently let go seeks to take some kind of revenge on the business.
However, with the right network infrastructure (these days, it’s the cloud), security is placed on identities themselves, provided for new or temporary employees. When this is set-up by a managed service provider, HR and IT follows the process and works together with the outsourced CIO to prevent any leaks from occurring. Of course, proper vetting of the individual is necessary before providing them with company access as well.
Because Your Day to Day Job Doesn’t Involve Monitoring Security Risks
In general, 70% of respondents off the Marsh-Microsoft Worldwide Cyber Perception Survey reported that their IT departments are in charge of making important decisions about the company’s network. A lot of these decisions naturally have to do with the network’s security overall. As a business leader, this definitely isn’t your department, so you’re counting on the individuals over in IT to make the right choices. But, believe it or not, IT shouldn’t really have that kind of say, either. Their job isn’t just calling the shots on security measures.
While cybersecurity is certainly a task that involves a little work from everyone in the company, it takes a little more expertise than that. An outsourced CIO can help assign appropriate roles to each employee to make sure everyone is doing their part. Additionally, companies who have moved over to a cloud infrastructure are likely to face fewer risks, too, as cloud technology manages many risks on its own.
The Costs Alone Aren’t Worth the Risk
According to Business Insurance’s breakdown of the survey, 40% of respondents who reported a data breach in the last 12 months said that the worst-case scenario lost them $50 million or more. Out of that number, only 19% revealed “they are highly confident in their organizations’ ability to mitigate and respond to a cyber attack.”
With that much money at stake, it doesn’t really seem worth it to take your chances. As a C-level leader, if you’re not totally comfortable in your company’s ability to mitigate such risks, then it’s time to find someone you can trust who can.
Cybersecurity is hands down becoming one of the most talked about issues today. Companies nowadays have to put their security before anything else they do, and this can be a costly venture if not done correctly. While one aspect of managing security involves hiring an unbiased third party to take care of it, it’s also important to know what you could be doing for yourself and your company to keep everything that matters secure. Each year, the cybersecurity conversation is constantly changing, though, due to the ever-increasing sophistication of data breaches that we typically see.
These are the security issues you want to pay the most attention to as 2017 comes to an end:
1) Machine Learning
It may not be Judgement Day yet, but we might be well on our way to the land of the “Terminators.” Machine learning is happening fast, and next year we will have technology that doesn’t need to be programmed to learn a new task. Sound scary? Well, the implications machine learning can have for people with bad intentions looks good for them, and very bad for everyone else. Hackers out there with such intentions can use machine learning to their advantage.
2) Digital Baggage
Remember all those Facebook photos you posted back in college? Okay, maybe you didn’t grow up during the Facebook age, but if you have children now that are online, it’s something you need to know. That’s because 2018 will be a year where we discuss “Digital Baggage” in terms of cybersecurity. These days, minors can essentially post whatever they want online, and there aren’t too many regulations in place to stop it. While some parents are very cautious with this, most are too busy to pay too much attention. Regardless, anything that you post online can have the potential to hurt you later on. Next year, companies will start looking into this when it comes to hiring new staff or getting rid of employees they already have.
3) Biometrics and Serverless Architectures
Technology is continuing to expand into realms that we have never seen before. Next year, we’re likely to see biometrics — such as face and fingerprint scanning — be incorporated into device verification. We will also start to see more serverless architectures which are apps that can be built without having to host them on a managed server.
What do these two things have in common? Well, whether it’s the ease of use, low-cost, or user-friendly interfaces, biometrics and serverless architectures are pretty attractive. However, while they seem to be some of the most secure methods out there, there are still some inconsistencies and questions being raised. For instance, how secure really is a face scan? And, aren’t serverless apps immune to DoS attacks?
4) Wireless Breaches
We are in an era now where everything is connected. You may have heard it described as the ‘Internet of Things.’ Pretty soon, things like smart homes will be the norm. We will be connected in every aspect of our lives, on every device possible. As we already know, Wi-Fi isn’t always as secure as we want it to be, and the more connected we become, the more we need to pay attention to our security on each of those devices.
5) A Closer Eye on Companies
It seems that no matter how many times big companies make headlines for data breaches, we still continue to see this happening in the news over and over again. Because consumers rarely read privacy regulations (often checking off the “agree to terms” box to get to the next step), companies tend to cut corners and take advantage of this in order to save themselves money. At the same time, companies who do experience data breaches seem to think that ignoring it or covering it up will keep customers on board. Unfortunately, after what we’ve seen with Yahoo!, Uber, and other companies, the more they’ve tried to hide it, the more they’ve made the problem worse.
Next year, you can be sure that there will be more watchful eyes upon companies when it comes to their cybersecurity. And, these watchful eyes won’t just be from auditors, but from the customers themselves. Therefore, the more you make security a priority, the better off you will be.
In 2018, anything involving data, machines, Internet, etc., will certainly have more streamlined processes. However, it’s important to keep in mind that there are two sides to everything. What’s easy in one aspect could be a nightmare in other aspects, in this case, security. Get ahead of the game and know what to look out for next year so you’re company is prepared.
Data breaches can happen to any company. No matter what industry you work in, there’s always a threat out there. While companies can be doing a lot to stop a breach before it happens, they sometimes have to learn the hard way that they’ve made an error somewhere along the line.
But, it’s not always what companies do before a breach happens that’s a problem. Sometimes, it’s what they do afterward that results in more serious problems long-term. However, if companies can be aware of what mistakes they can make following a data breach, then they can do a better job of cleaning up the mess and getting back on their feet.
Of course, if you ignore this advice, then you could be making things much worse:
Trying to Keep it Quiet
When a breach happens, there’s no doubt that it’s embarrassing. You’re well aware of what people will say about your company, and that some customers may decide to stop buying your products and services altogether. But, it’s always important to remember that honesty is the best policy. And, in today’s world, if you fail to be honest, people will eventually find out anyway, and wonder why you didn’t come forward in the first place.
We’ve seen it in the headlines with major companies. Equifax, Target, Yahoo…all of these companies waited quite some time before reporting the breach to the news. Uber failed to say anything at all. But, often times, the public beat them to it, leaving customers asking, “Why?”
If consumers know about the breach, they have time to call their banks, change their passwords, and secure their information. Most people are also understanding that breaches happen. What they can’t understand is why the company would waste any time in helping them their consumers protect their data.
If your company experiences a data breach, inform relevant parties ASAP. If you’re still waiting for information, you can let your customers know that you will give them more details as soon as possible. Of course, having a protocol in place to deal with this is very important.
Not Giving Correct Information
Perhaps what’s worse than trying to cover up a breach is giving the wrong information about it. While you should give a press release as soon as you can, it’s never okay to jump to conclusions and then report those conclusions to consumers. Instead, you can say “We’re waiting for more information at this time,” instead of flooding the media with information that isn’t necessarily true. Many major companies have done things like this on various occasions, leading to more confusion and questions that could have been avoided.
Trying to Protect Your Reputation and Taking it Too Far
In addition to keeping a breach “hush-hush,” companies also make the mistake about fretting over their reputation too much. And, as we’ve all learned, sometimes putting in too much effort in anything has the opposite effect.
For instance, back when the Yahoo breach happened, CEO Marissa Meyer did not inform users to reset their passwords. She was too concerned that this would “annoy” customers when instead, it could have protected them. Additionally, when the Equifax breach occurred, the company profited off of consumers by giving them the opportunity to freeze their report for a price. Before that, they told consumers that they’d get a year of free credit score reports if they waived their right to sue the company.
If you experience a breach, there are always going to be consumers who have something negative to say about it. But, as long as you follow protocol, the consumers that are loyal to you will appreciate your cooperation and not let the breach ruin the relationship they have with you.
Not Owning Up to Your Role in Causing the Breach
Although we know a breach can happen to anyone, the truth of the matter is that most companies can prevent a breach – or, at least minimize the magnitude of that breach – if they really wanted to. It’s also important to recognize that many breaches are a result of human error within the company and not external threats. Company leaders who fail to come clean and give a public apology for the breach, regardless of whether or not they actually had a role in the matter, are causing more damage long-term.
So, bite your tongue, apologize, and make sure whoever or whatever is responsible for the breach is held accountable, only after you’ve said your “sorry.”
If you can avoid these mistakes after a breach occurs, you will be better off.
Any individual or company who wants to follow best security practices understands how important it is to make sure any passwords used are strong and hard to break. In addition to that, people try to utilize two-factor authentication whenever possible and are starting to stray away from sites that don’t offer this. However, as people are taking their passwords more and more seriously, it’s getting more difficult to remember all those passwords.
Password managing software, like Dashlane, has helped to find a solution to the “forgot my password” problem. At first, many people are skeptical about using it, and we don’t blame them. With all your passwords stored in one location, doesn’t that make it riskier?
If you’re considering using a password managing software, it’s good to know what you’re getting yourself into. So, here are some basic facts and how we feel you should move forward.
Websites like Dashlane have a variety of different features that keep it secure. First of all, your master password doesn’t get stored on the servers. That master password is the only key to your closet of passwords. Beyond that, each individual password you have on there is encrypted, so if a hacker really wanted to know your information, they’d have to decode each one separately – and that would take a really long time. Therefore, there’s no possible way for all of the passwords you have stored to be decoded – at least, not all at once.
Additionally, companies like Dashlane use some of the most reliable servers, such as AWS, which scatters data in a lot of different places. This means that if you were to visualize where your passwords are sitting in cyberspace, they aren’t in a room that’s labeled “John’s Passwords.” They are split up with other users’ information, too.
Lastly, these companies are generally working with cybersecurity providers on a constant basis so that security is consistently being audited.
Unlike other websites, your master password for a site like Dashlane is unique. As mentioned before, it’s not stored on their servers. There are no password hints given, and once you create a master password, it can’t be reset if you forget it. This is to keep tricky hackers out there from easily resetting your password so they can then have access to everything else. Of course, these password managers also ask you to create a very secure password using a combination of letters, numbers, symbols, etc. – and, generally, won’t approve your account until the password is strong enough.
There are a lot of proactive individuals and companies needing to utilize password managing software but are worried that the consequences of a hack are much worse than if just one password happened to be revealed. That being said, it seems as though that these managers are doing everything in their power to keep your information as secure as possible.
Does that mean it could still get hacked? Well, these days, it’s not impossible. But, it seems very, very unlikely.
If you’re still hesitant, one of the best ways to keep your passwords safe is the old – fashioned way; in a notebook, locked in a safe. Still, it’s also important to practice safe password protocol, and if you do use a notebook, make sure absolutely nobody untrustworthy has access to it!
There’s no clear answer about how secure password managing software is, so, at the end of the day, it’s up to your discretion. And, best security practices are constantly changing, so just make sure you stay up to date.
When people want to feel safe in their home, they take security very seriously. They move to a safe neighborhood, get some kind of security system set-up, and maybe even get an additional form of self-protection, whatever that may be.
But, in today’s world, there are other ways for bad people to infiltrate well beyond your household walls – and it’s all done through the Internet. Your Internet security is just as important as your physical home security, because you need to be protected from the dangers that lurk in cyberspace – as silly as that may sound.
One of the easiest and most effective ways to do this is by downloading a VPN on your network. It may seem as though a VPN is only necessary for businesses or people traveling abroad, but that’s not the case. If you use WiFi in your home, you’re just as much as a target as a major company – if not more.
Keep yourself safe, and consider utilizing a VPN for your remote access network.
VPN stands for “Virtual Private Network.” It’s a way to access the Internet through a private, secure connection, and it’s also a way to share information over the Internet while remaining protected. You could think of it as a firewall that protects you while you’re online, and stops hackers and viruses from getting in and taking your information.
If you need a little help visualizing how it works, it’s nice to think of a VPN as a “tunnel” – a tunnel that leads you right to where you’re intended destination is, without risking any detours, leaks, traffic jams, or accidents (hacks) along the way.
There are plenty of VPNs you can get for free online. However, some of those can slow down your connection and, in general, aren’t as useful or reliable as paid VPNs.
Why Everyone Should Use a VPN
Nowadays, people need to protect their business online just as much as they protect their physical, household possessions. The Internet can reveal a lot about an individual, and when that information gets into the wrong hands, you can find yourself in a lot of trouble.
As it is, people could be doing more to protect themselves online, like practicing better password strategies or staying away from harmful URLs. Adding a VPN is another layer of protection on top of all that.
Whether it’s to guard your private messaging conversations, hide your location from those who don’t need to know it, or even streaming your favorite TV shows at top speeds, everyone can find a good reason to use a VPN.
When and Where to Use a VPN
There are really no rules when it comes to when and where a VPN should be utilized. As we mentioned before, it certainly won’t hurt you to use a VPN at home when you’re accessing the Internet over WiFi. However, one could argue that a VPN is best utilized when you’re accessing a public WiFi network that is not trusted (perhaps at an airport or a cafe).
Additional Benefits of Using a VPN
One of the most important benefits of using a VPN is that you can do what you need to do online without having to worry. Whether you want to access your online banking, book a trip or make a purchase, apply for a mortgage, or stream a live event, a VPN lets you do all of this as safely as possible.
But, besides security reasons, using a VPN also has other benefits. For one, it helps you access certain websites from abroad, especially if those sites are unavailable in your location. For instance, if you’re traveling in a country where a website like Paypal or an app like Venmo isn’t yet available, a VPN can help you access it without any issues.
So, based on all this information, why NOT get a VPN?!
Though company leaders would like to believe that their own employees wouldn’t do anything to put the company’s security at risk, sometimes, these employees are actually the most likely suspects. Though we tend to think data breaches are only caused by malicious hackers, usually, those aren’t the people you need to worry about. That’s because most of the potential problems are being caused by the people sitting right in front of you every day.
So, are your employees ignoring security measures deliberately? Probably not. But, they could be avoiding telling you about a cyber-security incident, that could ultimately result in a major loss for your company.
So, if it’s just a little mistake, why are these employees not saying anything? And, as a leader of your company, how can you get them to speak up so you can stop the problem in its tracks?
5 Reasons Employees are Causing Data Breaches and Not Saying Anything
Typically, one of the biggest reasons an employee won’t tell you about a data breach is the same reason no human likes to admit he or she is wrong. After all, why bring attention to something when it might not be a big deal after all? This mentality, along with other things, is putting companies at major risk, resulting in huge losses that could have otherwise been avoided.
Besides that, there are other reasons why employees don’t say anything.
1) They’re scared of losing their job.
These days, companies have strict rules in place when it comes to their employees correctly managing the equipment. If employees are held accountable for a data breach, it’s certainly not the kind of news an employer wants to hear. Therefore, employees are under a lot of pressure and thus afraid of losing their job if they put the blame on themselves.
2) Policies are too loose and employees are taking advantage.
If your company has a BYOD policy or you have a lot of remote workers accessing the system from all over the world, you’re already at risk. If that device is not solely for work and thus lacks the proper security on it, you’re at risk of a data breach whenever that person uses their device at home, at a cafe, or while traveling. Don’t let your employees take advantage of your leniency, because once a BYOD policy is implemented, it’s very difficult to supervise.
3) They were uninformed or unaware that they even did something.
Perhaps an employee made a security error, but they didn’t even know they did. With technology being so advanced, even the best and most skilled employees may not be too read up in the IT department. In many cases when there’s a data breach, it’s very likely the person who is at fault isn’t even aware that they are. All employees need to have basic knowledge when it comes to protecting your company’s security.
4) They were actually careless.
While in most instances we want to believe that a potential cyber breach was really just an accident, we know that’s not always the case. There are employees who don’t follow guidelines and are quite careless. And, if that is what happened, that’s not something an employee is going to be so willing to admit.
5) They were doing it intentionally.
It’s hard to trust any one 100%, and when that one untrustworthy person has access to your company’s most sensitive data, there’s always a chance that you’ll receive an unfortunate surprise; that someone you hired has been intentionally stealing your company’s data or hacking your systems to their own benefit. As scary and unlikely as this may seem, it has happened before, and will continue to happen if employers aren’t more diligent.
How to Prevent Employees from Causing Serious Breaches
The first step in making sure your employees don’t cause a data breach is by screening employees before they start working for your company. It may seem obvious, but you don’t want any suspected hackers slipping through the cracks.
If your employees are all deemed trustworthy but you still want to prevent them from accidentally causing a breach, start by implementing strict security standards in the office. Make sure new employees are aware of how to use the systems securely and update current staff regularly. Secondly, make sure your employees feel comfortable letting you know that they may have made some kind of error. If they feel worried about losing their job, they aren’t going to be willing to talk. But, encouraging them to speak up and assuring them that it’s the right thing to do, will save your company from any serious breaches and leave your employees feeling secure in their job.
Additionally, it’s your job as a company leader to make sure you implement specific instructions given to you from your outsourced CIO. For example, if your CIO strongly advises you against using a BYOD policy, then listen. Most of all, make sure your CIO is doing their job of keeping your company’s security safe above everything else, and it will be much easier to prevent problems from happening altogether.
Don’t have time to worry about your employees making an expensive mistake? Your CIO will take care of that.