We all know that sometimes – despite our best efforts – data disasters just happen. But there are also potentially some employee behaviors putting your business at risk, and it’s important to identify the things that can be done to reduce the poor behaviors that threaten your network.
The good news for cyber-criminals (bad news for the rest of us) is that predictably poor user behavior and habits account for much of their success.
Whether it’s an engineer inadvertently building a vulnerability into a piece of software, a user clicking on a bad link, using a weak password, opening an unverified attachment or falling for a phishing attack, hackers are happy to take advantage of the opportunities these errors present. After all, going in through the open door is much, much easier than breaking down that wall of ones and zeros!
So what’s the takeaway?
It’s simple – don’t put so much focus on the technology itself that you fail to factor in the human element. For one thing, no technology is foolproof. (Sometimes your spam filter is going to miss that malicious email.) Secondly, technology alone can’t protect you against an employee’s bad judgment.
Yes, your business runs on technology. But it also relies on human judgment to step in where technology doesn’t fully solve the issue. Which means that it’s important that the humans who are making judgments on behalf of YOUR business are aware, educated, trained and fully supported.
In short, you want to pay attention to counteracting the employee behavior that is putting your business at risk. These behaviors include:
Putting things off until a “better time”…which then never comes along.
Everyone is busy. But constantly re-prioritizing everything else above implementing an important security update or measure is risky behavior. And it's only a matter of time before your business' luck runs out.
We see this all the time with small and medium businesses that have one IT professional (or a small team) trying to do it all. They are usually drowning in daily IT emergencies and password resets, which leaves little to no time to work on the "big picture" stuff.
It's certainly true that they will know it needs to be done, but freeing up the time to implement, and then stay current with, all of the components required for modern network security is another matter.
Even riskier is going without any type of dedicated IT support and relying on employees to push those security patches and updates on their individual workstations.
So what's the fix?
In this case, it's simple. Stop looking at cybersecurity and network security as just an IT problem and recognize that it's part of your overall risk management plan. And then allocate the resources that it deserves.
Your busy IT Director isn't always going to let on that he or she is overworked either, so a proactive approach is necessary to solve this.
(Lucky for you, we have a turn-key solution for this. Click here to learn more about our managed IT services solution, which is a great way to offload much of the day-to-day IT maintenance, freeing up your IT staff to work on strategy, forecasting and other big picture stuff.)
Not knowing (or truly understanding) the risks.
Like it or not, your end-users are being targeted on a daily (probably hourly) basis with various phishing campaigns, just as one example. There are also plenty of malicious pop-ups and websites just waiting to be clicked on!
So if the people on your team don't know what to look for, what to avoid, and what should throw up a red flag, it's just a matter of time before the Nigerian Prince has persuaded someone to click that malicious link.
The solution here is pretty clear - make it a point to educate and train your end-users. This includes every single member of your team who has access to a computer.
Having a data breach is bad enough...having one because Andrew from accounting didn't know not to open up the attachment in that vaguely worded email is only going to make it that much worse.
So do everything you can to create a culture of cyber-awareness, and train your team regularly so that they become a part of your defense network instead of your weakest link.
For help in that effort, visit our Cyber Awareness Resource Center! There you'll find free downloads with security-related tips and training information, webinars, and articles on this important topic.
Knowing the risks, but ignoring them.
This type of apathy is common. Employees often share passwords with their colleagues or ignore password best practices (there's a reason that "123456" is AGAIN the worst password of the year!), even though they know better.
They either don't really care or just don't believe that it could ever affect them. Or maybe the pain of using a stronger password trumps the concern they have for the company's network.
It can result in an employee letting curiosity get the best of him/her and clicking on that "too good to be true" offer or clickbait headline, even though they know that it might just be malicious.
Another way this behavior affects you is when employees go outside of the approved channels to download apps or tools that haven't been verified. Sure, they're most likely just trying to find a way to get more done, but actions like accessing the network from an unsecured home wi-fi, or downloading and using a third-party app that hasn't been reviewed, do carry a certain level of risk.
These types of actions are the reason human behavior ranks as a major cause of data loss and data breaches. Though they are usually unintentional, the consequences are the same.
You need to address this in numerous ways.
One is through continuing education and training, making it clear that the consequences of this type of action could very negatively affect every single employee.
But you should also make sure you have proper administrative controls in place (such as following the principle of least privilege), that all of your data is properly managed with backups, that passwords must be strong and expire on a regular basis, and that all of your software and operating systems are always up-to-date.
You should also make sure that your employees know what to do in the event they DO click on a malicious link, because how quickly you react once an attack occurs is important too.
Not admitting when help is needed.
This is closely related to the first behavior, but still worth mentioning separately because of the risk it creates for your business.
Again, we're mostly talking about (overworked) in-house IT professionals here, but it could also be the HR Director or Office Manager who manages the network by default, despite that not being their primary role.
It could also be a business leader who is stubbornly refusing to admit that it's time for better IT management.
Who is behaving this way may vary, but the behavior is the same: instead of admitting that more support is needed for proper technology management, they will act as if it's all completely under control.
The problem is that it's the security of your network and your data that suffers when an employee (or a leader) is unable to ask for help - either due to pride or fear of being replaced (or both). And with how rapidly technology changes and the increasing cyber-threats that every business faces, it's critical that whoever is managing your IT understands all the ins and outs of modern best practices and how to keep you safe.
(This is yet another reason why a managed IT services solution is ideal for small and medium-sized businesses. You get a full team of IT professionals who are trained in the latest IT practices and who know modern technology. Want to talk about your IT? Request a call and we'll reach out right away, or get a quote right now!)