A recent study shows that employees are more of a threat to cyber security in a business than viruses.
Now we are not saying that viruses aren’t a serious issue. Whilst it is difficult to obtain a definitive figure for the costs, it’s fair to say they run into billions of dollars worldwide, and that’s without taking into account the detrimental effect on the reputation of companies who suffer from virus attacks.
Unfortunately, businesses often think that putting in place anti-virus software is all they need to do as far as cyber security is concerned. However, there is much more to it than that, and business owners and staff need to be smarter in the way that they work to prevent attacks.
A study carried out in October 2016 testing employee data privacy and cybersecurity knowledge revealed that 88% lacked the awareness to stop preventable cyber incidents. The 2016 State of Privacy and Security Awareness Report tested the knowledge of 1000 employees across the US.
The survey ranked users based on their knowledge of correct behaviours and awarded a risk ‘profile’: Risk, Novice or Hero.
16% of respondents exhibited behaviours that would have put their employers at serious risk and were given a ‘Risk’ profile.
A further 72% were given a ‘Novice’ profile – which indicated that they understood the basics.
Only 12% of respondents showed a strong knowledge of security and privacy and obtained the ‘Hero’ status.
Drilling down further shows some worrying results:
25% of respondents failed to spot a ‘phishing’ email with a questionable ‘from’ address and attachments.
Over 26% thought it OK to use a personal USB drive to transfer documents when working remotely.
Additionally, 30% of respondents failed to comply with their company’s social media policy and posted company-related issues on social media.
Coupled with the above research from MediaPro, a CompTIA survey in April of 2016 found that 52% of security breaches were caused by human error.
The problem is that most employees simply don’t understand the risks that they put themselves and their employer at each day.
I believed I was pretty savvy when it came to cyber security, but since getting into the IT industry and researching blogs like this I’ve realised that I can improve greatly.
As an employee there are some really simple things you can do to protect yourself:
Avoid simple passwords such as password123 (it still happens!) and create ones that have a combination of upper and lower case letters, numbers and symbols. Passwords should be 12 characters long, and you should never share them with colleagues.
Don’t use the same password for several different sites or apps. If your Hotmail account was compromised you don’t want that to mean that the individual has access to your Facebook, Twitter, or even bank accounts too!
Never open email attachments from sources you don’t know, and avoid responding to emails requesting sensitive information about the company or your colleagues. You should also pay attention to where your emails are going; make sure you review the ‘send to’ field before hitting send – especially if the email includes any sensitive data.
Do not use USB drives unless you have permission and these have been encrypted.
Lock your computer when you are away from your desk, even if you are only going to make a cup of tea.
If you see anything suspicious tell your line manager, IT department or IT Support Provider. Don’t be afraid to shout up!
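The password advice in the tips above (12 characters, mixed character classes, nothing like password123, no reuse across sites) can be turned into a check that an employer might run at password-change time or that a user could apply to their own choices. The script below is an added example written for this page, not something from the original article or from Your IT Department; the small denylist and the leet-speak substitution table are constructed for illustration and stand in for a full breached-password list.

```python
import re
import string

# Constructed sample denylist; a real deployment would load a full breached/common-password list.
COMMON_PASSWORDS = {"password", "passwd", "123456", "qwerty", "letmein", "welcome", "admin"}

MIN_LENGTH = 12  # the length the page recommends

# Undo the usual "leet" substitutions so that P@ssw0rd is recognised as "password".
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def _normalise(password: str) -> str:
    """Lower-case, strip trailing digits/symbols, then undo leet-speak.

    P@ssw0rd2024! -> p@ssw0rd -> password
    """
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(_LEET)


def check_password(password: str, other_passwords=()) -> list[str]:
    """Return the list of policy failures for `password`; an empty list means it passes.

    `other_passwords` is the set of passwords the same user already uses elsewhere
    (what a password manager would know), so reuse across sites can be flagged.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"fewer than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    # Check both the raw lower-cased value and the normalised one, so that
    # "123456" and "P@ssw0rd2024!" are both caught.
    if password.lower() in COMMON_PASSWORDS or _normalise(password) in COMMON_PASSWORDS:
        failures.append("resembles a common password")
    if password in other_passwords:
        failures.append("reused on another site")
    return failures


def is_acceptable(password: str, other_passwords=()) -> bool:
    """True when the password meets every rule above."""
    return not check_password(password, other_passwords)


if __name__ == "__main__":
    # Constructed examples: the page's own bad example, a leet-speak variant, and a strong one.
    for candidate in ("password123", "P@ssw0rd2024!", "Correct-Horse-Battery-9"):
        problems = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
```

Note that the complexity rules alone would have accepted P@ssw0rd2024!; it is the denylist with normalisation that rejects it, which is why a length-and-classes policy on its own is not enough.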
For employers too there are basic precautions you can take and these are generally around communication and education.
Put in place proper systems and policies and communicate these to employees. For example, make sure that employees understand what they can and can’t install on their computers; this can include plugging in devices like USB drives, tablets and phones.
Think about permissions. Decide who really needs access to databases, social media accounts etc. and only grant permission to those people that really need it. Also remember to change permissions (and passwords) when people leave the business.
Train your employees. You can start with the simple tips above, but you should also consider external training from your IT Support Provider.
Undertake the Cyber Essentials self-assessment questionnaire online at https://www.cyberaware.gov.uk/cyberessentials/. Cyber Essentials has been mandatory for suppliers of Government contracts since 2014 and provides a structured framework which will help protect your organisation against the most common threats and show your staff and customers that you take cyber security issues seriously. Your IT can help you to achieve Cyber Essentials certification; give us a call to find out how.
If you want to read more about the MediaPro study you can find an infographic and a download of the full report here – https://www.mediapro.com/blog/infographic-2016-privacy-security-awareness-iq/
Your IT Department provides complete Cyber Security solutions including anti-virus software, Watchguard Firewall Hardware, advice and training. To find out more about how we can keep you secure, call 0115 7980704 or email us at firstname.lastname@example.org