Pop quiz: What do the data breaches at Target, Home Depot and Sony all have in common? Give up? They were all caused by employee errors. These, along with about 500 other breaches, are confirming what many security professionals have worried about for years. In the digital age, the weakest link in our information security is us: humans. The most common cause of data breaches around the world is employee error or negligence.
This kind of negligence can take a few forms. It can be an employee responding to a phishing email or downloading a piece of malicious software on a company computer. An employee could fail to adequately secure his login information (by, say, writing it on a sticky note and attaching it to the monitor) or could leave company technology vulnerable to theft.
As with many other complex, human-focused problems, no single solution can address this problem. There are structural and technological changes that can help mitigate the risks posed by employee error. While these changes are developed and implemented, here are three simple steps you can take to help keep your workplace safe from hacks.
1.) Read something, say something
Everyone thinks they can detect a scam. It’s a line of thinking called the general attribution error, that what’s true of “most people” can’t possibly be true of us and the people we know. We constantly believe we’re the exception rather than the rule, and our susceptibility to fraud demonstrates this well. Most people consider themselves intelligent, discerning Internet consumers. Yet, a recent Google study found that 45% of users fell victim to a fake login page.
Scammers wouldn’t keep using these tactics if they weren’t working, and even if you are savvy enough to spot 99 phishing attempts in a row, the one you miss is all it takes for another big data breach to happen. If you work at a company with 100 people who are all as adept as you are at catching these emails, every scam attempt works on one person on average. Worse still, some hacking attempts begin by sending out emails from the first victim to people on that person’s contact list. When that happens, one person falling victim to an attack can quickly increase the credibility of subsequent attacks.
The solution to the general attribution error is the power of collective wisdom. If you receive an e-mail that’s clearly an attempt to solicit sensitive information, don’t just delete it and move on. Forward it to your company’s IT representative. Mention it to a colleague. Ensure that everyone knows this scam is circulating at your company.
If you do fall victim to one of these hoaxes, don’t try to cover it up. You might face disciplinary action for opening malicious emails, but you will face disciplinary action if your login credentials are used to expose sensitive information!
2.) Off the clock? Lock it up!
The VA breach, one of the biggest data leaks that hit some of the most secure data in the nation, was caused when an employee improperly took confidential information home to continue working. The information was stolen and the integrity of the VA’s servers was compromised. Taking work home with you might be a good way to get ahead, but unless your home can provide the same level of security as your office, it’s just not worth it.
If you must take work outside the office, keep it in a secure place. Ideally, you should place it in a safe or locking file box. Failing that, keep it in a locking briefcase or other lockable container. If you’re working with paper copies, don’t forget to destroy or return them once you’re done.
If you have a standing arrangement with your employer to do some work remotely, there are still a number of steps you can take to keep your work technology safe. If you work on a laptop, invest in a cable lock. This piece of hardware works like a bicycle lock. You loop it around a heavy object and fit the lock into your computer’s power port. Should a dedicated thief rip the lock out of the port, the computer will be rendered inoperable, turning a catastrophe into a hardware replacement.
Also, don’t connect to unsecured wireless networks. Anyone can join these and set up monitoring software on them to steal data in transit. If you work on your home wifi, set up a security protocol. Don’t forget to change the default administrator password on your router. Most manufacturers have a default router password which would enable scammers to access your network.
3.) Keep it out of the office!
Most people spend at least some part of their work day browsing the Internet. Modern technology has made work more efficient, so some employees think they can do a little browsing during slow times. The problem is that recreational browsing can expose the office to risks.
Even the most tame hobbies can have risks. Searching for “download sewing templates” could take you to websites dotted with malicious software masquerading as innocuous archives and executables. If your interests run to games or gambling, the Internet can be a very dangerous place for your work computer.
If you’re interested in gaming, you might be tempted to load up a USB drive with a few fun titles. It’s very easy to accidentally save sensitive information to that USB, which becomes a liability. USB drives are the bane of IT security people everywhere, since they’re easy to lose, steal or swap.
If you have downtime at the office, stick to browsing sites you know and trust, or the ones permitted by your IT department. If you feel the need to explore the darker side of the Internet, be sure you do so at home where you can better control the sensitive information on your computer.