Humans Are Your Firm's Most Overlooked Security Risk
We all make mistakes; we’re only human, after all.
We may only be human, but a mistake involving sensitive and private data can be catastrophic, in any industry or profession.
To kick off my first blog here at The Link App, I want to look at the different types of risk that people introduce in the world of business.
Recent studies, as reported by Kaspersky, show that businesses’ top three cybersecurity fears are related to human factors.
I have listed three as examples:
- Bring your own device to work
- Carbon-based (human) error
- Weak or lacking IT security policy
So let’s take a closer look at these three human factors.
Bring your own device to work (BYOD)
It is now widely accepted for employers to allow staff to use their own devices for work purposes. After all, the rise of home-based and remote working has made this a very common scenario.
An employee’s own device is often more sophisticated than what their employer would supply. This could be seen as a win-win for employers: the employee invests in their own tech that they are comfortable working with (Mac or Windows, for example), which reduces the overall burden on the employer’s purse strings.
Is it really a win-win scenario?
A correlation has been shown between businesses that actively encourage these schemes and increased cybersecurity risk to SMEs, with malware and viruses being the main culprits.
As you would expect with a BYOD scheme, these devices are also being used for personal reasons. After all, they are the employee’s own devices.
By accidentally accessing an infected website, or by using unsecured WiFi connections in coffee houses and public areas, the employee exposes their business’s IT infrastructure to undue risk, whether on a laptop or a mobile device.
An employer’s main concern will be an employee accidentally or inappropriately sharing company information. With BYOD schemes, though, an employer’s biggest fear is not malicious action but genuine human error.
Added risk with BYOD
Employees are more than likely going to be carrying their own devices with them more regularly than they would an employer’s device. It’s their day-to-day device. This increases the possibility of theft and accidental loss, which would also impact the business.
Reducing the risk of a BYOD scheme ultimately depends on the employee being responsible for their actions. Will they treat business data as securely as their own personal data?
Employee carelessness can be attributed to almost half of reported cybersecurity incidents.
Carbon-based (human) error, across the board
A survey of UK GDPR decision-makers found that 52 percent of businesses are not fully compliant with the regulation. It is well known that a lack of training can cause serious issues for firms.
After all, you would not allow a forklift truck driver to operate their machinery without the necessary training.
So how does a lack of human training impact businesses?
There are a number of areas that can be looked at here, but to stay relevant, I will look at data breaches and general security.
The human factor in a business runs from top to bottom. How can employees be expected to reduce risk if management does not provide adequate training or, where necessary, the right tools to be vigilant?
It is extremely important for law firms to have ongoing and robust training programmes to ensure employees are fully aware of potential threats to the business.
Every individual should be included, from the Managing Partner down.
Most issues arise from a genuine mistake, but thought also has to be given to potentially disgruntled employees.
Take the recent data breach at Morrisons as an example, whereby payroll data was stolen by an employee. Could this potential risk have been minimised? Quite often, staff are provided with much wider permissions than is perhaps required for them to carry out their duties.
A thorough review of what employees are given access to should be carried out, and, where appropriate, access should be rescinded if it is not required to fulfil their work duties.
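The access review just described can be made routine rather than a one-off exercise. The following is an added example (not from the article or from The Link App) showing one way to do it in Python: each role is mapped to the permissions its duties actually require, each user’s granted permissions are compared against that baseline, and anything either not required by the role or not exercised in the last 90 days is flagged for rescinding. The role names, permission names, users and dates are all constructed sample data.

```python
"""Access review: flag permissions that exceed a role's needs or sit unused."""
from datetime import date, timedelta

# Constructed sample data (not from the article): what each role actually
# needs in order to carry out its duties.
ROLE_REQUIRED = {
    "payroll_clerk": {"payroll.read", "payroll.update"},
    "solicitor": {"matter.read", "matter.update", "document.upload"},
    "it_admin": {"user.manage", "system.patch"},
}

# Constructed sample data: a user's role, the permissions actually granted,
# and the last date each permission was exercised (None = never used).
USERS = [
    {"name": "alice", "role": "payroll_clerk",
     "granted": {"payroll.read": date(2024, 5, 1),
                 "payroll.update": date(2024, 4, 28),
                 "payroll.export_all": date(2024, 1, 10)}},
    {"name": "bob", "role": "solicitor",
     "granted": {"matter.read": date(2024, 5, 2),
                 "matter.update": date(2024, 5, 2),
                 "document.upload": None,
                 "user.manage": None}},
    {"name": "carol", "role": "it_admin",
     "granted": {"user.manage": date(2024, 5, 3),
                 "system.patch": date(2024, 5, 3)}},
]

# The (constructed) date on which the review is run.
REVIEW_DATE = date(2024, 5, 6)


def excess_permissions(user, role_required):
    """Permissions granted beyond what the user's role requires."""
    required = role_required.get(user["role"], set())
    return sorted(set(user["granted"]) - required)


def stale_permissions(user, today, max_idle_days=90):
    """Permissions not exercised within max_idle_days (or never used at all)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(perm for perm, last_used in user["granted"].items()
                  if last_used is None or last_used < cutoff)


def access_review(users, role_required, today, max_idle_days=90):
    """Return {user: {'excess': [...], 'stale': [...]}} for users needing action.

    Users whose access is exactly what their role needs, and who have used
    all of it recently, are omitted so the report only lists work to do.
    """
    findings = {}
    for user in users:
        excess = excess_permissions(user, role_required)
        stale = stale_permissions(user, today, max_idle_days)
        if excess or stale:
            findings[user["name"]] = {"excess": excess, "stale": stale}
    return findings


if __name__ == "__main__":
    for name, finding in access_review(USERS, ROLE_REQUIRED, REVIEW_DATE).items():
        print(f"{name}: rescind {finding['excess'] or 'nothing'} (not required by role); "
              f"review {finding['stale'] or 'nothing'} (unused for 90+ days)")
```

Two separate checks are kept on purpose: a permission can be legitimately required by a role yet never used by a particular person, and that second case is where over-broad access usually hides. In the sample data, alice holds an export permission her role does not need and bob holds an administrative permission he has never used; carol’s access matches her role and is left out of the report.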
But what about the “postponers”?
These individuals are usually well aware of their responsibilities, but push them back in favour of completing their own work. The classic example here is postponing network, programme and machine updates that come through regularly.
We are all guilty of postponing an update because we have multiple tabs open with work to complete, but repeated postponements can result in important security updates not reaching all machines.
This can have an even greater impact where individuals use their own devices (BYOD) and continually push back important updates.
With year-on-year increases in malicious threats to businesses, such as phishing or viruses, it is fundamental that all individuals know the implications of not keeping security updates current.
Weak or lacking IT security policy
Awareness of IT security is essential. But laying down an IT security policy and process is what separates and protects security-conscious businesses.
It is important for businesses to create a policy and have an open and honest attitude towards reporting a potential risk, or an event that has occurred.
Without this kind of culture, it is more than likely that an individual will attempt to hide an issue or deal with it themselves rather than raise it through the appropriate channel. This can have further dramatic consequences and potentially increase the level of damage caused.
Introduce an IT security policy… for everyone within the business
Ensuring all individuals within the business are aware of the need for strong policies is essential. It is also important that employees know what best practice is in the event of an incident, and how an issue is raised and escalated where appropriate.
Ensure all employees understand the importance of having strong password credentials, as this is a firm's first line of defence. Then ensure employees do this on all devices.
This is even more important with BYOD schemes, as employees will often allow others outside of work to access their device.
Enforced password changes are considered to be an essential part of keeping company data as safe as possible. Many third-party applications now in use (such as Salesforce) can be configured so that users have to change their password every 30 or 60 days.
Whilst implementing your IT policy, consider these questions:
- Do all individuals within the business know how to fully protect themselves when online?
- Are they aware of what could potentially cause the business harm?
One example, and one of the most common warnings, is suspicious links. Clicking on a link in a suspicious email can have a catastrophic effect on any business, providing information and access that opens the gates to cybercriminals.
All individuals within the business need to understand what their vulnerabilities might be and take the appropriate steps to ensure they can help mitigate as much risk as possible.
Educating all staff can go a long way, but it is equally important to view this as ongoing education, as risk and vulnerability are continuously evolving in the world of technology.
Security is imperative. A data breach is more than information and financial loss; it’s your reputation that is on the line.
What’s your next step?
To ensure all your law firm’s communications are protected, avoid using email and other free messaging platforms to speak with clients and share sensitive documents.
Consider implementing a secure communication platform like our solicitors software, The Link App, for your clients and lawyers.
Written by: James Pearson, Senior Business Development Manager