Untrained employees can undercut cybersecurity efforts | Crain's Nashville

A new study suggests that more than half of all data breaches can be linked to untrained or negligent employees. | Photo courtesy of Ripley PR. 

It may come as a surprise, but hackers and other players on the dark web are not your company’s biggest issue when it comes to data security breaches. In fact, the biggest threats to your company are sitting in your offices right now.

According to a recent study from Keeper Security and the Ponemon Institute, negligent employees account for more than half of the cyber breaches that affect small and midsized businesses. These employees aren’t allowing unauthorized access intentionally, but do so through the actions they take, or fail to take, on a daily basis.

“If employees don't understand what their responsibilities are when interacting with a company computer system, it's going to be difficult for them to truly protect it,” said Mark Burnette, partner at Brentwood-based LBMC Information Security. “They might unknowingly do something that would put the company's data at risk.”

Employees may have the company’s best interests at heart, but at the end of the day, it truly comes down to employers to educate them.

According to Burnette, the single biggest step employers can take is to routinely provide multifactor authentication, meaning something more than just a password is needed to access sensitive data. The most common form is a token of some kind, such as a key fob with a rotating password, or a code sent via SMS to a cell phone.

“This is something companies have to get ahead of. They cannot rely on their users to always catch it. In many cases, the attacks are so good that anyone would fall for them,” he said.

While it is mostly the employer’s job to train employees on best cybersecurity practices, Teddy Ansink of cybersecurity firm Sword and Shield said employees need to stop being so nice. Ansink conducts social engineering engagements where he actually walks right into company offices and steals their data – and even their devices and equipment. If he looks and acts like he knows what he’s doing, polite employees will give him access.

“They don't want to challenge someone who is unfamiliar. Employees don't think of IT attacks coming from someone walking their hallways,” Ansink said.

Nashville companies practice what they preach

Nashville insurance and risk-management firm Anderson Benson handles cybersecurity cases regularly, and has the opportunity to learn from these claims and put that knowledge to work in its own workplaces.

“We see firsthand the vulnerabilities that exist in the real world,” Anderson Benson partner Leigh Anne Strickland told Crain’s Nashville. “We stay coordinated with insurance companies to understand the latest cyber and data breach mechanisms used by hackers, so that we can regularly give presentations to clients and different business groups to keep them up to date.

“Since we’re doing these presentations for clients regularly, we are sure to repurpose our findings for our own internal audience to stay informed,” Strickland said. 

Similarly, Patterson Intellectual Property Law of Nashville is focused on educating clients on best cybersecurity policies and practices. In particular, law firms are at a heightened risk for breaches because of the highly sensitive and confidential information stored in their databases.

Staff attorney Wade Sims strongly believes in the importance of educating employees across all sectors, because all companies are at risk for data breaches.

“By example, Patterson Intellectual Property Law has its own policy that governs cybersecurity practices such as password management, secure document storage, network access, use of personal devices, cloud service vendors, and more,” Sims said.

February 9, 2018 - 12:32pm