Not a day goes by without data leaks, hacked email accounts or compromised corporate networks hitting the headlines. The topic has become the new front line for businesses - a battleground between malicious hackers and security experts that shows little sign of slowing down.
Businesses are investing billions every year defending against external attacks and protecting their assets. But any defence is only ever as strong as its weakest link, and for every organisation that link is its staff. There is no greater risk to sensitive company information than human error or negligence. The director of the CIA could tell you a story or two about this, having recently been hacked after downloading confidential information onto his private email account. An unusual lapse for someone who has worked with the intelligence services for nearly 40 years.
A case in point: as revealed in a new report on an organisation's riskiest users, a company's longest-standing and most loyal employees also pose the biggest IT security threat. As people stay longer with a company, they get more comfortable. They become complacent because they’re still doing the same job even as IT and technology are advancing around them. Tenured employees are most likely to neglect IT security guidance by using personal passwords for business applications (42%) and keeping hard copies of their passwords (37%), increasing the likelihood of intruders gaining access to the company systems. Ironically, those employed to keep watch and ensure a company's IT security is tight are the worst offenders. IT generally has the poorest security habits of any department within a company.
But while these results are concerning, there are steps that UK businesses can take to reduce the risk of falling victim to insider breaches. Employees are a company's first line of defence, but they also need to be aware of the security threats out there in order to avoid them. Staff training should be constantly refreshed to ensure it stays in line with evolving threats. Equally, companies need to stay on top of the game themselves and implement dynamic security policies that evolve in step with technological advancements. This approach will give employees clear guidance on what they should and shouldn't be doing. Finally, users should only ever have access to documents that relate directly to their function and role. That way, if disaster strikes, intruders won't get very far and the data at the very heart of the business is still protected.
IT security best practice clearly can't just rely on fending off external threats alone. Companies also need to put stronger emphasis on internal threat prevention in order to build a business that's secure from the inside out.
By Richard Walters, GM and VP of Identity and Access Management, Intermedia