Companies have focused on increasing cybersecurity efforts as students and employees suddenly found themselves connecting from home during a pandemic. As an IT support company, we understand the importance of both the technological and behavioral aspects of security. We have helped organizations employ security measures such as web filtering and networking tools. However, hackers and scammers are all too often successful at gaining access to data, installing malware such as viruses on computers, and stealing money from victims. Often, it's the human element that makes it possible.
They say that people are the weakest link in an organization's security. All the technological measures in the world cannot protect an organization's data, network, or device if users do not follow security practices that were put in place for this exact reason. In fact, because hackers and scammers recognize the risk of the human factor, they do not focus solely on security vulnerabilities; they have turned to so-called social engineering tactics that manipulate people into handing over data, or credentials that would give unauthorized users access to that data. We can install firewalls to protect computers and servers, instruct staff to use VPNs when connecting remotely, and offer secure cloud support, but all of this can be undone by a user's poor judgment. Clicking on links from unknown senders, which can lead to phishing attacks even if the message has been marked as spam by a spam filtering program, downloading files from unsafe sources, and failing to protect sensitive data are all examples of human vulnerability.
While some companies may think that training would mitigate some security risks by increasing awareness of personal responsibility, this isn't necessarily the case. A TrendMicro survey found that most users were aware of security risks and agreed that they shared responsibility to uphold security. Yet, these same respondents reported downloading unauthorized software to their company-provided devices, including 60% of respondents who admitted to uploading work-related data to those apps. On top of that, others admit to completing work tasks on their personal devices.
It's clear that awareness alone is not enough to ensure that employees follow the best security practices, so what can companies do to increase compliance? First, they can understand some of the reasons why employees do not follow these practices. Nearly a third of respondents to TrendMicro's survey reported using unofficial means to complete tasks because they consider the solutions provided by their employers to be "nonsense." If companies can streamline processes to make them more efficient, utilize software that doesn't slow down Internet access, or rethink website design to improve the user experience, they may be able to increase compliance.
TrendMicro's Bharat Mistry also advises against a one-size-fits-all policy that punishes employees who follow protocols. Instead, we should identify those who are most likely to flout security protocols and tailor custom solutions to increase compliance. These solutions may include specific managed services or working more closely with the information technology team to emphasize the importance of security. Employees may especially benefit from understanding that some actions pave the way for data leaks and attacks that require more than a simple help desk ticket to resolve. They cause a loss of profits and productivity (ransomware alone cost companies between $6.3 and $25 billion last year) and can damage a company's reputation. IT companies like ours wind up retrieving data and cleaning up code in addition to routine IT support and email support. The personal risks are no less significant, with phishing attacks sometimes leading to identity theft that is difficult to undo and has long-lasting effects on credit scores, which can impact future financial decisions.
Increasing cybersecurity is not just a technological issue, and unless users understand and act on their personal responsibility, we will remain vulnerable.
LeadingIT offers 24/7, all-inclusive, fast, and friendly technology and cybersecurity support for nonprofits, manufacturers, schools, accounting firms, religious organizations, government, and law offices with 10-200 employees across the Chicagoland area.