May 8, 2019

The No. 1 Threat to Cybersecurity? Your Employees


Hackers and malware are formidable foes, but employees are the biggest threat to your company’s cybersecurity, according to a recently published study.

A complacent or poorly trained employee can undermine even the strongest security protocols with a single mistake. Lost or stolen hardware, weak passwords, and other bad habits lead to more data breaches each year than cyberattacks.

The Paccar Financial Case

Paccar Financial, an American Fortune 500 company, discovered firsthand the negative effect an employee’s mistake can have on company cybersecurity. In early 2018, two company devices were stolen from an employee’s vehicle. The laptop and accompanying USB thumb drive contained clients’ social security numbers, credit applications, and even copies of their photo IDs.

This breach could have been prevented had the employee in question stored the devices securely. Company devices should never be left exposed or unattended. When not in use, they should be stored in a locked cabinet or safe on company premises. All company devices should also be locked with a unique username and password, using two-factor authentication when possible. Sensitive data should be kept in the cloud or in an encrypted folder on the device’s hard drive to prevent unauthorized access.

How to Protect Your Business From Negligence and Mistakes

The only way to reduce the risk of cybersecurity breaches is to understand exactly how they happen and how to protect against them.

Don’t Fall for Phishing Scams

Phishing emails are messages sent by scammers masquerading as credible sources. They will typically ask the recipient to open a link that requires them to enter their login details for a service or platform. Once the employee enters their credentials in the fake login portal, the scammer has them and can use them to gain access to sensitive information.

Train your workers to identify phishing attempts. Teach them to look for tiny details that give away the scam. For example, they should always scrutinize the URLs of any links they receive via email. Does the URL contain identifiable mistakes? Then it’s not a legitimate email, but a phishing attempt.

These lessons don’t have to be boring. There are many interactive quizzes and training modules you can use to make the content more exciting, such as this one from Google.

You should put a strict policy in place that instructs employees to forward suspicious-looking emails to the IT department before clicking on any links.

Use a VPN

Employees’ personal devices are far less likely to feature the same security measures as company devices do. They may even be infected with malware or spyware that can leak into the company network.

The risk increases exponentially if your company employs remote workers, because they will also be using their own internet connections to access company information. Unsecured and public WiFi networks are easy targets for hackers and spies. Using an unsafe or public connection to log into company networks can directly expose your entire organization to cyber threats.

For this reason, you should make sure your employees use VPNs when logging into company networks via their own devices or internet connections. VPNs encrypt data as it travels over your company’s network to prevent hackers harvesting it.

A business VPN will issue your company a dedicated server and IP address. This will allow your employees to connect to the network from anywhere in the world while preventing others from being able to access your company’s data.

Create a Cybersecurity Policy

As in most spheres of life, education is the best prevention when it comes to cybersecurity. You should ensure that employees know how to protect their data and why they need to protect it.

A strong cybersecurity policy is essential. Yours should include instructions on how to create secure passwords, store sensitive data safely, access sensitive files, and store physical devices at home or in the workplace.

The policy should also include instructions for disposing of hard drives and portable devices. Thieves can retrieve data from a hard drive even after it has been deleted or reformatted. Ultimately, the most secure way to dispose of old hard drives or devices is to have them destroyed by a professional disposal company.

In the absence of an IT department, you should appoint a trained staff member who can be contacted in the event of a cybersecurity breach. Be sure to include their details in your cybersecurity policy. Make sure the appointee understands the importance of their role and doesn’t see it as a burden. Ask them to produce quarterly reports on cybersecurity issues that can be distributed throughout the office. The secret to preventing cybersecurity breaches is to be aware of the risks 365 days a year.

Ariel Hochstadt is the cofounder of vpnMentor.

Read more in Training

Ariel Hochstadt is a successful international speaker and the author of three books on computers and the internet. An ex-Googler, he previously served as the global Gmail marketing manager. Today, he is the cofounder of vpnMentor and an advocate of online privacy. He is also very passionate about traveling around the world with his wife and three kids.