The threat of cyber attacks is not a secret, and the potential damage is repeatedly emphasized. So why is it that many users still do not follow the basic rules of data security? We’ve identified three common reasons:
1. Lack of knowledge
The first and most obvious reason is honest, non-malicious ignorance. Some users expose their employers to data breaches because they simply do not recognize the threat: the suspicious email, the fraudulent link, the trap to provide sensitive information, or the impersonator on the other end of a telephone call.
What to do: The first step is to identify the exact knowledge gaps and seek the kind and level of training that will adequately close these gaps.
Sometimes we know, in theory, what we should be doing, but we still don’t do it – again with no bad intentions. We might forward an email without scrolling down the long email thread to check if it contains any sensitive information that is not meant to be shared. Or we might plug that USB drive from a new contact into our work computer without verifying exactly where it came from. Or we might check a work email on our private mobile phone and respond while on the go using a public Wi-Fi connection. All these actions are potentially hazardous; but because we are in the habit of acting quickly, spontaneously, and from wherever we happen to be when dealing with our friends and family, we automatically respond in the same way at work. Although the above habits are never ‘good’, in a work environment they could have terrible consequences.
What to do: Repeat, repeat, repeat to your team, in words and by example, until new habits are cultivated. This can be supported by introducing a team practice and having colleagues who work together remind each other.
Sometimes the measures an employer expects staff to follow are time-consuming or unclear. In such cases, you can almost expect users to be tempted to take shortcuts and rationalize their decision to do so.
What to do: This is where a series of actions is required. First, the data security protocol may need to be reviewed. Can the procedures be simplified without compromising the actual result? Can they be better explained, so they are more user-friendly? Once that has been done, every user must be made fully aware of the consequences of a data breach, which could even go as far as ruining a small business. Cyber attacks are not petty crime. Everybody must understand that. Finally, employers need to nurture a sense of collective responsibility. Data is a very valuable asset, and every employee has a duty to protect it.
Do you need help raising the security awareness level among your people? If so, give us a call or drop us a line, and let’s talk.