Research shows that employees are often the root cause of business security breaches. More training will help, but better security will require cultural change.
According to 2018 research conducted by Shred-it, more than 40% of senior executives and small business owners report that employee negligence or accidental loss was the root cause of their most recent data security breach. The same State of the Industry Report reveals that 96% of consumers view employee negligence as at least a minor contributor to data breaches at US companies. Executives, owners, employees, and even consumers all agree that negligent behavior is a security vulnerability, yet the problem persists.
Unfortunately, the lack of security awareness extends beyond phishing emails and other socially engineered cyberattacks to include the circumvention of physical security procedures and protocols. For example, more than 25% of United States workers admit to leaving their computer on and unlocked when they go home at the end of the day—a behavior that breaks every security best practice policy ever implemented.
Identity and access management
The vast majority of companies surveyed in the Shred-it study said they were implementing security training programs for employees. However, the types of behavior that can lead to expensive data breaches are often just bad habits that, at first glance, seem insignificant and trivial.
Simple and seemingly innocuous behavior, like leaving a door unlocked that should always be locked, can lead to costly security breaches. Even leaving a computer unlocked or documents exposed while taking a coffee break can provide all the opportunity necessary for unauthorized access to confidential data.
In fact, according to the report, 36% of workers admit to leaving sensitive work documents or notebooks on their desks after they leave the office for the day. Security breaches stemming from this sort of behavior are more common than you may think. Some 36% of executives report that employees have had documents lost or stolen because they ignored physical security protocols.
Preventing unauthorized access to sensitive and confidential data requires a concerted effort from every employee. All documents and mobile devices should be stored in locked containers when not in use, and all computers should be locked according to enterprise IT policy when unattended. Servers, switches, routers, and modems should all be housed in locked rooms with access restricted by established security access and authentication protocols.
Restricting access to IT hardware and software with detailed security procedures at both the individual and department levels requires a comprehensive policy. Businesses looking for a framework they can use to build their own physical security procedures may want to download the IT physical security policy from Tech Pro Research, TechRepublic’s premium sister site.