It may seem obvious that the technology which protects electronic data is only as effective as the people who use it. Yet time after time we read of employees printing out sensitive information and leaving it uncollected on the printer, or leaving documents on trains and in hotel lobbies. This kind of information leak is as real and damaging as any IT breach.
Worse, says Dmitry Shesterin, vice president of product management at security software developer Faronics. Even if users can be educated to change their passwords frequently, all too often they feel safe in places where they may not be.
“A growing concern for organisations is that employees are simply placing far too much trust in social networking sites, such as Facebook, LinkedIn and Twitter,” he says. “Posting swathes of personal and sensitive information, including what they are doing, their job role, their date of birth and where they live, can end up being crucial to a cybercriminal’s success, putting the corporate network at risk.”
Employees are simply placing far too much trust in social networking sites, such as Facebook, LinkedIn and Twitter
This false sense of security can be localised. “While issues surrounding Facebook’s security have been widely covered in the media, LinkedIn’s security settings are often overlooked, which has led employees falling into the trap of believing that the risk is lower. Indeed, while 46 per cent of Facebook users have customised their privacy settings, just 20 per cent of those on LinkedIn have controlled who can view the information on their profiles,” Mr Shesterin adds, quoting his own company’s survey of 1,000 users.
Another area causing difficulty is that many users assume all technology is equal. Paul Hudson, sales director for Northern Europe at Buffalo Technology, says: “UK IT managers realise the importance of data storage, but they need guidance on the risks involved with using simple storage devices that are designed for consumer use. Failing to back-up data to the cloud or to a networked NAS [network-attached storage] device, rather than removable media devices, leaves the company at much higher risk of data loss, leakage and hacking.”
Finally it’s worth bearing in mind that, whether technological or otherwise, it’s down to managers to educate employers on how to behave. “It’s no good just informing users when they join the company what they shouldn’t do from a security perspective – you have got to change user behaviour,” says Scott Greaux, vice president of product management for security specialist PhishMe. “The reason criminals still use tactics, such as phishing, is because they know they work – which shows that all too often education is failing.”