An unlocked work computer gets left in a hotel room. A link or attachment gets opened in an email that looks like it’s coming from the boss, but isn’t. An employee is promoted to a position with access to vast amounts of sensitive information — no background check has ever been done. A thumb drive gets left in the back of a cab. The home network of an employee who works remotely gets hacked. The access of a retired employee isn’t terminated for several months after she leaves the company.
The likelihood of any of these scenarios taking place should keep IT professionals, in-house counsel and directors awake at night. While many companies have adopted policies and procedures regarding cybersecurity and data protection, not all companies adequately focus on what is likely their greatest source of cyber risk: their employees. The recent 2018 Industry Report by Shred-It, an information security company, indicates that employee negligence is a main source of cyber breaches and related risks. According to the report, which surveyed over one hundred c-suite level executives and over one thousand small business owners in the U.S., out of the businesses that reported experiencing a breach or attack within the past year, 69% (among c-suites reporting) and 71% (among small business owners reporting) were attributable to employees. What can companies do to help mitigate what may be their biggest source of cyber risk? We recommend company counsel and technology/data experts consider the following suggestions:
- Training. Employee training is key, and is probably the most important part of a company’s cybersecurity and data protection efforts. It is not enough to distribute a policy once a year and expect employees to educate themselves. In-person and hands-on training programs and phishing tests (where emails are sent internally to test whether employees can recognize phishing attempts) should be conducted regularly. Training should include recommendations for personal cybersecurity, particularly if the company permits employees to work remotely. A company may have imposed every security measure it can, but if an employee who works from home has the password “Password1!” on their home network, the company’s systems or data may be at risk.
- Review access regularly. Don’t forget to change the access of an employee whose position changes, and don’t leave the access of a departed employee active for any period of time after they leave. Companies should also periodically review whether the access employees have on a daily basis is appropriate.
- Reduce and dispose of information appropriately. Subject to the need to retain certain information for legal reasons, companies should reduce the information they hold and dispose of it appropriately and regularly. This includes appropriate disposal of old networks, computers and phones. Setting cyber risks aside, this is a good practice considering the compliance requirements of a growing number of data security laws like the UK’s General Data Protection Regulation.
- Communicate key contacts. Make sure each employee knows who to call if they suspect that the company’s networks or data have been compromised.
Ultimately, the vast majority of companies will experience a cyber breach or attack at some point. Being able to demonstrate that the company has in fact taken necessary precautions and adopted appropriate policies and procedures can be helpful in communicating the company’s story during any ensuing storm.