A number of recent reports have demonstrated the risks posed by the dangerous combination of technology in the workplace and the humans that use it. We examine how you can best protect your business from the risks associated with internet use and cyber-attacks in particular.
Cyber security – a common problem
The Government’s “2015 information security breaches survey”, conducted by PwC, confirmed that 90% of large, and 74% of small organisations had a security breach in the past 12 months – in fact, the median number of breaches was 14 and 4 respectively. 81% of large organisations stated that there was an element of staff involvement in some of the breaches, whereas only 27% of small organisations suffered an incident caused by staff. 28% of all respondents, however, reported that the worst security breach was partly caused by senior management giving insufficient priority to security within their organisation.
Unwanted “exposure” to risk…
According to a recent research study 10% of UK workers watch pornography at work. This startling statistic introduces a number of issues for employers.
First, from an employment law perspective, viewing pornographic material on work time will inevitably fall foul of a number of company policies including:
• Not devoting 100% of work time to work;
• Breach of IT rules; and
• Equality and Diversity policy, including potential sexual harassment issues.
One or more of these policies, as well as the disciplinary policy, will usually stipulate that such behaviour is regarded as gross misconduct.
What is often overlooked, however, is the less “sexy” side of viewing pornography at work – the exposure of the employer to a significantly increased risk of cyber-attacks and associated reputational, financial and commercial damage. Accessing websites that are not appropriately secure is unwise at best, and adult websites are notorious for being unsafe. A recent example of computer misuse involved three judges who were removed from public office for viewing pornography on court computers, thus potentially weakening the entire court IT system as well as bringing the judicial system into disrepute. No doubt employees in other public sector bodies such as the NHS and the civil service, as well as in the private sector, are exposing their employers’ data, systems and reputations by similar means.
It’s not always easy to spot cyber misconduct. Not everyone who views pornographic material does so through external websites: they may be using applications, handheld devices, viewing images sent via email, using mainstream video streaming facilities or using social media sites such as Facebook. Each of these channels introduces additional security concerns.
40% of employees admit to using social media sites at work for personal reasons and in doing so they are likely to be visiting “clickbait” sites that their friends have liked or shared and which are, again, not likely to be particularly secure.
Employees may also be exposing their employer to reputational damage. In a recent case an employee of Norbert Dentressangle, a European transport company, posted a photograph of himself and a colleague in a “sexually compromising position” (and in company uniform) on Facebook; he used it as his cover photo for many years before it was spotted by his new boss and he was promptly sacked. In that case, the lack of a social media policy was the company’s downfall and the employee won his claim of unfair dismissal as a result.
Who is to blame?
Unfortunately, employees pose a significant threat to a company’s information security. Most damage is caused inadvertently, not maliciously, through taking unnecessary risks such as:
• Using new apps or software without permission;
• Opening emails from unknown senders; and
• Clicking on links in emails without first ascertaining the safety of doing so.
“BYOD” or “bring your own device” is also a major security issue in the modern workplace. It is easy, convenient and cost effective for staff to access their emails or work on mobile devices and home computers. However, employers who allow or encourage staff to use an external hard drive to take work home, push emails to their mobile devices (or webmail accounts) or upload data to a cloud server from a desktop or mobile device increase the risk of losing control of their commercially sensitive data.
A fundamental misunderstanding about how systems are “hacked” is often to blame for employees taking risks with their internet use – people often believe that a hacker sets out to enter a particular system and cannot be predicted or stopped. However, this is not the case – sometimes weaknesses in systems can be identified and exploited opportunistically, simply as a result of the risk having been taken in the first place.
The biggest risk of all is human error – pressing the send, reply all or delete keys, accidentally uploading data to the cloud, inadvertently or naively “sharing” information with their friends, leaving accounts logged in by mistake and other accidental “mis-clicking” incidents – which can lead to reputational and/or commercial damage and expose the company to the risk of regulatory action and fines.
So how should businesses manage the risk?
There is realistically only so much that can be done by way of policies and training to prevent security breaches by employees in an environment in which it is becoming ever more difficult to identify, or predict, cyber threats. The traditional “dodgy” email link is now far more sophisticated and can be indistinguishable from a safe one, such that employees need to be supported by sound technological safety measures, such as content filters, to attempt to mitigate risk.
Organisations need to take a broader view of data protection and information security in respect of their business. Before focusing on a narrow area of prevention, first establish the bigger picture:
• What data is held?
• In what way is it valuable, both to the organisation and to a hacker?
• Where is it stored?
• Who has access to it?
• How is it protected?
• How effective is that protection?
Only then can the right supporting strategies be put in place to minimise risk.
Given that computer misuse by employees poses the greatest risk to an organisation, this is truly where the solution has to start.
• Make cyber security a key part of the company strategy at all levels – from board level right through to temporary staff and contractors.
• Contracts of employment and staff handbooks ought to make clear the responsibilities of the employee and that everyone is accountable for their own contribution towards maintaining a safe cyber environment.
• Clearly drafted policies on IT systems, handheld devices, appropriate IT use and social media need to be introduced and regularly reviewed.
• A “BYOD” policy is essential and should make clear provisions for minimum security criteria to be met in order for any such use to be authorised.
• A disciplinary policy should make express provision for treating certain acts (such as the viewing of pornographic material) as gross misconduct and appropriate action must be taken against anyone breaching company standards.
• Consider implementing a security standard such as ISO/IEC 27001, which sets out the requirements for an information security management system.
• Once you have a set of solid policies, train, train, train your staff on them, at induction and beyond.
The reality appears to be that data breaches are almost inevitable for the vast majority of businesses. Employers must therefore have a clear strategy and risk management plan on how to deal with cyber security breaches when they occur.
More on that to follow.
Remember, cyber security is not an IT issue, it’s everyone’s issue!