The increasing intensity and sophistication of data breaches mean that businesses are right to be concerned about the ongoing risk to their corporate data. However, despite this imminent threat, organisations often ignore the fact that their primary vulnerabilities relating to data security come from within. 

Very often, we see companies invest an awful lot of money to protect themselves against external cyber security threats, but fail to act against the equally damaging internal risk and exposure to threats that are worsened by their own personnel. 

It is important to note that internal negligence is among the leading causes of security breaches, and many of these hacks are carried out using information that has been stolen from members of staff. Further to this, according to the recent Cyber Security Breaches Survey: 

  • More than four in 10 (43%) of businesses have experienced a cyber security breach or attack in the last 12 months 
  • Fewer than three in 10 (27%) of businesses have a formal cyber security policy 
  • Large companies reported an average of 12 attacks per year that they knew about, while six attacks per year were reported by medium-sized enterprises 

Issues for employees 

The primary issue for employees when it comes to protecting company data is a lack of awareness. Very often, staff have received no formal training in best practices for cyber security, which means they are more likely to adopt weak, duplicated passwords, as well as click on any suspicious links they are sent via email. 

The increasing popularity of bring your own device policies has also contributed to security risks. It is not uncommon for employees to use personal and work devices interchangeably, which poses a risk in itself. This may seem harmless on the surface, but even the simplest activity - such as sharing files via the cloud, listening to music or participating in online games - can pose a threat to business security. 

The potential threat posed by mobile working is considerable. In its mobile security report published in 2018, iPass revealed that: 

  • More than half of organisations fear that their mobile workers have been hacked 
  • 81% of respondents have knowledge of Wi-Fi related security incidents in the past 12 months 
  • While most respondents have implemented BYOD (Bring Your Own Device) policies, 94% of CIO and IT admin security professionals said BYOD has actually increased overall mobile security risks.

A widespread lack of basic IT knowledge among employees is also a contributing factor leading to potential risks for businesses. Our recent survey findings revealed that 65% of UK professionals working across all industries were not given mandatory IT training that they had to take without exception during their first month of employment in their current or most recent role. 

Of these, 74% had never received any IT training at all in their current or most recent role, despite 86% of all respondents saying they worked on a computer every single day. 

The findings suggest that there is a widespread assumption among businesses that new employees have at least a basic knowledge of IT and IT security. However, such an assumption can be dangerous and potentially catastrophic. We very often hear from clients who firmly believe that the biggest threat to their IT security is the users operating within their infrastructure, and very often, a lack of basic IT skills is putting the business at risk of security breaches. 

What can businesses do? 

Businesses across all sectors should, as standard, ensure they provide mandatory IT training, which is carried out by the IT department, to all new starters within their first month of employment to ensure they are able to carry out their work on the company’s network without exposing the organisation to security risks. 

On top of this, existing employees should receive formal security training on a regular basis that is carried out in line with the business’ wider IT security policy in order to ensure they are treating the security of their employer with the same regard they would their home devices. 

Sign our petition 

We take IT security seriously, and we believe action is needed to ensure businesses have a minimum standard level of security in place to protect themselves from cyber attacks. We’re running a petition to make the currently optional Cyber Essentials scheme from the National Cyber Security Centre (NCSC) a legal requirement for small and medium-sized businesses, and the more comprehensive Cyber Essentials PLUS scheme mandatory for large businesses.

For more details on the petition and to show your support by signing it, visit:

Speak to Evaris today about your IT security needs by calling 0330 124 1245 or email [email protected]


