The corporate breaches that make the biggest headlines are targeted attacks carried out by skilled hackers. But while external cyberattacks pose a big risk to businesses, it’s easy for company leaders to overlook another potent threat: their employees.
Through bad security habits and a lack of basic cybersecurity hygiene, employees routinely put their employers’ networks at risk of attack. It’s not that they’re malicious; it’s just that there typically is plenty of room for improvement, and arguably, a certain degree of carelessness.
This “carelessness” tends to be more common with remote workers, whose approach to device security can expose businesses to a broader sphere of attacks. The devices they use remotely — laptops, USB drives, hotel/home Wi-Fi — are now all an extension of the company’s network. As the remote workforce continues to grow, HR administrators must work to manage personnel’s risky security habits. The solution is to build a climate of company cybersecurity – one that involves a clear policy, consistent training, and the right technology.
The bad security habits of mobile workers
Today’s HR administrators face a huge hurdle: the increasingly mobile workforce isn’t mobilizing around security. As a May 2016 OneLogin study carried out by Arlington Research revealed, employees and their digital devices are a plentiful source of company security risks, and this risk is only growing. The study – which polled over 1,000 U.S. employees – found that 55% of respondents use work applications outside of the office. With remote workers increasingly more common, HR employees need to look at how these employees are approaching device security.
Unfortunately, it’s not a pretty picture. The first major issue is device sharing. As OneLogin’s study found, nearly one in ten employees surveyed allow their partners access to devices that are linked to their company network. And even more employees – 13% – do this with colleagues. Employees have a similarly lax attitude when it comes to passwords: one in five share their work email password, while more than one in ten share passwords of other work apps.
Build a climate of internal security
It’s time for HR leaders to reign in employee behavior that’s actively compromising company security. Here’s three ways they can do that:
- Create and enforce an office cybersecurity policy: If your company doesn’t have a clearly stated cybersecurity policy, sometimes called an acceptable use policy, you can’t blame your employees for not following it. Of the employees OneLogin and Arlington Research surveyed, almost half stated they didn’t know whether their company had a policy in place surrounding password sharing. That’s a real problem; for HR leaders, eliminating employee bad security habits starts with having a policy that clearly delineates company cybersecurity rules.
- Prioritize cybersecurity training: Cybersecurity training must become part of the employee onboarding process, but it can’t stop there. For example, consider setting aside five minutes at the monthly company meeting for a discussion of security best practices. Or bring in a cybersecurity expert to discuss the basics of identifying a phishing scam. By encouraging employee cybersecurity literacy, you’ll improve company security.
- Secure remote access with the right tools: Even though building awareness around cybersecurity is a required step, it’s still not enough to curb the threat of breaches; particularly when it comes to remote workers. One way to secure the remote workforce, is for HR leaders to turn to multifactor authentication tools, which create an additional security wall between privileged data and outside access. For remote devices connected to the corporate network, this resource is indispensable.
The challenge for today’s HR leaders is to get a rapidly mobilizing workforce proactive about corporate security. There are severe consequences otherwise. Just take a look at the Identity Theft Resource Center’s record of 2016’s breaches. The ever growing list is filled with incidents that began with employee negligence and were amplified by a lack of corporate preparedness. Companies that don’t build a climate of internal security awareness and deploy technology to manage the risks that impact your employees, remote or in the office, risk being one more name on this list.
