Cybercrimes are on the rise, and with the number and sophistication of attacks growing rapidly, it can feel as if the workplace is constantly under siege. Companies of all sizes, and across all industries, wonder how to protect themselves while maintaining compliance with federal regulations, and without disruption to their business. The 2015 Cyber Security Intelligence Index report from IBM found that 95 percent of breaches involve human error and that hasn’t changed much in these last two years—human error is still the major cause of breaches. These security-compromising mistakes most often come from inadvertently allowing systems and data to be compromised through poor employee device practices.
Given the fact that employees are routinely using personal devices and computers to access company systems as well as installing their own programs and applications on company devices, it’s important for businesses to understand how to protect valuable, proprietary, and customer data. Here are tips for managing workplace digital devices.
Challenges in the Workplace
There are a number of challenges in the workplace as they relate to managing devices. These include:
Bring Your Own Device (BYOD). The days of companies issuing devices only to senior managers are long gone. More importantly, employees are bringing their own devices to the workplace. Research from the Pew Center shows that 68 percent of American adults now own a smartphone and in my own experience, I don’t know anyone in the workplace who doesn’t own a device—do you? But those devices play an important role. Allowing employees to use their own phones and tablets not only boosts productivity and satisfaction, but can also save companies money even if they provide reimbursement for data plan costs.
Passwords. Passwords are a weak point in security procedures, and there are a number of ways in which they can be compromised. All too often, people use weak passwords that are easily identified or use the same password across multiple websites, so a single compromised password can potentially do great damage.
Shadow IT. Shadow IT refers to the practice of employees installing unauthorized software and applications to access work systems and data. Instead of using only the company’s proprietary enterprise grade programs, workers will often either install their own applications onto company computers or use these types of programs from personal devices. Unfortunately, and often unbeknownst to employees, these programs trade convenience for security.
How Do We Reduce or Eliminate Security Risks that Devices Pose?
We know security risks exist, and they are not likely to abate. So what do an HR team, an IT team, and a manager do to combat them? Here are some ideas:
Policies, Resources, and Training. Particularly in the BYOD era, it is crucial that employers have clear, easy-to-understand security policies. In addition to creating written guides, businesses should provide regular training focused on educating employees about security risks, the company policies on mitigating risk, and how to follow them. Employers should consider offering workers security software for personal devices and offer hands-on sessions to ensure they can use these programs when away from the office. These steps will help reduce the number of errors that can lead to hacking and data breaches. They can also limit the chances personal devices will be compromised when accessing company data when away from the office on less secure connections.
Multifactor Authentication (MFA). Sometimes called “two-factor authentication,” MFA adds one or more steps to authenticate a user beyond the password. For example, when a user accesses a program from a new Wi-Fi location, browser, or device, they enter their password and are then sent a code by text or email, which must also be entered before they can use the account. Enabling MFA wherever possible is one step toward increasing BYOD security.
Passwords, even when strong or changed frequently, can still provide a poor defense. In a May 2016 survey conducted by Arlington Research for OneLogin, up to 20 percent of employees admit to sharing their work email password. A smaller percentage even allow their partners or children to access work devices. Implementing MFA in conjunction with strong policies, resources, and training will help minimize the chances the wrong person can access company data.
Regular Password Changes. People universally hate change, especially when it involves passwords, but putting a policy in place that requires a password change every sixty or ninety days can go a long way toward protecting your employees, and your company, from a data breach. Resolve to deal with the grumbling, but institute a system of regular and required password changes.
Employee Inclusion. Rather than viewing Shadow IT as a problem to be shut down, see it as an opportunity to potentially find better approaches to work. Employees often install unauthorized programs because they find applications that are more convenient, efficient, or easier to use. Talk with them about what they’re using and why, and consider integrating some of those same solutions into your corporate IT offerings. But also, work with employees to ensure that their preferred solutions are secure so that data is protected and workers remain engaged and satisfied.
Take a similar approach when choosing programs and applications for your business and solicit feedback and involvement from your employees. Test potential options with internal users from different levels and across functions, if possible. Incorporate their feedback into the decision-making and purchasing process to help ensure buy-in and adoption of secure solutions while reducing the chances workers turn to unauthorized, insecure choices out of frustration.
Although security risks are proliferating, methods of protecting businesses are growing and evolving, too. No company has the luxury of ignoring the issue. Regardless of size or industry, cybersecurity is now a part of every workplace and it’s part of every employee’s job. How you communicate that, and the programs you implement to keep your company, your employees, and your sensitive data protected and secure, matter—a lot.
What about you? What data and security challenges have you wrestled with in your role within the organization given today’s employees’ desire to bring and use their own devices and programs? What have you implemented to address that? Has it worked? What advice do you have to offer to others dealing with this? We’d love to know more.