Why your biggest security risk could be people, not technology

  • You can improve security compliance by clearly articulating the rules and consequences of violating your company's security policies.

  • Training all employees on security measures is a wise investment in safeguarding your organization.

When securing IT networks, the tendency is to strictly address the problem from a technology perspective. But while security tools are essential to preventing breaches, companies must not overlook the human factor. Look up any study on the causes of security breaches, and you’ll notice a common thread: Internal risks are often behind security incidents and are typically a result of negligence, malice, or simple curiosity.

To address this weakness, companies first must invest in a layered security approach, including endpoint protection, intrusion detection, patch management, device configuration, access controls, forensics, and remediation. With all that in place, companies must then address human behavior through well-defined policies, user training, and enforcement.

1. Set Clear Rules

Every enterprise must clearly define who gets access to which systems and in what context. Users should have privileges only for the resources they need to do their work. Mission-critical systems should never be accessible to people who don’t need them. Strong authentication methods should be in place to prevent misuse or inadvertent access.

It is also wise to block unwanted websites, applications, and devices from the network. This won’t prevent users from accidentally clicking an infected URL or website once in a while, so your security policy must cover suspicious emails and what steps to take – alerting IT, at a minimum – after opening an infected document or website.

2. Invest in Education

In an April 2015 study, CompTIA revealed that only 54 percent of companies offer cybersecurity training. Training is an expense too many companies regard as a low priority, but that’s a mistake. One click of a compromised website or document is enough for a malicious payload to wreak havoc on your network, potentially causing millions of dollars in losses.

Employees need training on all company security measures and practices. They should be given a security guide, in digital or paper format, and required to sign a document stating that they have read and understand the rules and their responsibilities.

Be sure to cover unsafe practices, such as sharing passwords, clicking email links from unfamiliar senders, carrying unencrypted sensitive information on mobile devices, failing to log out of websites, and leaving computers unattended in the office.

3. Don’t Forget Enforcement

All your security measures are for naught without enforcement. Employees need to be aware of the consequences of failure to follow security rules. No company should approach IT security rules and enforcement casually. If you do, you’re inviting trouble, so it’s best to be very clear with employees on the disciplinary sanctions that apply for violating security policies.


Pedro Pereira is an independent business writer and the author of this blog. All of the opinions are his own. AT&T has sponsored this blog post.
