Despite the optimism that greeted the beginning of 2021, last year turned out to be another challenging one, especially for cybersecurity. A Forbes article published on Oct. 24, 2021, quoted Eva Velasquez, president and CEO of the Identity Theft Resource Center, as saying data breaches from all causes were on pace to tie or break the previous record for a single year. Additionally, more high-value data appeared to have been compromised.
Clearly, the growth of online traffic driven by the ongoing COVID-19 pandemic was accompanied by a rising threat of cyberattacks. This trend appears likely to continue as even more content and services move online throughout 2022.
The lesson for employers and employees is that taking actions to protect sensitive information from leaks and theft has become more important than ever. The following industry secrets for good cyber hygiene were compiled from daily practices and long-term strategies implemented by colleagues at my firm over several years. Each addresses potential threats, and adopting these best practices at your own organization will help eliminate the risky habits of employees that contribute to causing the loss of sensitive and confidential information.
Keep Desks Clean
It is imperative for managers and supervisors to remind team members about the importance of keeping confidential documents and personally identifiable information out of view. While messy desks are common in most workplaces—and particularly in home offices—they should be discouraged. There is always a risk someone walking by could spot or even photograph information that should be kept private.
A written clean desk policy is simple to create. Enforcing it produces the added benefit of reducing clutter in the workplace.
Requiring training that emphasizes the importance of locking away confidential documents when they are not being used, logging out when leaving a computer unattended, keeping track of USB drives and using different passwords for professional and personal purposes is also essential. Be aware that it can help for an employer to supply remote workers with lockable storage.
Maintain Data Integrity While in the Office and When Working Remotely
No matter where they work, employees must follow standard procedures for securing confidential information that is contained in physical documents, stored on portable drives and accessible in online databases. Reinforce policies against removing certain documents from secure areas and against letting printouts out of one’s sight. Ensure computer drives and databases are encrypted, protected by passwords or biometrics, and accessible only by authorized individuals. Never allow remote workers to log in while using unsecured public wi-fi connections.
Reminders and training may be more necessary for remote and hybrid employees. Schedule flexibility is desirable, but it creates cyber risks. Data from Tenable summarized in a Sept. 27, 2021, CEPro article indicate “over half of remote workers use a personal device to access work data, and 71 percent of security leaders lack sufficient visibility into remote employee home networks, leading to a large portion of cyberattacks (67 percent) targeting remote employees.”
Stop Forwarding Confidential Files to Personal Email Accounts
Making important work documents more readily available by sending them to oneself is tempting. But a personal email account will undoubtedly be less secure than an email account maintained by an employer. Likewise, storing sensitive data in a cloud account tied to a personal email address leaves the data more vulnerable to inadvertent disclosures or theft.
Only networks, servers and cloud accounts that are set up and maintained by the employer will comply with the employer’s security policies. As an added concern, moving documents and data to personal devices can itself be considered theft. This makes it a good idea for everyone to occasionally check the details of their employer’s policies for handling data to ensure they are in compliance.
Report Data Leaks as Soon as They Are Detected
Data breaches often go undetected for six months or longer. This makes quickly and honestly reporting suspected or known problems essential for ensuring no further damage can be done and proper responses can be implemented. The responsibility to report data breaches holds even when a leak was accidental or the event was not the fault of the person who detects the problem.
Allowing a cyberattack or disclosure of confidential information to go unreported generally means the situation will grow worse and authorities may be forced to get involved. Large monetary fines and a loss of reputation, which is priceless, can follow.
For instance, Google was fined $57 million by French regulators in 2019 after failing to adequately safeguard Android phone users’ personally identifying information. On the government side, the U.S. Office of Personnel Management is still dealing with fallout from a theft of federal employee records during 2014-15 that netted the perpetrators millions of Social Security numbers, fingerprints and other personal details the agency had sworn to keep private.
In light of incidents like these, it is of critical importance for employers to create official procedures for reporting cyberattacks and data leaks. All efforts must be taken to confirm employees thoroughly understand how to follow the reporting procedures.
Investing in better security software and improved cloud technology will help protect data, but those efforts fall far short of what is necessary. A widely cited estimate attributes nearly 90 percent of data breaches to human error. That makes developing and enforcing strong policies while continuously training employees in how to be cyber literate and secure imperative for all employers.
01 March 2022
Category
HR News Article