Companies are surrounded by cybersecurity threats, but many are not making it a priority to educate employees about them, a survey says.
Nearly half (46%) of entry-level employees don't know whether their company has a cybersecurity policy, according to research firm Clutch.
The survey demonstrated a lack of awareness that can put companies at risk for IT security breaches. Nearly two-thirds of employees (63%) said they don't know whether the quantity of IT security threats their companies face will increase or decrease over the next year. Additionally, among entry-level employees, 87% said they don't know how the number of threats will shift in the next year.
The survey also found that employees are less likely to recognize IT services as the primary area of security vulnerability at their company. Instead, they cited theft of company property as the primary threat to company security, ahead of unauthorized information and email phishing scams.
The findings are a bit ironic, because “most cyberbreaches are caused by employees, inadvertently,” Robert Anderson, co-chair of the cybersecurity and data privacy group at Lindabury, McCormick, Estabrook & Cooper, P.C., told FierceCEO.
“There is a tendency for businesses to not put the emphasis on employees, but they are the greatest vulnerability,” Anderson said. Companies “have focused on the technology department instead,” Anderson said. “There has been a tendency to do this.”
But “if someone is an authorized user, like an employee, they can get in that way,” Anderson said.
IT security shouldn’t start and stop at the computer, said Penny Garbus, co-owner of Soaring Eagle Database Consulting. “Consider who should have access during operating hours and after hours. Who should have the code/keys. Don’t share your key/code, don’t copy your key/code, don’t leave your code written on your desk. Update the Employee Manual to include these security measures.”
Then, “move to the offices; especially those where key data can be seen or stored,” Garbus said. “Consider the data on the screen. If it can be viewed by a bystander, cover the screen with data protective screens, and put virus protective software on it. If the data ever has personal information on it, encrypt the computer and train the receptionist to lock that computer whenever they step away from the desk.”
Next up is cybersecurity training, Garbus said. “Create visual, written, and reminder guides if needed for each job description. Set up mandatory meetings to review the requirements. Explain why the requirements are necessary. Tell employees how often, or if you may be doing surprise spot checks. Explain that failing to meet the security standards in your company may result in job loss, and possible legal ramifications if there is an intentional breach, and set reminders to periodically review the protocols.”