Your Company’s Biggest Information Security Risk? Your Employees.

Dennis Egen, President and Founder, Engine Room

Some of the biggest, most damaging security breaches in history occurred in 2015.

  • Health insurers Anthem and Premera were hacked resulting, in the largest theft of medical records ever. Data on nearly 100 million people was compromised.
  • The names of 37 million clients of Ashley Madison, the online dating destination for extramarital affairs, were leaked online.
  • The tax records of 330,000 Americans were stolen when outsiders infiltrated the IRS.

The cost of data breaches is up, too. According to a 2015 Ponemon Institute study, the average cost of a single corporate data breach was $3.79 million – up 23 percent from 2013.

Yet, even with these high profile security breaches and soaring costs, companies have not taken the most basic steps to secure their data from the biggest threat to information security – their employees.

It has been estimated that approximately 60 percent of corporate data compromises are caused by employees or insiders (e.g., freelancers, contractors). And the vast majority of these are unintentional.

How to address the threat
First, recognize that while most employee-caused data breaches are due to negligence or lack of proper data security education, the potential actions of disgruntled employees must also be considered. Rogue employees, especially members of the IT team with access to network, data center and administrative accounts can severely compromise a company’s important data. Corporate vigilance can curb this kind of activity. Notice telltale changes in employee behavior:

  • Is an employee’s performance dropping?
  • Is an employee acting differently with colleagues?
  • Is a normally prompt employee now habitually arriving late to work?
  • Being proactive, too, will provide greater information security. I recommend the following steps:
  • Perform an annual information security audit.
  • Identify all privileged accounts and credentials. Which users have access to what data?
  • Create attack models to identify exposure to insider threats and perform a damage assessment of these threats.
  • Closely monitor and manage privileged credentials to prevent exploitation.
  • Control flow of inbound delivery methods.
  • Filter on executable mail and web links.
  • Monitor and look for irregularities in outbound traffic.
  • Implement necessary protocols and infrastructure to track and record privileged account activity.

Hackers target employees
It’s true that more and more companies are improving their security procedures and implementing the latest security technologies. But, in response, hackers are attacking enterprises through their employees by targeting, for example, employees’ less-secure home systems to gain access to corporate networks.

Employee carelessness is certainly a primary contributor to network compromises, and such carelessness can be caused by workplace stress, multitasking and long hours. But, lack of education about information security is the main culprit. Most employees aren’t aware that their common work habits can put their company’s data at risk.

Of course, accidents can happen to anyone: leaving one’s laptop on the train; mistakenly sending a confidential email to the wrong person. But, other potentially damaging practices can be prevented.

According to one provider of identity protection and fraud detection solutions, about 60 percent of users who have access to a company network use the same login credentials as on other non-company sites such as Facebook and LinkedIn. Since many targeted breaches begin with a phishing effort to grab users’ social media passwords, many employees are inadvertently putting confidential company login information at risk.

Employees who want to finish some work at home may be putting sensitive files on a Cloud storage application such as Dropbox, which can lead to mixing and sharing of personal data and corporate data.

Other common contributors to employee-caused diminished information security include:

  • Using weak passwords (e.g., containing fewer than eight characters; not employing upper and lower case letters; containing personal information such as phone numbers; using word or number patterns such as 12345)
  • Not changing passwords frequently
  • Clicking on links from people they don’t know
  • Using generic USB drives that are not encrypted or safeguarded by other means

BYOD: A major culprit
Mobile devices give employees access to corporate data anywhere, anytime. BYOD (bring your own device) has become a major risk for companies’ data security. BYOD allows hackers to exploit employees’ poor security habits through fake free Wi-Fi networks, fake login pages for popular sites and phishing emails. And, a recent survey showed that most employees either have no security or use the default settings for their mobile devices.

Here’s how BYOD can impact a business:

Mobile phishing: Phishing can be used to attack mobile users as well as PCs. Hackers can engineer an email with a malicious attachment or link. The attacker can use the information gained from phishing to connect to the corporate network.

Being compromised by attacks on the corporate network: Many outsider attacks take advantage of the fact that current corporate network security solutions lack the visibility required to protect mobile devices once they leave the corporate network – and therefore focus on mobile devices traversing public and private networks.

One of the basic ways to keep mobile devices secure is to keep them updated to the latest operating system version with all the security protections. However, a more comprehensive approach is required. Here are some suggestions.

Create a written information security plan and share it with employees.

Make security a part of performance appraisals. Let employees know that IT security also means job security.

Educate employees about the need to change their work behavior in an age of increased BYOD. They should know about phishing, shoulder-surfing (i.e., an individual peering over the shoulder of an electronic device user to gain personal access information), password protection, physical hardware security and basic encryption.

Use software to manage mobile devices. This could be as simple as settings on the company exchange server or more advanced use of mobile device management software such as Good or AirWatch.

And, there are a few “don’ts

  • Don’t use public Wi-Fi when performing sensitive work.
  • Don’t click on any link in an email if you are not 100 percent sure who it’s from.
  • Don’t use work emails for social media logins.

Having programs in place that include a mixture of education, training, policy and technology is vital to preventing insider threats.

Dennis Egen is president and founder of Engine Room (, a Philadelphia-based technology and security firm that builds airtight technologies and helps clients mitigate risks by identifying information security vulnerabilities and addressing them before they can be exploited. Egen can be reached at