Your staff are still your biggest security risk

By: John McGarvey

Date: 17 February 2014

If you’re focusing all your IT security efforts on things like anti-virus and firewalls, are you missing the biggest risk of the lot?

A recent survey from security firm SecureData found careless employees are the biggest concern of IT professionals, pushing obvious dangers like data theft and malware down the list.

And if you’re running your own business, it’s worth listening to the opinions of IT professionals. They know technology, and they can see where the biggest risks lie.

So, what can you do?

Threats are more targeted

Your staff pose a bigger threat these days because the nature of security threats has changed over the last few years. Many organisations — both large and small — have struggled to keep up.

While back in 2008 or 2009 we were all worried about viruses, spyware and Trojans, these days it’s more targeted threats like spear phishing that are most likely to have IT managers worried.

These attacks are on the rise because they’re effective. Even the most tech-savvy of your staff can be tempted into clicking a link or opening an attachment in an email when they shouldn’t. And often, the biggest data breaches can be traced back to a single, unfortunate click.

Combatting these new threats

It’s important to make your staff aware of how phishing scams operate. You can also give them pointers so they know how to spot potential security breaches.

However, you can’t expect your employees to be infallible. People make mistakes, which means it’s vital you have some additional checks and precautions in place.

A good starting point is to make sure you allow access to data on a ‘need to know’ basis. Resources like your customer database, your accounting system and any shared folders often contain lots of sensitive data.

Rather than allowing everyone to have access to all these resources, the default setting should be that people don’t have access. If an employee needs it — and there’s a good case for it — then you can open up access on an individual basis.

This reduces risk because each resource sits behind its own access decision. If a hacker manages to guess or steal an employee’s password, the stolen account only reaches what that employee was explicitly granted, not the whole business.

It might cause a little inconvenience when someone needs to request access to a particular resource. But it’s better than giving hackers a free run of the place.
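The ‘need to know’ approach above can be written down as a simple register: no one can reach a resource unless a grant naming them exists, every grant records the reason it was given, and temporary grants expire. The Python below is an added example, not code from the original article or its author; the people, resources and dates are constructed for illustration. It shows what a stolen password for each person would reach (the blast radius) and who can currently reach a sensitive resource, which is the list you review when deciding whether each grant still has a good case.

```python
"""Default-deny access register: nobody reaches a resource without a named,
justified grant. Added example, not code from the original article.
All names, resources and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Constructed reference dates used by the sample data below.
EXAMPLE_TODAY = date(2014, 2, 17)   # the article's publication date
AUDIT_DAY = date(2014, 1, 15)       # a day inside the temporary audit window


@dataclass
class Grant:
    person: str
    resource: str
    reason: str                 # the recorded "good case" for the access
    granted_on: date
    expires_on: Optional[date]  # None = open-ended; review these regularly


class AccessRegister:
    """Default is no access; each grant names one person and one resource."""

    def __init__(self, resources: List[str]) -> None:
        self.resources: Set[str] = set(resources)
        self.grants: List[Grant] = []

    def grant(self, person: str, resource: str, reason: str,
              granted_on: date, expires_on: Optional[date] = None) -> None:
        if resource not in self.resources:
            raise ValueError(f"unknown resource: {resource}")
        if not reason.strip():
            raise ValueError("every grant needs a recorded justification")
        if expires_on is not None and expires_on < granted_on:
            raise ValueError("expiry precedes grant date")
        self.grants.append(Grant(person, resource, reason, granted_on, expires_on))

    def can_access(self, person: str, resource: str, today: date) -> bool:
        """True only if an unexpired grant names this person for this resource."""
        for g in self.grants:
            if g.person == person and g.resource == resource:
                if g.expires_on is None or today <= g.expires_on:
                    return True
        return False  # default deny: no matching grant, no access

    def reachable_by(self, person: str, today: date) -> List[str]:
        """Blast radius: what a stolen password for this person would reach."""
        return sorted(r for r in self.resources if self.can_access(person, r, today))

    def who_can_reach(self, resource: str, today: date) -> List[str]:
        """Review view: everyone currently able to reach a sensitive resource."""
        people = {g.person for g in self.grants if g.resource == resource}
        return sorted(p for p in people if self.can_access(p, resource, today))


def build_example_register() -> AccessRegister:
    """Constructed sample data for a small business (hypothetical names)."""
    reg = AccessRegister(["customer_database", "accounting_system", "shared_hr_folder"])
    reg.grant("dana", "customer_database", "sales: handles customer accounts",
              date(2014, 1, 6))
    reg.grant("alex", "accounting_system", "bookkeeper: runs the monthly accounts",
              date(2014, 1, 6))
    # Temporary access for a year-end audit, already expired by mid February.
    reg.grant("sam", "accounting_system", "year-end audit support",
              date(2014, 1, 6), expires_on=date(2014, 1, 31))
    return reg


def grant_without_reason_is_rejected() -> bool:
    """A grant with no recorded justification must not be accepted."""
    reg = AccessRegister(["customer_database"])
    try:
        reg.grant("eve", "customer_database", "   ", date(2014, 2, 17))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    reg = build_example_register()
    for person in ("dana", "alex", "sam", "eve"):
        print(f"{person}: {reg.reachable_by(person, EXAMPLE_TODAY)}")
    print("accounting_system:", reg.who_can_reach("accounting_system", EXAMPLE_TODAY))
```

Running it shows the point of the default-deny rule: a guessed password for ‘dana’ reaches only the customer database, ‘eve’ (never granted anything) reaches nothing, and ‘sam’ lost accounting access when the audit window closed without anyone having to remember to revoke it.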
