When it comes to cybersecurity, many businesses, particularly smaller businesses and those outside the tech sector, are underprepared. Those who do have coherent cybersecurity strategies, appropriate software, and company policies to help protect sensitive data, though, also frequently fall victim to data breaches. This isn’t because their strategies are inadequate on paper, but rather because they fail to take the human element into account. A business’ data is never more secure than its employees make it.

In order to effectively protect themselves, businesses need to ensure that their employees are a part of their security strategy, rather than its weak point. To do this, businesses need to explore how their employees might compromise their sensitive data, and how they can specifically minimise these risks. Typically, this means educating employees about data security directly, and providing them with the tools they need to do their jobs effectively without putting their own or their employer’s data at risk.

Educate employees about data security

In the popular imagination, data breaches are still things conducted by hackers sitting in front of a supercomputer in a basement somewhere. This image interferes with the ability of laypeople to recognise data security threats and to properly prepare for them. Before employees can become a part of your business’ cybersecurity strategy, they need to understand how data breaches happen, and what it actually takes to keep data secure.

Understanding how data breaches happen

A cybercriminal can use a wide variety of tools and approaches to access a business’ secure data. This is almost never done by attempting to crack a password through brute force. Instead, criminals normally work to find or create easier ways to break into secure systems. They do this by either using malware to compromise the system’s security, by stealing access information from someone, or by manipulating authorised people into revealing secure information through “social engineering”.

Keyloggers, ransomware, trojans, and other types of malware each compromise systems in different ways and are used for different purposes. Some steal data directly, others lock down a computer to prevent its use, and others allow the criminal to access and directly control the system. These are most often introduced to a computer through download links in spam emails, or via cookies that are downloaded when someone using the computer visits an infected website.

Data theft in the real world

While the word “cybercrime” sounds like something that occurs exclusively online, it’s just as much a danger in the real world as in cyberspace. For example, a criminal can attempt to glean data by hacking into poorly secured personal laptops that an employee might be using at a coffee shop. In person, cybercriminals sometimes physically steal employee devices and papers. Sometimes, though, a hacker can get the passwords they need by simply asking. In a process called “social engineering”, the criminal simply impersonates an authorised person who has forgotten their access information and manipulates someone else into providing the information they need.

Help employees manage cybersecurity challenges

Modern cybercrime strategies capitalise on our natural impulses to understand the emails we receive, to help out a coworker in a pinch, and to minimise the hassle involved in our own work. With regard to the last of these, employees often physically write down their sensitive passwords, which are often complex and difficult to remember, in order not to forget them. This is clearly a problem, since a password that’s written on a note next to the computer or in a laptop bag is hardly secure from a thief. To protect their data, businesses need to take these issues into account, and find ways to protect themselves.

Manage password security

Employees are often required to keep track of a relatively large number of passwords, particularly those who have access to a lot of sensitive data. A good way to prevent the theft of a single password from compromising a system is to use two-factor authentication. Here, employees need to use both their password and a periodically generated random authenticator code that they receive on a separate device to log in.

Create company policies to protect data

Businesses typically try to deal with employee vulnerabilities by creating policies that effectively mandate that they shouldn’t exist. This doesn’t work, of course, because workers are regular people who sometimes forget their passwords, or who click on dodgy emails. Instead, businesses need to create specific policies for how to handle a request for access to data, specifically how to document that request, and how to verify the identity of the person asking. Additionally, businesses need to ensure that clear protocols exist for referring email recipients to web addresses, so that non-conforming spam links are clearly identifiable. In this way, businesses can both protect themselves from a wide variety of cyberattacks and improve their ability to recognise and document when an attack is occurring.