It used to be that a place of business was its own independent silo with respect to employees interacting with colleagues and clients.
Employees went about their business in their offices and cubicles speaking privately about work amongst themselves and those with whom they were doing business.
Fast forward to the current digital era where the lines between those four walls and the outside world are now blurred — a large part due to the prevalence and on-demand access provided by mobile devices.
Personally identifiable info is everywhere
Research has shown that the number of total connected devices will be more than 24 billion in 2020, and within that, mobile connected devices will rise to 12 billion in 2020. The ubiquity of device usage also means that at the end of the day, our personally identifiable information is everywhere. Today’s workplaces encourage the use of technology to succeed and maintain goals effectively.
This means that businesses and employees are at risk more than ever before — vulnerable to identity theft that puts themselves, their employers and the company at risk of a data breach.
We’ve all heard about widespread data breaches including those hitting Target, Anthem Blue Cross Blue Shield, and eBay — and there are many you don’t hear about among smaller businesses across the country. It may surprise you to know that data breaches increased by 40 percent in 2016 with an average total data breach cost of $7 million, according to IBM.
Many companies are very focused on corporate IT security but are susceptible to hackers, especially through email vulnerabilities. Ninety-five percent of data breach attacks on enterprise networks start with spear phishing, a targeted email engineered to look legitimate and fool even tech-savvy users; the email installs malware and tries to gain system access.
According to an Association for Corporate Counsel survey, “employee error” turns out to be the most common reason for a data breach. An example of the kind of employee error mentioned in the survey, and also discussed above in relation to spear phishing, — “accidently sending an email with sensitive information to someone outside the company.”
This really is something just about all of us have heard about or experienced directly. It can occur as the result of a phishing scam. This type of fraud happens when a cybercriminal disguises an email to make it appear as if it is from the organization’s executive — often from HR or accounting asking for sensitive information such as a social security number or even a W-2 form.
Other leading causes behind a data breach include disgruntled employees, relaxed BYOD (bring your own device) policies, and actual physical loss of a device.
Let’s face it, no matter how diligent an HR team is, you just can’t predict how employees behave. Employees can certainly be careless about sharing passwords, and in some cases, can even be persuaded to sell sensitive company passwords. And, losing a device is as easy as leaving a laptop in an Uber or leaving a cell phone in a restaurant.
No matter how it happens, it’s a daunting challenge to keep your employees protected, when threats come from all directions
Mobile devices and unstructured BYOD policies also lead to security risks and exposure. Not only does the average large enterprise have more than 2,000 unsafe mobile apps installed on mobile devices, employees can often access and then store customer data and confidential client information on their mobile phones.
When email, or other sensitive data, is retrieved over cellular networks and opened on a mobile device, your organization loses visibility into data access.
Having HR partner with your organization’s IT team to ensure everyone at every level is being vigilant will help to address security vulnerabilities.
Proactive steps can go a long way
If a company can go a step above and hold regular monthly or quarterly company meetings on how to be safe in the new digital workplace, and even engage employees in testing scenarios like a fake phishing scam, it makes a difference. These proactive steps can go a long way to inform employees and keep personal and corporate data safe.
At minimum, HR teams and executives should have a proactive plan in place which includes:
Refresh your employee policies: Clearly state usage best practices around email, internet, social media, and mobile devices/BYOD.
Train your employees on security measures: Don’t assume new, or even seasoned employees, know security best practices -- technology and scams change fast. Train all employees and managers on how to protect confidential information and why it matters.
Establish a telecommuting policy: With companies increasingly adopting telecommuting policies, it’s critical to convey to employees that when they work outside of the office, sensitive company information is no longer in the control of the four walls of the office. Outline acceptable use of both company-issued and removable media devices, and confidentiality requirements around company documents and information.
Know how to identify risky employee behavior: If an employee’s behavior is in question, investigate it. It could signal a threat to the security of sensitive corporate information.
Maximize exit interviews: Ensuring you have a proper exit interview procedure in place is critical in terms of making it part of a strategic HR effort to protect confidential information. Ask the employee for all work-related passwords for any computers, devices, accounts, and files he or she has had access to; work with your IT team as necessary to change the passwords. Conduct a return of property review; have the employee disclose all company information or devices in his or her control. Collect all keys, access cards, badges, company credit cards, and other property.
In today’s digitized world, the chances of identity theft affecting your business are high. Employee education and training decreas the odds, as does having in place effective HR policies that are regularly reviewed and updated.
Steven Bearak is the CEO of Framingham, Massachusetts-based IdentityForce, a company commercialized from nearly four decades of in-depth experience around personal identity and security services and products.
Originally published on BenefitsPro. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.