When an employee doesn’t care about cyber security
It doesn’t matter how thorough a business’s protective measures are: employees remain one of the biggest risks to an organisation’s digital security.
In some cases, it is not that employees don’t care about digital security, but that they don’t fully understand it.
An experiment in London’s financial district proved just how much of a risk employees can be to their organisations. Employees of an IT skills company handed CDs to commuters, telling them the disk contained a special Valentine’s Day promotion. In reality, the CDs contained code which notified the IT company how many of the recipients tried to open the CD. Despite clear warnings on the packaging about the dangers of installing third-party software and acting in breach of company acceptable-use policies, several city workers proceeded to run the disk. A major retail bank and two global insurers were among the organisations whose employees fell for the stunt.
Training, education, and awareness campaigns play an important role in the prevention of cyber breaches. But what do you do with an employee who chooses not to cooperate with a company’s security policies and protocols?
A persistent breacher
No matter how many times staff are reminded to verify emails and warned not to click links or open attachments, there is one employee who continues to click everything.
The WanaCrypt0r 2.0 malware that affected NHS trusts up and down the country, as well as organisations around the globe, spread via email in PDF or Word attachments. Once opened, the malware spread laterally throughout the NHS’s internal network, which is how several trusts quickly became affected. The effects were chaotic: hospitals advised the public not to attend affected A&E departments, emergency diagnostic scans could not be performed, and chemotherapy treatments were cancelled.
With risks ranging from interruption of service and loss of data to regulatory fines, the solution might be that an individual cannot stay with the organisation if they refuse to follow company policies. However, what if the individual is the biggest provider of income for the business? If they left and joined a competitor, would they take their clients with them?
We recently encountered a similar situation with one of our clients. The employer decided it would be detrimental to the company to let the offending employee go, so we were asked to develop a solution to reduce the damage the individual could cause. This involved cleaning the individual’s computer, creating a copy to use on backup devices, and isolating the individual’s computer from the company’s main system.
When the employee clicks on a malicious link and damages his computer, the company’s IT department swaps it for a clean backup and wipes the damaged machine.
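The swap-for-a-clean-copy approach above depends on knowing when the live machine has drifted from the clean image. The following is an added example, not the consultancy’s own tooling or anything from the engagement described: it builds a SHA-256 manifest of a golden image, compares a live copy against it, and flags the machine for re-imaging when anything outside the user’s own data area has changed. The directory layout, file names, contents and the `userdata/` exemption are all constructed assumptions for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical: every path, file name and content below is constructed for
# this example; none of it comes from the client's machine or the page.


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift between the golden-image manifest and the live machine."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def needs_reimage(drift: dict, allowed_prefixes=("userdata/",)) -> bool:
    """Re-image when any drift falls outside the user's own data area.

    The allowed prefix is an assumption: the user's documents are expected to
    change, but nothing under the application or system tree should.
    """
    for kind in ("modified", "missing", "added"):
        for path in drift[kind]:
            if not path.startswith(allowed_prefixes):
                return True
    return False


def demo() -> dict:
    """Build a constructed golden image and a drifted live copy, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        live = Path(tmp) / "live"
        for root in (golden, live):
            (root / "app").mkdir(parents=True)
            (root / "userdata").mkdir(parents=True)
            (root / "app" / "mailclient.cfg").write_text("verify_sender=true\n")
            (root / "userdata" / "notes.txt").write_text("meeting at 10\n")
        baseline = build_manifest(golden)

        # Constructed drift: the user edited their own notes (acceptable) and
        # an unexpected executable appeared under app/ (not acceptable).
        (live / "userdata" / "notes.txt").write_text("meeting at 11\n")
        (live / "app" / "update.exe").write_bytes(b"MZ constructed sample")

        drift = compare_to_baseline(baseline, build_manifest(live))
        drift["reimage"] = needs_reimage(drift)
        return drift


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline manifest would be generated once from the clean image and stored off the isolated machine, so that a compromise of the live host cannot also rewrite the record it is checked against.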
Of course, the ideal solution would be for the employee to adhere to the company’s digital security policies. If the employee holds any sensitive information on his computer and is the victim of a cybercrime, he may still cause a personal data breach. However, sometimes we need to find the most appropriate compromise between security and clients’ wishes. This example demonstrates one of the many challenges organisations face when seeking to protect themselves from cyber threats.