Employees are like any other form of business capital, representing both risk and reward. In terms of cybersecurity (and ultimately, potential employer liability), employees often carry more risk than reward. Whether due to carelessness, ignorance, or fear, employees may fall victim to security incidents in the workplace and then hide them. As targets of social engineering and phishing attempts, employees are often untrained to spot, respond to, and mitigate potential security incidents before they turn into data breaches. This gap in employee training will likely become the next wave of mass tort lawsuits rooted in negligent supervision and vicarious liability.
To protect themselves, businesses have a responsibility to institute preventative measures, examples of which are below:
1. Prepare and Disseminate Communication Protocols: Ensure employees know exactly who to alert in the event he/she notices something amiss with a computer or receives a suspicious email. It may be as easy as taping a laminated card to the telephone handset.
2. Prepare and Disseminate a Data Breach Response and Business Continuity Plan: Be sure that employees know basic response information, such as how to disconnect from the internet while leaving the computer turned on. To further prevent panic, especially among hourly employees concerned about their ability to keep working, ensure employees know that there is a business continuity plan based on previously encrypted or off-network stored data.
3. Create Incentives for Reporting Issues: Hiding an incident will undoubtedly increase the resulting damage. If an employee hides an incident, there is likely a reason why he/she did not disclose the issue initially, such as having visited a prohibited website. While the importance of enforcing cyber hygiene practices should not be underestimated, incentive programs for reporting suspicious activity may encourage employees to be both more vigilant and less afraid to report instances of poor judgment before network integrity is compromised.
4. Software for BYOD Policies: “Bring your own device” policies are risky, as individuals tend to lose their devices, or have them stolen, outside of the work environment, creating unnecessary data risks. However, in the modern market, 24/7 network access is almost standard. Therefore, consider implementing software that allows the business to access and wipe a lost or stolen remote device that carries business data.
5. Conduct Training: Hire a professional to conduct semi-annual training on cybersecurity risks. Seminars can be tailored to individual business needs, teaching employees basic security skills and the legal implications of malfeasance. Aside from possibly preventing or mitigating a breach, such training can help lower insurance premiums or assist in the defense of a lawsuit.
To receive additional information about employee training and educational seminars, please email sarah@alexandersides.com.