Companies invest heavily in technology to protect themselves from cyberthreats: firewalls, antivirus software, and other tools to keep out intruders. Not all threats are external, however. Whether deliberately through malicious actions, or accidentally through online naïveté, company employees present the biggest threat to corporate information security.
Deliberate Misuse of Resources
Employees can misuse company computer resources in several ways that expose a company to risk. Using the Internet for personal matters, such as online shopping or visiting social media sites, can overload a company's network. The company may then pay to upgrade a network that its business needs alone wouldn't justify, spending money that would be more useful elsewhere.
When employees bring adult content into the office, they can create a potentially hostile work environment that can lead to sexual harassment lawsuits. Employees who use corporate resources to download illegal copies of software, movies, or music also expose the company to lawsuits. The sites that distribute such copies are frequently infested with malware as well, so files brought from them onto company computers risk introducing viruses and other dangerous software into the corporate environment.
Employees also misuse resources by removing them from the company. If files aren't appropriately protected, an employee can walk confidential information out the door by emailing it to a personal account or copying it to a USB drive. Employees may also be able to exploit bugs in an application, such as a missing authorization check, to escalate their privileges and view data they were never meant to see.
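The privilege-escalation case above is worth seeing concretely. The following is an added example, not code from the original article: a minimal document lookup in which the vulnerable version trusts whatever record id the caller supplies, so any employee who walks through ids reads every department's files, beside a hardened version that checks the requesting user's entitlement against the record's owner before returning anything. The users, documents and function names are constructed for illustration.

```python
"""Added example: an insecure direct object reference beside its fix.
All data, users and function names here are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    department: str
    is_admin: bool = False


# Constructed sample data: each document is tagged with its owning department.
DOCUMENTS = {
    1: {"department": "engineering", "body": "release plan"},
    2: {"department": "finance", "body": "Q3 payroll"},
    3: {"department": "hr", "body": "termination list"},
}


class AccessDenied(Exception):
    pass


def get_document_vulnerable(user: User, doc_id: int) -> str:
    """Trusts the caller-supplied id completely. Any employee who can guess
    or enumerate ids reads every department's records; the `user` argument
    is never consulted."""
    return DOCUMENTS[doc_id]["body"]


def get_document_hardened(user: User, doc_id: int) -> str:
    """Looks the record up, then checks the *requesting* user's entitlement
    against the record's owner before returning anything."""
    record = DOCUMENTS.get(doc_id)
    if record is None:
        # Same error for "missing" and "forbidden", so the caller cannot tell
        # which ids exist by comparing error messages.
        raise AccessDenied(f"document {doc_id} not available to {user.name}")
    if not (user.is_admin or user.department == record["department"]):
        raise AccessDenied(f"document {doc_id} not available to {user.name}")
    return record["body"]


def probe(fetch, user: User) -> list[int]:
    """Return the ids a user can read by simply walking ids 1..4, the way a
    curious insider would. Works against either lookup function."""
    readable = []
    for doc_id in range(1, 5):
        try:
            fetch(user, doc_id)
            readable.append(doc_id)
        except (AccessDenied, KeyError):
            pass
    return readable


if __name__ == "__main__":
    engineer = User("alice", "engineering")
    print("vulnerable:", probe(get_document_vulnerable, engineer))  # [1, 2, 3]
    print("hardened:  ", probe(get_document_hardened, engineer))    # [1]
```

The check belongs on the server side of every request, not only in the user interface: an employee who is shown a single link can still change the id in it, so hiding links is not access control.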
Accidental Exposure of Company Data
Phishing and social engineering remain extremely effective ways for attackers to gain access: it is surprisingly easy to trick people into sharing confidential data such as passwords or company bank account details. Employees can also expose company data accidentally by losing a company laptop or by accessing the company network from an insecure hotspot. The growing popularity of BYOD (bring your own device) means company data is accessed from devices the company doesn't control; if those devices aren't appropriately protected, confidential company information is at risk.
Use Technology and Training to Increase Security
Companies that want to protect themselves from these risks need to take a comprehensive approach to information security. They need to use the right technological tools; firewalls and antivirus software remain important. They need to have – and enforce – policies that govern the appropriate use of company resources; these policies should also govern the handling of company information on non-company, BYOD devices.
But the most important step companies can take is to train their employees to recognize online risks and to defend against them. Educated employees help defend against these dangers because they understand that the stakes are personal as well as corporate: an information security failure serious enough to damage the company is a threat to their own job security too.