When it comes to the main causes of data breaches, employee error and weak password hygiene are huge. So are the consequences. Here's how to increase data security.

Data Security and Poor Password Hygiene: It’s Time to Clean Up Your Act.

May 5, 2017 3:00:00 AM

We all know that keeping data secure is important. To be careless is to put all of your sensitive company and personal information up for grabs, making your business vulnerable to data breaches and putting you and your employees at risk for identity theft. And yet when it comes to data security, far too many of us are guilty of throwing caution to the wind.

How guilty, you ask? Shockingly.

You probably heard about the US Secret Service agent whose laptop was stolen out of her car.

But did you hear about the data breach at Boeing, where personal information for 36 THOUSAND employees (including name, date of birth, employee number, and Social Security number) was leaked unintentionally by an employee who emailed the spreadsheet to his spouse at home for help with formatting? True story.

And then there’s the Snapchat breach, where a phishing email appearing to be sent from the CEO asked a staff member for payroll information for over 700 employees, and got it. Initially, no one realized it wasn’t a legitimate email, and the requested information was provided. How’s that for frightening?

According to a study by the ACC Foundation, the number one cause of company data breaches isn’t a misfit team of hoodie-wearing hackers. It’s a little thing called employee error.

Employee error can include things such as:

  • Weak passwords
  • Unintentional leaks
  • Falling for phishing scams
  • Lost or stolen laptops, tablets, or cell phones
  • Improper storing or disposal of confidential paperwork

That’s a lot of error, a lot of compromised information, and a whole lot of risk.

Human error, weak passwords, and lax security practices can have huge financial consequences for businesses. And while the actual cost associated with data breaches varies by industry and the number of stolen or compromised records, one thing remains clear: data breaches are expensive.

An IBM study of 383 companies in 12 countries found that the average cost of a data breach is – brace yourself – 4 million dollars.

Meanwhile, post-breach damage control results in additional time and resources added to the loss column. And recovering from negative press and the loss of consumer trust can be a serious uphill battle.

Let’s talk about passwords

Ever created a weak password with the intent of going back and changing it later? What about using the same password for all of your accounts? Or sharing passwords with family, friends, or coworkers?

Think you’re being clever by using the word "password" as your actual password? So does everybody else.

According to a recent study by Keeper, “password” is pretty much the most popular password out there, second only to 111111 and various other predictable number and letter keyboard patterns such as 123456 or qwerty.

It’s understandable. People are becoming increasingly frustrated by the ridiculous number of passwords and PIN codes necessary just to navigate everyday life. But poor password hygiene is risky. In fact, according to the 2016 Data Breach Investigations Report* by Verizon, 63% of all confirmed data breaches leveraged a weak, default, or stolen password.
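As an added illustration (not code from the post or from Q4intelligence), here is a small password hygiene check that flags the specific weaknesses the post describes: dictionary passwords such as "password", single repeated characters such as 111111, and keyboard walks such as 123456 or qwerty. The 12-character minimum, the tiny blocklist and the substitution-undoing rule are this example's own assumptions.

```python
import re

# Constructed blocklist: just the examples the post quotes from the Keeper study.
# A real deployment would load a much larger breached-password list.
COMMON_PASSWORDS = {"password", "111111", "123456", "qwerty"}

# Keyboard rows, used to detect sequential "walks" such as qwerty or 123456.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Assumed policy value; the post does not specify a minimum length.
MIN_LENGTH = 12


def _is_keyboard_walk(p, min_run=4):
    """True if p contains min_run or more adjacent keys from one row, in either direction."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in p:
                    return True
    return False


def check_password(password):
    """Return a list of hygiene problems; an empty list means the password passes these checks."""
    p = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if p in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(set(p)) == 1:
        problems.append("single repeated character (e.g. 111111)")
    if _is_keyboard_walk(p):
        problems.append("contains a keyboard pattern (e.g. qwerty, 123456)")
    # Undo the usual disguises (P@ssw0rd1): map common substitutions back to
    # letters and strip a trailing run of digits or symbols, then re-check.
    base = re.sub(r"[^a-z]+$", "", p.translate(str.maketrans("@$0", "aso")))
    if base != p and base in COMMON_PASSWORDS:
        problems.append("common password with substitutions or a suffix (e.g. P@ssw0rd1)")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "111111", "P@ssw0rd1", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "ok")
```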

And speaking of stolen…

Let’s talk about our devices. Laptops, tablets, cell phones. Pretty much everyone uses them for work. But how secure are they? And how often do they disappear?

And a report from TrendMicro found that nearly 14% of all data breach events from 2005 – 2015 were caused by lost or stolen devices. Think it won’t happen to you? Think again. It’s been estimated that a laptop is stolen about every 53 seconds. And not always from the backseat of your car.

A recent survey by Kensington found that 23% of IT theft happened IN THE OFFICE. What??? That’s just a hair behind device thefts from vehicles (25%) and way ahead of theft in airports (15%) and restaurants (12%).

But it’s not all about electronics. Confidential data can also be stolen right from your desk, file cabinet or the recycle bin. In one semi-creepy study, Ponemon sent computer experts disguised as temporary employees into a variety of businesses to see what kind of sensitive information was literally just lying around, and how much of it they could easily steal. The results were startling.

Nearly 9 out of 10 fake employees were able to gain access to an average of 5 pieces of confidential information with simple tactics such as snapping photos of computer screens, swiping information from unattended desks, and rifling through printer bins. In 70% of cases, no one even bothered to ask what these individuals were up to.

Holy Crap! How can I increase data security?

Every company is different, but here are a bunch of expert/industry suggestions definitely worth considering:

All-staff training

Your IT department may be knowledgeable about these issues, but do your employees know the risks associated with lax data security practices? If you don’t tell them, you can’t be surprised when they don’t know.

  • Create a culture of security.
  • Teach your staff how to create good passwords, spot suspicious emails, and secure both electronic and hard-copy data.
  • Train from the top down, and do it often.

Technology changes quickly, so this isn’t a one-and-done adventure. Commit to keeping everyone up to date.

Written policies

Telling the team isn’t enough. Take the time to properly document and enforce your security policies.

  • How is data to be handled, stored, and disposed of?
  • Where is information kept and who has access to what pieces?
  • Be clear about permissions, and err on the side of caution. (No need to give that new intern access to your entire drive!)

Consider implementing an on-site visitor policy, so you know who is coming and going, and a clean-desk policy to help keep sensitive data out of plain sight.

Storage and disposal

Never assume your data is safe, or that everyone who walks in your door is trustworthy.

  • Lock file cabinets and shred bins.
  • Make it clear what kinds of documents can be recycled vs. shredded.
  • Set up offices so that computer screens aren’t visible to everyone walking by.
  • Think twice about Bring Your Own Device policies and liberal use of thumb drives.
  • If you use portable devices, make sure data is encrypted and that you have remote wiping capabilities in case they are lost or stolen.

Think of your old computers and devices as disgruntled exes. Just because you’re moving on doesn’t mean they can’t come back to haunt you. When it’s time to let go of old computers and devices, make sure to wipe the slate clean.

Technology

Technology is a double-edged sword. Make sure it’s working for you and not just against you. There are lots of tech solutions out there to help you thwart potential technology mishaps.

  • Keep your software updated.
  • Use spam protection and email filters.
  • Monitor network, Internet and email activities.
  • Consider using two-factor authentication.

Don’t let data security be something you learn about after the fact. Start with the easy changes (new password, anyone?) and work your way up to the bigger stuff.

If this article has you a little spooked, you may also want to read its companion piece: Should Your Company Invest in Identity Theft Protection?

Photo by Intel Free Press

PS. *Verizon's 2016 Data Breach Investigations Report might be the most entertaining research study you’ll read all year. No kidding! It's worth the download.


Written by Kristi Birkeland

Kristi Birkeland is the Director of Integrated Marketing at Q4intelligence. A former business owner, she understands the power that companies have to do good. She helps organizations find their voices and articulate their value. Her goal is to make the world a better place, one job, one person, one business at a time.

Tags: HR Strategy
