It’s a bit of a cliché that your staff are your biggest asset. Of course, there’s truth in clichés - your staff are where ideas are tested and performed; they’re the face of your business – where sales are made and customers are satisfied; and your star players can be the driving force behind your business growth and profitability. 

But, how much thought have you given to the risks that are inherent in your staff? We’re not robots and we make mistakes. Mistakes that occur from either inexperience, complacency or even downright rebellion to rules and processes. 

In this month’s blog, we touch on the five main areas of staff risk that relate to information security and what you can do to minimise these risks.

Disposal

You might ask a staff member to get rid of some sensitive information. A few scenarios might play out here: 

- A flash drive is thrown away. The problem here is the critical information is still held on that asset – what happens if it falls into the wrong hands?

- The paperwork is thrown into the general recycling. It should have gone through a shredder first. 

- The staff member forgets. You now have some sensitive information lying around that you should no longer hold on file – you could be in breach of privacy laws.

The key takeaway here? Confidential or sensitive electronic and paper information must be disposed of securely (and promptly) to reduce the risk of falling into the wrong hands or unwanted disclosure. 

Distribution

You might ask your staff member to email a document with some sensitive information. 

The staff member sends the attachment, but enters in the wrong email address. It goes to a third party – a customer. The email attachment has private information like delivery instructions and bank account details. It is too late to recall this email.

Some email providers have a confidential mode to help protect sensitive information from unauthorised access.

For example, Gmail’s confidential mode allows you to:

set an expiration date for messages or revoke access at any time. Recipients of the confidential message will have options to forward, copy, print, and download disabled.

However, a malicious recipient could still take a screenshot or photo of the sensitive information, so this mode is not completely without vulnerabilities.

According to a 2017 study carried out on 2,000 UK workers by Egress Software Technologies Ltd, a UK based data privacy and risk management company, “more than one in three workers (35%) have sent an email to the wrong person, while nearly half (46%) have received an email clearly intended for someone else.” Although this is an overseas study, it is a handy illustration of the prevalence of this issue. 

Sending emails to the wrong person is embarrassing at the least and criminal at the worst. 

Some systems can now detect if you’ve added an incorrect recipient to an email or mistyped an email address. It’s best to also check and update your email settings – so that emails don’t get released immediately, and you can stop them from sending if you’ve noticed an error.

Remember, wherever possible, sensitive information should be encrypted.

Complacency and forgetfulness

Surprisingly, given our heightened awareness of scamming, hacking and other malicious activity, you will still find staff members who:

- Have very weak passwords.

- Write their passwords on a post-it note and stick it under their keyboard.

- Share their password with others.

- Open attachments without looking carefully at the source.

- Print out documents with sensitive information and leave them on their desk.

- Take an important flash drive or other form of movable media home (including laptops, tablets or work phones) and leave it on the bus.

Lack of vigilance or understanding

Other vulnerabilities happen when staff sign up for a cloud storage system, not fully understanding or complying with company policy and start sharing information there.

Infosec explains the vulnerabilities of cloud storage systems well: 

“Users who are not vigilant may place sensitive data in publicly accessible folders. It is also possible that users may “accidentally” move sensitive files to locations that are synchronized automatically with publically accessible external locations without being aware of doing so.”

Broken record here: Wherever possible, sensitive information should be encrypted.

Inexperience

Staff may be providing support for a system that they have little or no experience in. Bad input breeds bad output.

This can be overcome by creating a culture of ongoing development and awareness. Training should be seen as a non-negotiable investment.

Which leads us onto the three main areas where you can increase staff awareness of risks around your information security:

Skills, Accountability and Knowledge

It’s up to you to ensure that your staff are equipped with the skills they needto do their job well. Skilled staff make less mistakes, are more careful with their work and create a strong reputation for your brand. Skills training includes ongoing development and educating your staff when new systems or technologies are introduced. 

With accountability,staff need to know what to do when things go wrong and that there are consequences to their actions. Done right, a culture of accountability helps increase engagement and communication, and minimise complacency. Of course, it’s important to create an environment where employees can be open when they have made a mistake and feel confident of approaching you promptly.

And lastly, knowledge. Do your staff know company policies and processes around information security? Do they know what steps they need to take if something has gone wrong? Do they know the rules around file sharing and disposing of information correctly? Make all of your staff aware of key policies, standards, and expected behaviours, and make sure that they regularly refresh their knowledge so that information security remains front of mind. 

Equip your staff. Protect your business.

The IT Psychiatrist knows technology and understands the vulnerabilities that surround the sending, sharing and disposing of your sensitive information. That’s why we can design and develop best practice policies, processes and strategies, so that you feel confident that your information is as secure as possible, and that your staff feel equipped to follow best practice. 

If you want industry-leading and best practice IT policies, processes and strategies, or a part-time IT manager to help you make some changes, please give us a call. 

25

Policy and process – What’s the difference and why are they important

Is your business keeping up with the rapid changes in technology and policy? Do your staff have the framework and direction they need to be…

Learn More / >

26

Tech Tip #1: Managing Licence Risk

As businesses become more digitally enabled, their operations and profitability will rely increasingly on software. But software comes with…

Learn More / >

27

Digital Transformation Requires Organisational Change

Digital Transformation ≠ Paperless

Learn More / >

Testimonials

"One of Ant's strengths is relating to owners in a visionary sense and talking to people who are on the ground...[Ant has a] wide understanding of different systems, processes and applications and can articulate where we're going and what the possibilities are...working with Ant has changed the way we make decisions about IT structures and support systems."

Felicity Hopkins, Director - Research Review

We hired Ant to support us with an important project after he was highly recommended by colleagues. Ant was responsive, speedy, super-helpful and helped us to make key decisions. We appreciated his broad experience, and his ability to hold a high level strategic view alongside expert advice on details. We will definitely be consulting with Ant again and are happy to recommend him.

Gaynor Parkin, CEO at Umbrella Wellbring

"We don’t need a full-time CTO [chief technology officer]. Ant knows enough about our business he can deliver it virtually. He can translate things for us. During project management, Ant came into his own... Ant gets his head round your business and [took his time] understanding our context. He was really clear about pausing on investment into the app...Ant's inquisitive, curious and approachable - he's very easy to work with."

Gus McIntosh, Chief Executive - Winsborough

"Ant was really quick to understand the business model and our processes and IT structures."

James Armstrong, Director - MediData

"Ant helped us at the early stages of Aerotruth helping us to plan our technical infrastructure and ensure we built a product that would scale. Ant was great to work with and we really valued his support and contribution to Aerotruth"

Bryce Currie, Co-Founder & Chief Commercial Officer - Aerotruth

"No question has ever been too silly. Ant's been accommodating and helped me understand. I've valued that he understands the charitable sector really well. He can look through the experience that he has with larger organisations and what's the reality for a small and mighty charity where you don't have teams of people that can come in and project manage an IT project"

Nicola Keen-Biggelar, Chief Executive Drowning Prevention Auckland

"Having Anthony was really valuable – to lean in on his skillset – and his connections. He was able to provide impartial advice about the different strengths [of the providers]. It was important that we undertook a good due diligence process. Having Anthony there meant we had impartial selection as well, which is very important to us and [something] other not-for-profits [could benefit from]."

Rose Hiha-Agnew, Program Director - Community Governance