Light Dark
October 17, 2018 By Kacy Zurkus 3 min read
Data Protection
CISO

Between bring-your-own-device (BYOD) policies, shadow IT and an increasingly mobile workforce, companies today are wrapped up in broad potential attack surfaces from employee negligence. When it comes to information security, offsite and remote workers, vulnerable paper trails, unmanned computers, and a host of other forms of employee negligence pose increasing risks to U.S. companies.

“Risky employee behavior and bad habits, coupled with a lack of employer-led training, is not only breeding a culture of lax information security, but is posing serious legal, financial and reputational risks to U.S. businesses of all sizes,” said Monu Kalsi, vice president of Shred-it.

How Can Companies Train Out Employee Negligence?

Many of the riskiest offenses are ones that employees might not even consider potentially negligent or dangerous behavior, such as leaving a computer unlocked or unattended when leaving the office for the day. These might seem like small oversights, but they can have dire consequences.

Many enterprises now include security training in their onboarding process to teach end users about data protection and cybersecurity best practices. Unfortunately, those efforts often do not extend beyond the first month or so of work.

When training programs occur infrequently, employees are less likely to retain essential information, leaving them unprepared to act in accordance with the security guidelines in place. A lot changes in a year’s time, and you’ll need your employees to know about those changes in order to fix their habits.

Establishing Remote Control Over Mobile Security

Despite the ongoing increase in remote workers, as reported in Gallup’s “State of the American Workplace Report,” security training and best cyber hygiene practices are still not a priority among U.S. businesses, according to Shred-it’s “2018 State of the Industry Report.” The latter survey found that over half of small business owners have no policy in place for remote workers.

“Training needs to address the evolving status of your business and the industry in general, which means it needs to be frequent and ongoing,” Kalsi said.

How to Create a Security-Focused Culture

Forty-seven percent of C-Suite executives and 42 percent of small business owners reported internal human error as the source of data compromise in Shred-it’s study, reinforcing the critical need to increase employee awareness around data security.

“In order to establish a culture that is committed to data security, training must be continuous,” Kalsi said.

The problem is that so many organizations don’t really understand what continuous training entails. What does the curriculum even look like?

“Conducting regular information sessions and providing accessible training opportunities for staffers both old and new is a great rule of thumb to ensure all employees have resources available to them to help them understand your company’s security policies,” Kalsi said.

Implementing regular review procedures can also help to identify issues as soon as they arise so that you can be sure sensitive information is handled properly in daily functions across the business. Vetting and training internal staff is just as important as evaluating external partners before working together and exchanging sensitive information.

Don’t Forget About Non-Cyber Risks

Although seldom discussed, mistakes in the treatment of physical data can also lead to a breach. For example, the U.S. Department of Homeland Security experienced a breach back in February when an employee left Super Bowl security plans in the seat pocket of a commercial passenger plane, as reported by CNN.

“Of course, mistakes happen,” Kalsi conceded, “but establishing a culture that equally prioritizes physical and cybersecurity ensures that employees are as prepared as possible,”

Updating the workplace policy to reflect all of these lesser-known security risks is key to arming staff with the knowledge and skills they need to effectively protect your business. Teaching employees basics like how to properly dispose of a hard drive will significantly reduce your risk of a breach.

“As long as hard drives are still physically intact, all private information can be retrieved,” said Kalsi. “This means that if your hard drive disposal process includes erasing, reformatting, wiping or degaussing, you’re still vulnerable.”

Employees need to understand the pain points where both physical and digital data could be at risk. Consistently reminding employees to be security-aware in their daily habits will help reshape the way they perceive data security and your organization’s priorities overall.

 |  |  |  |  |  |  |  | 
Kacy Zurkus

More from Data Protection
January 27, 2025

How secure are green data centers? Consider these 5 trends

4 min read - As organizations increasingly measure environmental impact towards their sustainability goals, many are focusing on their data centers.KPMG found that the majority of the top 100 companies measure and report on their sustainability efforts. Because data centers consume a large amount of energy, Gartner predicts that by 2027, three in four organizations will have implemented a data center sustainability program, which often includes implementing a green data center.“Responsibilities for sustainability are increasingly being passed down from CIOs to infrastructure and operations…

January 21, 2025

Why maintaining data cleanliness is essential to cybersecurity

3 min read - Data, in all its shapes and forms, is one of the most critical assets a business possesses. Not only does it provide organizations with critical information regarding their systems and processes, but it also fuels growth and enables better decision-making on all levels.However, like any other piece of company equipment, data can degrade over time and become less valuable if organizations aren’t careful. What’s even more dangerous is that neglecting data hygiene can expose organizations to a number of security…

January 3, 2025

Router reality check: 86% of default passwords have never been changed

4 min read - Misconfigurations remain a popular compromise point — and routers are leading the way.According to recent survey data, 86% of respondents have never changed their router admin password, and 52% have never adjusted any factory settings. This puts attackers in the perfect position to compromise enterprise networks. Why put the time and effort into creating phishing emails and stealing staff data when supposedly secure devices can be accessed using "admin" and "password" as credentials?It's time for a router reality check.Rising router risksRouters…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature