Reining in Responsibility to Reduce Risk

Written by: Jon Fielding, Managing Director, EMEA Apricorn

Sellafield nuclear plant recently faced allegations of unfair dismissal following the sacking of an employee whom ‘risked national security by downloading unencrypted data onto her personal memory devices and taking them home with her’.

The story has raised numerous concerns around data security and responsibility, and it’s worrying that even today, the risks posed by employees are still one of the biggest threats to organisations.

Unfortunately, individuals remain a primary target for attackers. The statistic that 95% of data breaches involve human error is often cited, this stemming from research conducted by IBM several years ago.

Human error will always be unavoidable to a certain degree. Even the most cyber-savvy workers will slip up now and again, falling into increasingly carefully laid social engineering traps. However, what is concerning is the fact that many organisations believe their workforces still broadly lack the cyber skills and consciousness required to minimise those simple errors that can lead to devastating attacks.

According to a recent survey from Apricorn, 37% of IT leaders feel that their staff are continuing to unintentionally put data at risk, with 21% also stating that lost/misplaced devices containing sensitive corporate information were a major problem.

These statistics are particularly alarming. The saying that a chain is only as strong as its weakest link rings true – when employees are left to their own devices, even the best technical efforts will fail.

Building a strong security culture

For this reason, organisations need to work to better protect themselves by fostering a stronger security culture, with defined policies and responsibilities that all employees are responsible for upholding and adhering to.

Developing such a culture requires a multi-pronged effort. It’s not simply about putting critical rules in place, but equally ensuring that awareness is maximised among the workforce so that the risks associated with particular tools, actions and devices are understood. 

Of course, it can be difficult to know where to start. However, given that incremental change can often be best in order maximise understanding, a sound first port of call could be introducing policies that manage employee access, limiting each individual to only utilising those exact software solutions and systems that they truly need to do their jobs effectively.

This approach is better known as the principle of least privilege – a core aspect of zero trust strategies that are designed to secure an organisation by eliminating implicit trust.

Equally, firms should also work to ensure that staff are only ever using managed devices to access corporate networks. Why? Unmanaged devices reduce visibility, undermine security protocols, and expand an organisation’s attack surface, providing cybercriminals with unobstructed avenues to easily gain a foothold on a network.

Developing a policy that includes mandated procedures for encrypting all business data across all devices as standard and, wherever possible is enforced through technology, can also be effective.

For example, if organisations want to secure data on the move, it is essential that encryption and endpoint control is applied to all devices, whether that be laptops, mobile phones which can then be used to ensure that only corporately approved, hardware encrypted removable media, such as USB storage devices, can be used. That way, if the worst nevertheless happens, information lost or revealed cannot be deciphered and would at least have blocked the personal and unencrypted USB stick used in the Sellafield story if deployed.

Further, a sound backup strategy can pay dividends. Using offline backup technologies in parallel with a centralised cloud back-up plan, for example, ensures data can always be recovered, thwarting potential attacks.

Compartmentalising staff responsibilities in this way, mitigating the opportunity for individual actions to lead to catastrophic events, provides good grounding for a sound security culture: Employees will be less likely to put information unknowingly or accidentally at risk, and if they do, threat actors won’t be able to exfiltrate sensitive data with ease.

Balancing security and productivity

Of course, the process of restricting access and encrypting data must be done with significant care.

Critically, it is essential that security policies are both communicated properly, and do not obstruct employee productivity.

In a 2022 survey, we found that the core reason that remote policies weren’t followed was due to employees not prioritising security practices despite being informed about them (51%), and because they are using personal devices for working purposes (40%).

If individuals find policies too difficult, complicated or confusing to follow, it will result in frustration, and efforts to bypass security protocols wherever possible. In other words, it will leave employees working against, rather than with, the security strategy.

This is even more important within the new normal of hybrid working. Those operating in remote environments that become frustrated with technical barriers may resort to using non-sanctioned tools and devices that circumvent IT departmental control, resulting in additional risks to corporate data, for example. Such policies should therefore be tailored to suit mobile workers and contractors to limit further risks.

By following these simple steps, firms can ensure that all stakeholders play a crucial role in mitigating and minimising the impacts of modern threats.