the weakest link

How to mitigate your biggest cybersecurity risk: your employees

Freelance tech writer

A tech writer specialising in cybersecurity, working with Redscan on this and a number of other GDPR, MDR, and ethical hacking projects.
January 24, 2019



Employees are typically the weakest link in an organisation’s cyber defences, with 54% of IT professionals citing negligent employees as the root cause of data breaches, in a survey by the Ponemon Institute.

So it’s vital that businesses provide them with the knowledge and skills to mitigate risks.

There are plenty of things you can do to reduce the risk of your staff being targeted by, and falling prey to, a cybersecurity breach.

Audit the software you use

One of the most important things that you can do to minimise the risk is to thoroughly audit the software that is currently being used by employees. Remember that different systems can present security risks – where you might be concerned about hackers gaining access to email credentials in the business, a less publicised risk might revolve around third-party accounting software that your finance department uses.

Another good example is HR software. Many businesses assume that cybercriminals will attempt to breach systems that contain customer data, but remember that employee information can be a valuable resource too.

Staff roster specialists Planday created this HR checklist to help you take an inventory of your company processes. Outsourced HR software could contain anything from personal details about employees to financial reports and payroll information – all of which can be very valuable to cybercriminals.

Manage access across the system

A good way to mitigate potential damage if you are breached is to manage and limit access that members of staff have. It is common for businesses to have IT systems where being able to log in provides full access to all aspects of the company infrastructure – but this can be very dangerous. Employees should only be given access to the information and systems that they need to do their jobs.

This ensures that if an individual employee falls victim to a phishing scam or has their password hacked, the cybercriminal that gains access will not be able to steal all of the data on the company system. They will be limited to the data that the employee has access to in order to work.

Investigate breaches and incidents thoroughly

Of course, it is also important that any security incident or, worse, breaches are investigated to the full extent. It is a nightmare scenario for a business to be compromised and to lose the data of staff or clients, but this experience is something that the company has to learn from.

Failing to take lessons from a previous breach can leave you vulnerable to suffering the same sort of attack again in the future.

Some organisations like to invest in ethical hacking and penetration testing. These forms of testing simulate a hacking attempt and the testers then provide the organisation with information on how they were able to access the system and mitigating steps they can take to prevent this kind of attack in future.

In a sense, this sort of testing allows you to investigate breaches and incidents before they even occur – and the results can be invaluable.

Have a strong password policy

Unfortunately, weak passwords are the problem in the majority of cyber incidents. In fact, recent research suggests that almost two-thirds of all data breaches are the fault of weak passwords.

This shows just how important it is for your staff to use a unique password that is genuinely strong – but what makes a strong password?

There is no completely foolproof method, but ultimately, the longer the password is, the harder it is for criminals to crack it. Traditional advice suggests a minimum of 12 characters, and that those characters should include letters, numbers and symbols as well as avoiding words that can be found in dictionaries.
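As an added example (not code from the original article), the following Python checker applies the rules just described and estimates how the brute-force search space grows with length, which is why length matters more than mixing character classes; the dictionary word list is a constructed stand-in for a real dictionary or breached-password list.

```python
import math
import string

# Policy from the article: at least 12 characters, letters, digits and
# symbols, and no dictionary words. The word set below is a constructed
# stand-in for a real dictionary / breached-password list (an assumption).
MIN_LENGTH = 12
DICTIONARY = {"password", "welcome", "company", "summer", "qwerty", "letmein"}


def check_password(pw: str) -> list:
    """Return the list of policy rules the password fails (empty = passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        failures.append("no letters")
    if not any(c.isdigit() for c in pw):
        failures.append("no digits")
    if not any(c in string.punctuation for c in pw):
        failures.append("no symbols")
    lowered = pw.lower()
    hits = sorted(w for w in DICTIONARY if w in lowered)
    if hits:
        failures.append("contains dictionary word(s): " + ", ".join(hits))
    return failures


def brute_force_bits(pw: str) -> float:
    """Rough size of the brute-force search space, in bits, assuming the
    attacker knows which character classes were used. Every extra character
    multiplies the space by the alphabet size, so length dominates."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # 32 ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ["Summer2019!", "Passw0rd!", "c0rrect-Horse&batt3ry"]:
        print(candidate, check_password(candidate) or "OK",
              f"{brute_force_bits(candidate):.1f} bits")
```

A nine-character password drawn from all four classes still has a smaller search space than a sixteen-character lowercase one, which is the point the advice above makes about length.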

Provide regular training sessions

Finally, it should be pointed out that if you want to ensure your staff are as secure as possible, you need to keep them informed of security changes. The techniques and tactics used by hackers and criminals change all the time, so it is generally sensible to provide regular sessions throughout the year.

For example, it may be best to ensure that all staff receive cybersecurity training as standard when they come onboard, and this can then be followed up with refresher sessions that keep employees up to date with the latest goings-on.
