Why people are the biggest IT security threat – and what you can do about it!

Intruders in the building: Valuable items have been stolen even though doors and windows are closed. Someone got hold of the key and just unlocked the door! Does this scenario sound unlikely? In companies, this happens more often than you might think – in terms of IT security.

By now employees should know what to do and what not to do when it comes to data protection. Finally, companies have an indirect obligation under the GDPR to provide regular data protection training to all employees. Nevertheless, even CEOs or other high-level employees often use only one master password for all services and applications. In the worst case, they probably even write it down too. It’s only a matter of time before the password gets into the wrong hands. You might not think so right now. But it will happen eventually.

How human error can easily lead to data theft

A study by the security provider Beyond Identity reports that every third user in Germany still writes down their professional passwords by hand. Every fourth user always uses the same passwords. It is therefore hardly surprising that 42 percent of the users surveyed have already experienced their password being compromised several times. Now you could say: “It doesn’t matter, everyone makes mistakes, we all know that.” However, such lapses are not as harmless as they might seem. Such mistakes in securing your IT can have fatal consequences for the entire company.

IT must therefore look at typical mistakes made by employees to be able to take the right countermeasures. However, this happens far too rarely in IT security. Serious errors occur repeatedly, especially when dealing with passwords. IBM have found that a whopping 95 percent of data thefts are due to human error. Passwords written on post it notes and stuck to the monitor are just one of them.

Where mistakes and errors can be potentially damaging

Curious to learn more? Security provider Proofpoint has dealt with human errors and their impact on IT security in a study:

• Almost one in two employees in US companies trust public Wi-Fi hotspots if they are located in a “trusted” environment such as a café or an airport. However, publicly accessible and sometimes not even encrypted hotspots are inherently insecure. Attackers are easily able to spy on insufficiently protected data in wireless networks. Modern VPN solutions are a proven way to protect yourself against attackers.
• Every seventh employee in the UK does not lock their smartphone when they do not need it. To make matters worse, around 41 percent of the participants in the Proofpoint study stated that they use their personal mobile phone both privately and professionally.
• Shouldn't the situation look better for company mobile devices? You might think so, but this is not the case. Proofpoint observed that serious problems also occur here. For example, around 50 percent of employees allow their friends and relatives to use devices provided by the employer to access private e-mails, for example. More than one in five people do not see any cause for concern when it comes to visiting social networks or online shop. Some even reported streaming music and videos or playing games on business hardware.

The examples show that far too many users in companies still do not really take IT security seriously. People often still believe they will be safe: “It won't happen to us”. Unfortunately, the opposite is often the case. Ultimately, it is only a matter of time before a more or less serious security incident occurs.

Why many companies waste time in a security emergency

Bitkom Research found that only one in two companies in Germany has a contingency plan with written procedures and ad hoc measures in the event of data theft, espionage or sabotage. However, this is necessary in order to avoid wasting valuable time in the event of an incident. Every company can and will become the victim of cyber attacks, warn the authors of the study, regardless of industry and size.

“Once the company IT is infected or paralyzed, high costs are incurred, which can go as far as weeks of production downtimes,” comments Simran Mann, Security Policy Officer at Bitkom. “Employees can make cyber attacks easier or more difficult,” continues Mann. After all, the employees are “the first line of defense against cybercriminals”. Ultimately: “Companies should definitely inform about risks and types of attacks and provide information on the right behavior,” recommends Mann.

Introducing new technology means nothing without raising awareness in the company. Equally important are training courses and regular security awareness training. Only in this way can human mistakes and errors be reduced to an acceptable level in the future.