Key Points

• Data breaches have risen globally, emphasising the importance of addressing bad habits that can lead to data loss and cybersecurity threats.
• Bad habits include a lack of a human firewall, leaving screens open and unattended, connecting to public WiFi, falling victim to social engineering tactics, using weak passwords, and emailing sensitive documents to personal accounts.
• To prevent these habits and protect sensitive data, bridge the gap between security teams and the rest of the organisation, use educational tools, embed security professionals within the organisation, and invest in security tools while providing continuous, relatable training to staff.‍
• Metomic is a data security solution, which is helping security teams and organisations to protect sensitive data across their entire SaaS stack.

When it comes to overseeing data security, your employee’s bad habits could be letting you down. According to Infosecurity, data breaches rose by 70% globally in Q3 of 2022, showing just how serious the problem is. 

Here you'll learn how to bridge the gap between security and employees, educate staff, and minimise cybersecurity risks.

What bad habits can cause data loss or cybersecurity attacks?

There are a number of bad habits that can cause data loss and in most cases, they can be improved with some careful planning and a robust data security strategy: 

1. Lack of a human firewall 

Your employees are one of your most important defences against cybersecurity threats and building your human firewall with well-informed staff can help you enormously when it comes to detecting anything unusual. 

Security is often seen as the complete domain of the security or IT team, but within any organisation, everybody should be taking steps to protect important data like customer information. By implementing a data security tool like Metomic that makes security everyone’s responsibility, you can start to build a security-aware culture and reduce the threat of cyber attacks such as phishing. 

2. Leaving screens open and unattended 

With more people working remotely, it’s not unusual for your employees to be working from coffee shops or co-working spaces, where remote working security risks such as data left on unattended computers could easily be accessed. 

Whether you have an office space or not, encouraging your team to always lock their screens before they leave their desk can help reduce the chances of someone stealing company secrets. 

3. Connecting to public Wi-Fi

And with all those coffee shop trips, or visits to co-working spaces, comes the potential of employees connecting to public Wi-Fi or unsecured networks. 

Easily intercepted by hackers, public Wi-Fi can be a huge risk, particularly for those working with sensitive data. Understanding the chances they’re taking by connecting to it can be the difference between losing sensitive data or protecting it. 

4. Employees falling victim to social engineering tactics 

Social engineering attacks have become increasingly more sophisticated, making them more difficult to spot. Of the UK businesses that were impacted by breaches in 2022, the most common form of cyber attack was phishing at 83%.

If employees aren’t properly trained to notice possible phishing tactics, they could be easily manipulated into handing over sensitive information that could compromise the company. 

5. Easy-to-guess passwords 

Weak passwords typically contain employees’ names, hometowns, or dates of birth - all of which are easily accessible via social media accounts. Not only that but passwords are often reused across multiple platforms, making it easier for hackers to gain access to company secrets and/or sensitive customer data. 

6. Employees emailing themselves documents 

When employees move from one job to another, they may email documents to their personal accounts, so they can retain them for future use. 

However, this can lead to difficulties in tracking sensitive data and where it’s being shared. This bad habit could potentially involve company secrets being taken to competitors, or customer data being held in insecure spaces.

7. Not updating software 

Although it can be tempting to put off software updates, outdated equipment can put your sensitive data at risk. Encourage your employees to update software whenever they’re prompted to, rather than leaving it too long. 

The small interruption to their day will be worth it in the long run. 

What is the potential damage of just one mistake? 

Just one mistake could have massive ramifications for companies that suffer a data breach. 

In 2022, some of the biggest data breaches resulted in reputational damage for huge companies such as Uber as well as eye-watering financial losses, including $600M being stolen from Ronin. 

Within the security world, it can be difficult to earn trust, and once you have it, you don’t want to lose it. Tightening your policies and creating a strategy around data loss prevention can help you show your customers that you’re doing everything you can to protect their information. 

How can security teams prevent bad habits?

One of the best things you can do is bridge the security awareness culture gap between your security team and the rest of the company. Make sure everyone is taking responsibility for cybersecurity, rather than a select few. You can do this through educational data security tools like Metomic, as well as embedding yourself within the organisation. 

As a security professional, make yourself known to the rest of the team so they can easily report any incidents and know who they can go to for help. You may even want to carry out a practice run of a cybersecurity attack, so that the information really does stick in your employees’ minds.

Finally, invest in security tools that can keep data protected, so you know that even if one person in your team does make a mistake, there’s a tool that can help you pick up any DLP concerns. 

How can you train and educate staff on data security risks, dangers and consequences? 

Think about the best way to educate your staff about the types of data security - is it really with an annual training session or is it with continuous learning that feeds into their day-to-day work, so they can see it in action? Make the training topics relatable to their job & scenarios they might find themselves in and choose relevant cyber security awareness training topics so they know what to do instantly if they notice any suspicious activity. 

You’ll also need to speak to them in a language they understand. For instance, speak in financial terms for your leadership team so they can realise the impact that a data breach would have on the business. 

How to approach employees who share too much information

If your employees are oversharing sensitive data, it can lead to bigger problems down the line, if it's not nipped in the bud.

Firstly, you should have a 1:1 conversation with them, so as not to embarrass them in front of other colleagues. Try not to approach this discussion with anger or resentment for any mistakes they might have made. For instance, you could start the conversation off by saying how you acknowledge their efficiency in their role.

Within the conversation, you should outline specific examples of sensitive data being shared so they can understand where they might be going wrong. Again, approach this logically and rationally, without letting emotion get the better of you. Once you have given them an example of their oversharing, you can move on to highlight the risks associated with doing so. Discuss the impact this could have on the company's reputation, and any financial or legal losses that can occur as a result.

Encourage the employee to ask questions and gain full clarification on where they can share sensitive information, and where this is strictly forbidden. It may be helpful for them to run some scenarios by you so you can give them tailored guidance for their specific role.

Finally, wrap up by letting them know that you will be monitoring the employee's behaviour for any other instances of oversharing, and where possible, try to reward them for their efforts in taking your feedback on board. Where employees aren't receptive to feedback, enrolling them in data security training workshops may be beneficial.

Conclusion

Educating and training your staff could have a massive impact on your data security strategy, and help you to identify any cybersecurity attacks, such as phishing. 

To enable your team to receive continuous training, and build your human firewall, book a personalised demo with one of our data security experts.