Employees are a company’s greatest asset — but they’re also a company’s greatest security risk. Despite advancements in cyber training and literacy, employees continue to engage in risky cyber behavior.
A recent OpenVPN survey discovered 25 percent of employees reuse the same password for everything. And 23 percent of employees admit to very frequently clicking on links before verifying they lead to the website they intended to visit.
Cybersecurity breaches are a matter of ‘when’, not ‘if’, and organizations have to be ready to address hackers head-on. But with businesses so focused on external threats, they often overlook the role their own employees play in exposing vulnerabilities from inside an organization.
OpenVPN is a provider of next-generation secure and scalable communication services, with an award-winning open source VPN product with over fifty million downloads since its inception. To further understand the impact employee decisions have on security protocols, OpenVPN surveyed 500 U.S. full-time employees about their cybersecurity habits to pinpoint areas of weakness that could potentially harm their organization.
From the Equifax breach to Facebook’s user privacy scandal, the past year has been a nightmare for businesses concerned with protecting the integrity of their data. And whether accidental or intentional, an employee’s online activities can make or break a company’s cybersecurity strategy. Take employee password usage as one example. Employees create passwords they can easily remember, but this usually results in weak security that hackers can bypass with brute force attacks. Similarly, individuals who use the same password to protect multiple portals — like their bank account, email and social media — risk compromising both their personal and work information.
The key thing to remember is that passwords should be long, strong, complex, and not easy to guess. A strong password consists of at least eight characters that are a combination of letters, numbers and symbols, and both uppercase and lowercase letters. And passwords should be different from account to account: using the same passwords across the board means that if one account is broken into, another break-in is sure to follow.
Here are some examples of strong passwords versus weak passwords:
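The criteria above can be expressed as a check. This is an added example, not part of the original article or of any OpenVPN product. The function names, the short list of easy guesses and the sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

# Assumption: a tiny constructed stand-in for a real list of commonly guessed passwords.
EASY_TO_GUESS = {"password", "password1", "12345678", "qwerty123", "letmein1"}

def password_problems(password: str) -> list[str]:
    """Return the article's criteria that `password` fails (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if password.lower() in EASY_TO_GUESS:
        problems.append("easy to guess")
    return problems

def reused_across(accounts: dict[str, str]) -> list[list[str]]:
    """Group the account names that share one password."""
    # Compare keyed digests made with a throwaway key, so the grouping
    # table never holds the plaintext passwords themselves.
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for name, password in accounts.items():
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[tag].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample data, not taken from the survey.
SAMPLE_ACCOUNTS = {
    "bank": "Summer2018",
    "email": "Summer2018",
    "social": "password1",
    "vpn": "r7#Vq!2mLw^Z",
}

if __name__ == "__main__":
    for account, pw in SAMPLE_ACCOUNTS.items():
        print(account, password_problems(pw) or "meets the criteria")
    print("reused:", reused_across(SAMPLE_ACCOUNTS))
```

In the sample data, the bank and email accounts fail on two counts: the shared password has no symbol, and its reuse means a break-in at one exposes the other.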
To reinforce strong employee passwords, some employers have adopted biometric passwords, combining ease-of-use with security. A reported 77 percent of employees trust biometric passwords, and 62 percent believe they are stronger than traditional alphanumeric codes. But even among those who trust things like fingerprint scans and facial recognition, user adoption is lagging — just a little more than half of employees (55 percent) use biometric passwords.
Convenience is also a factor in how employees approach cybersecurity. Unfortunately, some individuals are unwilling to trade the convenience of basic passwords and certain technologies for secure cyber habits. Employees are reluctant to abandon things like voice-activated assistants, for example, even though 24 percent of them believe those assistants have the potential to be hacked. In fact, only 3 percent of employees have actually stopped using their Alexa or Google Home out of fear of being hacked. This signals to employers that even when employees know the security risks associated with a certain technology, they will ignore the warning signs and continue to use it because of its convenience.
Cleaning up security vulnerabilities starts with developing safe cyber hygiene practices. Just like parents teach their children healthy habits from a young age, employers have a responsibility to teach their employees good cyber habits to protect themselves and business operations from malicious actors. Simply telling people to avoid visiting infected websites isn’t enough — more than half (57 percent) of millennials admit to frequently clicking on links before verifying they lead to the website they were intending to visit.
Unlike traditional approaches to cybersecurity, a cyber hygiene routine encourages employees to proactively think about the choices they make on the internet. In addition to thorough security education and clear communications, employers can implement a couple of easy tips to help employees develop good cyber habits.
First, employers can promote positive reinforcement when employees make smart decisions. Employees may be a company’s first line of security, but many fail to report cyber attacks out of fear of retribution. Instead of employing fear tactics to prevent weak employee passwords and phishing schemes, employers should consider rewarding or acknowledging individuals who embrace good cyber strategies. Employees are less likely to shy away from security training and are more incentivized to change their approach to cybersecurity when they are sent encouraging messages for safe internet behavior.
Then employers can offer continuous training on best practices. Hackers work year round to catch companies off guard, using tools ranging from phishing to man-in-the-middle to distributed denial-of-service (DDoS) attacks to breach the defense mechanisms in place. While employers can’t predict what they will face next, they can offer routine training to employees to keep them up to date with the latest security threats. This can help employees recognize and deal with evolving threats like smishing, a scam targeting individuals with smartphones and other mobile devices.
Building a work culture centered around good cyber hygiene takes time, but will ultimately protect companies in the long run from online threats. When smart online habits become second nature, both employers and employees can better prevent hackers from taking advantage of otherwise stagnant security environments.