Employee Behaviours and IT/Cyber Risk - A Webinar Recap

On February 15, our Privacy and Data Security and Technology lawyers, Paige Backman, Meghan Cowan and Donald Johnston, hosted a webinar on Employee Behaviours and IT/Cyber Risk. They discussed the biggest risks to IT systems, what those risks are, and how to mitigate those risks.

While most of us have read the news articles about people falling into the trap of responding to phishing emails, or about employees accessing unauthorized data, what we don't realize is that employees are the weakest links when it comes to IT security threats. In fact, threats to IT systems are caused 60% - 90% of the time by "insiders." Insiders are considered to be anyone who has authorized access to hard and soft technology assets and include employees, contractors, business partners, suppliers, service providers/subcontractors and technology escrow providers.

Insiders may inadvertently put your IT system at risk in a number of ways. One of the biggest culprits is employees responding to phishing emails. Phishing emails are now far more sophisticated and can be crafted to look as though they come from an internal source, such as the CEO or President of the company. Employees are naturally inclined to respond to emails, particularly those that appear to come from senior management. It is important to be aware of this and to educate your employees and other insiders so that they know what to look for. Telltale signs include an unusual request, a request for personal information, or URLs that seem suspicious.

Some additional behaviours that can lead to security threats include:

  • Allowing personal equipment (e.g. USB sticks) to connect to networks;
  • Sharing computer passwords;
  • Using the same password for multiple purposes;
  • Leaving the computer logged in so that others can use it;
  • Posting information on social media that allows strangers to convincingly pretend to know you;
  • Losing laptops, smart phones, etc.; and
  • Leaving business doors unlocked.

Data breaches are another major concern for businesses. There have been several cases recently, with widespread media coverage of this growing trend. When it comes to data breaches, healthcare institutions have jumped to the top of the list of sectors that suffer data breaches or are at risk of having their data compromised. Most of these breaches are inadvertent, but for those that are intentionally caused, damage awards can be quite high, particularly in the case of class action settlements.

In order to mitigate threats to your IT system and, in particular, to minimize the risk of a data breach, the following actions should be taken:

  • Adopt IT security policies and acceptable use policies;
  • Ensure employment contracts contain confidentiality clauses;
  • Training is key! Hold privacy training sessions every 4 - 6 months;
  • Conduct due diligence on any contractors, partners and service providers; and
  • Audit, audit, audit!

By having policies and procedures in place, you can correct employee and service provider behaviour. This is also the strongest and cheapest way to minimize vulnerabilities and breaches.

To view this webinar and for more information on this topic, click here to access the webinar archive and here to obtain the corresponding PDF presentation.