New research undertaken by 247meeting has revealed senior management as being the culprits for some of the biggest lapses in workplace security.
247meeting surveyed 2,000 UK office-based workers and remote workers to understand their attitude to workplace security and the impact it has already had throughout their career. The new report aims to educate businesses on the biggest potential threats to security and how to overcome this.
Some of the biggest lapses in security admitted by senior managers include 1 in 4 allowing other colleagues to use their conference call PINs, meaning those colleagues can dial into their calls at any time. Couple this with the fact that senior managers also admit to discussing many sensitive matters on calls such as business issues (34%), employee salaries (31%) and internal company trading results (27%) and the potential for data breaches is clear. Unsurprisingly a quarter of senior managers did admit to experiencing a stranger on their conference call previously, yet this doesn’t seem to have changed their behavior.
Strangers hacking into conference calls can be managed by employees not sharing conference call PINS and using a safer option like a secure mobile app version instead. While sharing conference call PINS might not seem to be very risky, it can be the start of a major security breach and you should take every precaution when it comes to calling clients and customers.
Other precautions you can take are making sure that you are taking all calls in a private space and if you are out of the office you should leave important calls about private information until you are back in a secure space.
This lack in attention to security policies seems to be commonplace with 30% of employees admitting they don’t know where to access their company’s IT security policy. And even of those that have read the policy, only 13% say they actually remember all of it.
When looking at how well different industries know their security policies we can see big differences. Not one single employee from the following industries said they could remember all of their workplace’s IT security policy:
- Law enforcement and security
- Performing arts
- Publishing and journalism
- Recruitment and HR
- Science and pharmaceuticals
- Social care
Most worrying from this is that among these are some of the industries we place most of our trust in to protect us and our personal data – law enforcement, social care and HR, in particular.
Reassuringly those working in information technology were among the industries most likely to remember all of their IT security policy, but even then only a quarter say they remember all of it:
Industry |
I remember all of my company's IT security policy |
Hospitality and events management |
25% |
Information research and analysis |
25% |
Information technology |
25% |
Business, consulting and management |
21% |
Accountancy, banking and finance |
20% |
Some simple ways to ensure that employees are reading and understanding your IT security policy would be:
- Make it mandatory reading for all new employees
- Pre-save the policy on every employee’s desktop for them to refer to
- Ensure all employees undertake a knowledge test based on the policy every six months
By doing this companies can be sure that they have done all that they can to communicate their policy to employees.
British Airways came under fire recently for their data breach, but 247meeting’s report shows that these breaches aren’t as rare as customers would hope. Alarmingly, one quarter of those surveyed said their company has been affected by a data breach, a cyber attack or, worse, both.
All of this raises a very important question of whether companies are really doing enough to prevent data breaches and hacks, and this research seems to indicate they are not.
Despite the General Data Protection Regulation (GDPR) coming into force earlier this year, 25% of employees with access to customer data said they hadn’t been trained on GDPR. This lack of training could prove extremely costly to businesses with potential fines for non-compliance as high as £20 million.
This lack of training on GDPR is even more prevalent among remote workers, with 42% admitting to not being trained (versus 26% non-remote workers). This trend continues when looking at whether remote workers are clued up on security policies, with only 40% knowing where their company’s security policy is saved (versus 61% non-remote workers). This highlights an overwhelming need for companies to look closer at their approach to remote working and ensure that remote workers are being given the same training and policy updates as staff based at their offices.
All companies that have customers based within the EU need to ensure that they have trained employees handling customer data on the new regulations. The GDPR site has a great summary of the main changes under GDPR, and this should be mandatory reading for all employees, at the very least.
One of the key changes within the GDPR was the strengthening of conditions for consent, given that those working in the marketing industry and one of the most common to be obtaining this consent, it is worrying that they are the third most likely to have not been trained on GDPR.
Industry |
% not trained on GDPR but with access to customer data |
Hospitality and events management |
55% |
Media and internet |
45% |
Marketing, advertising and PR |
44% |
Engineering and manufacturing |
41% |
Property and construction |
40% |
Another worrying finding in the report was the use of non-secure communication methods by employees, with almost half admitting to using technology tools to communicate at work without them being password protected. These communication tools can often be an easy target for hackers or even competitors to gain information about clients, customers or even just business performance. One solution to avoid this is to ban or block certain communication tools within the workplace.
Instead of hoping that you never experience a security hack, it is sensible to ensure that employees are aware of the procedures they need to follow in case of the unfortunate event. Make sure that you have a process when contacting customers or clients and you have a plan to correct the damage the security hack has done.