Security training should be prioritized by HR: Expert
Although many employees may feel safe while travelling for business, there are data breach vulnerabilities around every corner, with devastating repercussions.
In 2017, more than 24,000 records were compromised in an average data breach, according to the Ponemon Institute. With so many records at risk, employers must be aware of their areas of vulnerability.
Employees who are unaware of proper policies and processes can be the biggest risk to organizations. Sharing passwords, carrying sensitive information unnecessarily, and leaving information unattended in public places can leave an employer at risk.
More than half (51 per cent) of U.S. consumers re-use passwords and PIN numbers, according to a 2018 survey by Shred-it with 1,200 respondents. What’s more, 49 per cent of consumers believe their own security habits make them vulnerable to information fraud or identity theft, with nearly 30 per cent confirming they do not shred documents containing sensitive information before throwing them out.
While travelling, employees must be vigilant in keeping their personal information safe and be mindful of those around them — not only on days of travel, but when they have settled in at their hotel or workplace.
Employers have an active and critical role to play in ensuring employees are taking the appropriate measures to safeguard information.
The top five items most at risk from fraudsters are:
Mobile devices: One in four breaches in the financial services sector are due to lost or stolen devices, according to a 2016 Bitglass report. While thieves often re-sell stolen laptops, tablets or smartphones, there’s a lot of valuable information saved on these devices, too. Employees should ensure they never leave their device unattended, password-protect it, and carry it close to their body to avoid being pickpocketed.
Confidential papers, data: Minimize the confidential data employees take with them when travelling, and have them only take documents that are necessary. If possible, employees should securely shred confidential paper documents that are no longer needed. When not in use, Wi-Fi and Bluetooth should be disabled, and a virtual private network (VPN) should be used in cybercafés, public areas and hotels.
Internet of Things (IoT) devices: Smart devices such as fitness trackers and heart pressure monitors connect to the internet to send and receive information, but it’s important for employees to remember that if they can access their data remotely, it’s possible a cybercriminal can as well. They should take care to never leave gadgets with default passwords, and instead set new and strong passwords and keep the device’s software up to date. Employees should also disconnect IoT devices from the internet (or turn them off completely) whenever they don’t need them.
Travel documents: Confidential information is stored on boarding passes and passports, millions of which are reported lost or stolen around the world every year. Before a business trip, employees should scan a copy of their passport and email it to themselves.
They should also lock passports in the hotel safe and never leave travel documents — such as boarding passes, car rental documents and airline tickets — behind. Travel documents should be securely shredded when the trip ends.
ID and credit cards: Credit card theft and identity theft both involve a criminal assuming a false identity. Credit cards can be kept safe by employees packing only essential ID, credit and debit cards, using safe ATMs in public areas, shielding PIN entry and monitoring credit cards regularly while abroad.
Considering that employees are less likely to be diligent with data security while they’re out of office, it’s critical for HR professionals to prioritize information security training for travelling employees.
Eighty-six per cent of C-suites and 60 per cent of small business owners agree that the risk of a data breach is higher when employees work off-site, according to a 2018 global study from Shred-it.
And while most C-suites in Canada (91 per cent) provide training on information security to employees, only 35 per cent of small business owners have a policy in place for storing or disposing of confidential information while working off-site. Fifty-four per cent have no policy at all, found the survey of 1,002 small business owners and 100 executives.
With remote work becoming a growing workplace trend, it is critical that businesses adopt a remote work policy to keep proprietary and confidential information secure at all times.
These steps can help with the implementation of such a policy:
Gain buy-in from senior management: It is best to have the support of senior management to encourage adoption and compliance.
Work with IT: Work with IT to ensure employees can connect to a secure VPN to remotely access their data. Make sure IT staff are available to support remote workers throughout the day.
Create a communication plan: To share the new policy with team members, plans should take into account the specific communication methods at an office. For some, email may be enough; but for others, the communications may involve posters or town hall meetings.
Develop a breach notification process: Ensure there is a clear and well-understood process for employees to follow if a breach does occur. This is important as it will allow the employer to act quickly to minimize the damage and take further preventative action.
Monitor and update policy: Conduct regular pulse surveys to monitor policy adoption and flag any concerns that arise. Be sure to update the policy to reflect the feedback of employees.
Finally, to help keep employees and the organization secure, consider adding a component to employee training that covers information security while travelling or relocating.
Paul Saabas is vice-president of Shred-it Canada in Toronto. For more information, visit www.shredit.com.