What to Do When Your Biggest Threat to Security is a Well-Intentioned Employee

By: Rick Derouin, TAC Executive Consultant

We all make mistakes. Often, we don’t realize the full ramifications of our actions until we have that “oh no” moment after something has already gone wrong. In a business environment, there may be a large number of employees with enterprise access and multiple platforms, and society’s constant impetus to move to the latest device (which may not be an “official” device) poses a constant threat to security, especially from well-intentioned but security-challenged employees.

Unfortunately, employees tend to forget or disregard policies, especially mobile security policies, so they may engage in risky behavior without thinking about it. They’re generally unaware of the potential risks, and often treat their mobile device like their company PC, assuming it’s secured by IT. In an interview with The Wall Street Journal, the chief information security officer of Blackstone Group LP stated, “The No. 1 most significant risk to every organization is your well-intentioned, non-malicious insider who is trying to do the right thing for the organization and makes a stupid mistake.”

What Makes Well-Intentioned Employees Dangerous

Employee threats are sometimes hard to spot, but there are a few warning signs you can look out for. Does the employee instantly access information on their device? There’s a good chance they’re not using a passcode. Were they hired recently or do they miss meetings regularly? They may not have been counseled on the mobile security policy. Do they use multiple devices or a different device type than you’re managing? You may have an unsecured device problem.

Most employees aren’t malicious. They aren’t a deliberate security threat; they just don’t understand that what they’re doing is wrong. Here are the top six mistakes well-intentioned employees make that are a threat to security:

  • Accessing unsecured Wi-Fi
  • Using login credentials on shared or unsecured devices
  • Failing to use a passcode on devices
  • Saving company information to personal devices or cloud storage
  • Inadvertently forwarding sensitive information
  • Taking company information or login credentials with them when they leave

Mitigating the Risk Well-Intentioned Employees Represent

From a security perspective, people are hard to manage; they do all sorts of things when you aren’t looking and you can’t watch them every minute of every day. Still, there are some things you can do to educate employees and manage devices for a more secure mobile environment. Here are four steps you should take to mitigate the risks of a well-intentioned employee:

  • Create well-defined policies.
  • Set device limits.
  • Implement a mobile device management solution.

The nice thing about malicious threats to security is that dealing with them is black and white. They don’t have good intentions, and you don’t want them anywhere near your data. Dealing with the threat of well-intentioned employees is more difficult, because you want them to have access to information, but there’s always a chance that they might misuse it. It can be hard for IT personnel to understand why employees do the things they do, but remember that not everyone understands the risk. Try to put yourself in their less-educated shoes, and safeguard against their mistakes before they make them.

Rick Derouin, TAC Executive Consultant, has more than 35 years of experience in the IT and telecommunications industries, with the past 12 years focused on increasing clients’ business benefits from investments in communications technology and services and ensuring clients need what they have and are paying the best possible price. He has designed and implemented innovative approaches to performance measurement, benchmarking, and alignment of technology for increased communications (voice and data) effectiveness. Mr. Derouin began his career with 10 years at IBM; in the last 15 years of his vendor career he was Senior Vice President of TeleGlobe, Vice President of AT&T Public Sector Markets, World Wide Vice President of Steltor, and Global Vice President of Oracle’s SWAT Team.