Bosses overestimate staff online security know how

Humans are online security’s weakest link. That’s not news. Yet New Zealand bosses will plug every other hole before they attend to the problem. One problem is that managers have an unrealistic view of worker’s security know how.

Aura, an Auckland-based security company is on to the problem.

From a recent Aura press release:

Businesses can have the best protection available, but if a staff member unknowingly lets a cybercriminal into the system then it won’t matter.Independent research commissioned by Aura Information Security reveals staff are not as secure as their IT managers may think.While 62 percent of New Zealand businesses say they carry out security training exercises with their staff, 37 percent of Kiwis say they have received training on good cyber security practices .

Good password practice

This disconnect is further emphasised by password practice. Many IT managers encourage staff to use password managers. This guards against the most common password mistakes aren’t made.

Yet, few staff take this advice. Aura says a third of employees admit to reusing the same passwords for work and personal devices and accounts.

For me, this gets to the nub of the problem. Companies are happy spending money on things. They buy security software, firewalls and even tools like password managers.

This sets up a false sense of security. It would be unfair to say they buy security products and sit back feeling safe. But there is an element of this.

In too many cases companies don’t train their staff how to use the shiny new security tools. Nor do they check on how things are working in practice. If they do any training it can be out of context. You have to explain why password hygiene is important. People need to understand the risks are and what the consequences could be.

Software updates

Another problem with people not updating their software to the latest versions. Updates include fixes to security recent holes. A lot of the time you can configure software for automatic update, your employees need to know this. They may need to handle the updates themselves.

All this is harder now many people work from home. They may even use their own hardware and software.

Which is why it’s important to educate people on online security basics.

Take phishing – that’s the art of tricking people into sharing private information. It remains the most common attempted online crime.

Phishing relies on people not being trained to recognise security threats. There will be workers who don’t know this, let alone how to respond.

Tools can help online security, but the best defence is to help people develop safe habits. Security know how is like money in the bank. If you’re spending money on online security, think of budgeting at least half of the total on education.