The "human factor" | SwissSign
A data security specialist by Swiss Post

Main section

What role does the “human factor” play in IT security? 

When it comes to IT security in the workplace, the oft-cited “human factor” is one of the biggest risks. Lack of knowledge, heavy workloads and lack of awareness of security issues all harbour risks. Reducing these risks should therefore be at the heart of every successful IT strategy. We’ll show you how to transform the “human factor” into part of the solution and simultaneously open up new opportunities. 

Problem 1: People are people

It’s important to understand why people are a company’s biggest IT security risk. There’s a simple reason for this. People act like people, not like machines following programmed logic. Here’s one example: an employee tells an acquaintance from another business that the company is using an outdated version of the CRM. An employee working for a competitor overhears this conversation and makes a note of everything.  

Many hacking attacks start out this way. Another thorny issue is the behaviour of laid-off employees expressing their frustration. Most companies that have experienced attacks would agree that it would not have been possible to carry out a successful hacking attempt without the “human factor”. 

Possible solutions

Make sure your employees are aware of the risks. Regular training is a good tool to cement awareness of IT security. It’s also important to take the issue seriously within the company. Management should lead by example.

Problem 2: Passwords are annoying

An aversion to complicated passwords is another all-too-human factor. Whether it’s the name of the family dog or a three-digit number, many passwords are just easy to guess. On top of that, people often reuse passwords or, in the worst case, note them down somewhere that is publicly accessible – such as on a Post-it. 

Employees are often unaware how dangerous these seemingly normal actions are. All it takes is one small-time criminal pretending to work for the cleaning company to type in a password that’s been left lying around – and steal company data on a USB stick or install malware. If they have a bit more time to try out the password on other PCs or systems, they will very likely be able to access even more critical data. 

Possible solutions

Make sure all passwords consist of at least 8 characters. Do not use ordinary words, common passwords or simple sequences of numbers. Never reuse passwords. Ideally, you should combine numbers, letters and special characters without any discernible logic. Do not store your passwords physically at your workplace. Use a password manager instead. One final important point: do not share your passwords with anyone, not even your manager or the IT help desk.

Problem 3: Humans are social beings

People like to be praised. We like to hear that we’re doing a good job. When they’re in this mood, employees tend to reveal things about their job. An attacker can exploit this human weakness to tease out important information with a bit of skilful questioning. 

In addition, any attacker has access to all information shared on social media. This risk is particularly high for inexperienced or frustrated employees. Speaking of social media, the web applications of popular messaging services pose another risk if they are used on company computers. Every security vulnerability they have can become a gateway for attacks on your company systems. Not to mention, these applications are an easy way to spread dangerous files in the hopes they will be downloaded. 

Possible solutions

Train your employees and impress on them the risks of an attack and possible attacker strategies. Make sure that company devices are not used to access social media, except for company purposes. 

Problem 4: Devices are used for both company and private purposes

Want to provide your employees with WiFi? Great idea! Want to make it accessible for private devices, too? Very bad idea. Your company has no control over the security of outside devices. This opens a doorway for attackers. The same is true of other private devices often used at work, such as USB sticks or external hard drives. This “shadow IT” normally exists without the IT department’s knowledge and is a security risk. 

It can also be dangerous to use company laptops for private purposes. Even normal recreational use increases the risk to the company – for example, if the employee uses private or unsecured public WiFi networks. 

Possible solutions

Be careful about granting access to the company WiFi. The company’s IT department should be familiar with and review the security of all connected devices. Only the company’s own USB sticks and hard drives should be used to store data. Be conservative in granting administrator rights. Only give these to employees who actually need them to work. This will prevent the installation of malware. 

Problem 5: Employees handle data incorrectly

Imagine your accountant has accidentally printed out two copies of the payroll. He throws the extra copy into the bin. Any other employee or – even worse! – a competitor could find it. This is all it takes for strategic company data to get into the wrong hands. 

The same is true of the digital world. Keeping sensitive data which is no longer required on a PC runs the risk of important information being exposed in an attack. Employees also might not report this kind of data loss – if they even remember still having the documents stored. 

Possible solutions

Make sure your employees treat confidential data responsibly. All documents containing company data should be either securely archived or shredded. Make it clear that any data loss must be reported immediately. It is very important to be tactful about this. Employees should not have any inhibitions, much less fears, about reporting data losses.