How to Manage the X-Factor in Cybersecurity for Businesses

Cybersecurity is one of the most important expenditures for modern businesses. The old saying “an ounce of prevention is worth a pound of cure” rings especially true with regards to cybersecurity. Having a professional, well-trained IT and security staff can drastically reduce risks to a company.

Many data breaches and hacks that impact businesses can be traced back to poor security practices, such as not updating the company network with the latest security patches. Implementing unsuitable antivirus, such as antivirus software more intended for home computers instead of an enterprise level company, for example, is a major security risk. You can check out AntivirusRankings to preview which antivirus software is recommended for an SMB (small-medium businesses) and enterprise-level companies.

One of the most difficult things to be prepared for, however, is the element of human behavior that is all too random. This is referred to as the “X-factor” in cybersecurity, and typically it refers to dangerous actions in the workplace by employees who don’t follow safety protocols.

Examples of the X-factor in Cybersecurity

A key example would be an employee who allows their children to play games on their work device at home. If a company device is given to an employee, and it contains sensitive company information, it becomes a massive security risk when non-employees allow family members to do something as innocent as play games on it. Because let’s be honest – an unsupervised child will find a way to download a bunch of apps onto a device, apps which could have malware in them. This is a lot more common than you think.

But even worse than that is the culture of BYOD (bring your own device). This has actually been embraced by a lot of companies, because it fosters a “happier” work environment when employees are allowed to use their own devices in the office. The problem is that BYOD policies exponentially increase risk. Here are some of the top security risks when a company utilizes Bring Your Own Device policies, and allows employees to connect those devices to the company network:

• Lost and stolen devices: In this 2015 report, 2.1 million American smartphones were stolen (or misplaced and reported stolen).
• Poor device security: In the same report linked above, only 46% of survey respondents set a screen-lock method.
• Malicious mobile apps: Personal devices can be infected with malware from “entertainment” apps, which would normally be restricted on company devices. And then the employee connects to the company’s cloud, with malware on their device.
• Non-encrypted data: Again, the average person does not practice even the most minimal of security standards on personal devices, such as end-to-end encryption.

Other examples of the X-factor would be people in the office doing unsafe things on company computers. I don’t necessarily mean browsing unsafe, non-work related websites (though employees are known to do that), but something like a person in the accounting department being tricked into opening an infected “invoice” file.

People fall for phishing emails all the time, and companies are usually hit the hardest. In fact, the FBI reported that emails scams accounted for $676 million in company losses in 2017.

What can you do about the X-factor?

It boils down to vigilance, training, and accountability. You can’t expect employees to be aware of proper safety protocols without proper safety training. Thus, a company needs to train its employees in safely using company devices. This can’t be a one-time thing, either, it needs to be done regularly as new threats come out.

Secondly is vigilance, and strict office rules. For example, checking personal email accounts on a work device should be strictly banned. And finally, accountability – strictly disciplining employees who introduce cyber threats into the company network. There’s no room for laxity here.

At the same time, management should realistically evaluate how aware they are of cybersecurity practices. A culture of cybersecurity needs to come from the top-level down, or else management can blame nobody but themselves when employees don’t follow safety protocols.