Unintentional harm and the human factor
Let’s consider several examples of unintentional harm.
- Harm by inaccuracy: an employee inadvertently harms his own company without meaning to. An accountant in the finance department received an email with an attached account file that seemed plausible to her. The letter came from an unknown sender, and she knew that by all the rules it must not be opened. But something confused her at that moment and she decided to open it. As a result, a program was launched that blocked the computer and paralyzed its work for several days.
- Employees can become an involuntary tool for competitors. Different methods are used to obtain a company’s internal information, for example talking with an employee informally, in an informal setting, about topics unrelated to work. The weakest links of the company are most suitable for this: employees with human weaknesses such as negligence, inattention and carelessness, who are not averse to drinking alcohol or hanging out in company. Once an approach to such an employee has been found and he has been drawn into conversation, internal corporate information is learned. The tongue will involuntarily tell all the secrets, like an uncontrollable evil.
Dangers of accidental personnel mistakes
Often employees handle internal documentation without due responsibility: they take it away, copy it, lose it and distribute it. If intruders are on the alert, they watch and take advantage of the opportunity to get secrets. Let’s consider frequent flaws in the work of staff.
Access to information
- transmission by mail;
The employee sends a letter to a friend in which he recommends against using the company’s products because they were stored in inappropriate conditions and, most likely, were spoiled. The letter is intercepted by competitors and sent to all customers. The company’s sales go down.
- placing information on cloud servers and file-sharing sites, which makes it accessible from the Internet;
The employee connects the technological network to the Internet. Hackers change the settings, production stops, the company incurs losses.
- copying to USB-drives, disks, paper copies;
An employee of a well-known company copied a financial report onto a USB stick to work with it at home. Competitors had remote access to his private computer. They copied the report and placed it on the Internet. The company’s problems became known to the public, and its shares fell in price.
- recording on a smartphone;
An employee stored photos and descriptions of the flaws and shortcomings of an elite new building on his phone. They were stolen and placed on the Internet by competitors. A discrediting campaign was launched. The firm was forced to cut prices.
Modification of corporate information
- loss of information;
Information gets lost, falls into the hands of outsiders or competitors. They can take advantage of it: put it in open access, transfer it to interested parties.
The employee forgot a secret prototype device on the train. As a result, the information became available. The company was forced to change its advertising campaign, which was based on the novelty of the product.
- information leak;
The employee explained a new technology in a circle of friends. Through a chain of gossip, it became known to competitors, who patented and implemented it. The company lost the know-how it had worked on for a long time.
- change of information;
The administrator disclosed how to enter the company’s intranet. Competitors took advantage of the information and changed the data, causing harm. As a result, there was downtime in the company’s work and the network was inoperable.
- information deletion;
The employee put his virus-infected disk into the work computer. The virus deleted important information from the enterprise system. The firm spent a long time restoring it.
How to reduce threats and the percentage of unintentional mistakes
Whether an employee becomes an accidental saboteur depends on the security policy of your company and the discipline of employees. Of course, in order to get results, the company needs discipline.
Improving security and talking to employees about it
- Pay attention to the selection of employees;
It is necessary to pay attention to the characteristics of candidates, feedback from previous employers and the reasons for termination, so as not to hire a potentially dangerous employee: absent-minded, talkative, or friendly with a competitor.
- Provide security training for employees;
Explain everything: which documents may be opened and which may not, how to delete them, which updates to run, how to choose a password and remember it. Explain what information is confidential, for whom, why, when it ceases to be such, and that it must not be stored on the phone or told to relatives and colleagues. Have employees sign a non-disclosure agreement and explain what follows from its violation.
- Develop internal safety instructions;
Conduct the instruction against the employee’s signature. If there is a discrepancy, go through the training once more and give a test. With regular mistakes, think about whether you need to keep such an employee on.
Using technical means and restricting access
- Restriction of access to information;
Provide access to information, data, programs and projects as needed: not to all employees, but only to those who need it for their work. Revoke the access when the work is finished.
- Use of the employees’ monitoring system;
Check what employees do and compare it with what is included in their duties: which sites they visit, which programs they use, how they use open access;
- Control of incoming and outgoing traffic: check for viruses, spam messages and the size of attachments, and inspect the content of emails if required. If your number of staff is growing, think about your own security service.
- Enforce a ban on starting and installing programs from the “Desktop” and “Downloads” folders; this will help keep the computer from getting infected with viruses;
- Limit the Windows user accounts that have administrator rights;
- Enforce a ban on the use of personal devices: laptops, USB drives, disks. If you give access to confidential data, register it.
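To check that the ban on launching programs from “Desktop” and “Downloads” actually holds, process-start records can be audited for launches from those folders, with administrator accounts marked separately. The sketch below is an added example, not part of the original article; the record fields `user` and `image`, the sample records, and the OneDrive-redirected folder variant are assumptions made for illustration.

```python
import ntpath
import re

# Profile folders from which program launches are banned by the policy above.
# The optional OneDrive segment is an assumption covering redirected folders.
BLOCKED = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(onedrive[^\\]*\\)?(desktop|downloads)\\", re.I)

def normalize(path):
    """Strip quotes, unify slashes and collapse '..' before matching."""
    return ntpath.normpath(path.strip().strip('"').replace("/", "\\"))

def violates_policy(path):
    """True if the executable sits under a banned Desktop/Downloads folder."""
    return bool(BLOCKED.match(normalize(path)))

def audit(events, admins):
    """Return one finding per banned launch; 'admin' marks privileged users."""
    findings = []
    for ev in events:
        if violates_policy(ev["image"]):
            findings.append({
                "user": ev["user"],
                "image": normalize(ev["image"]),
                "admin": ev["user"].lower() in admins,
            })
    return findings

# Constructed sample process-start records (not real logs).
SAMPLE_EVENTS = [
    {"user": "accountant1", "image": r"C:\Users\accountant1\Downloads\invoice.pdf.exe"},
    {"user": "accountant1", "image": r"C:\Program Files\Office\excel.exe"},
    {"user": "ITadmin", "image": "c:/users/itadmin/DESKTOP/tools/../setup.msi"},
    {"user": "designer2", "image": r"C:\Users\designer2\Documents\..\Downloads\x.scr"},
    {"user": "designer2", "image": r"C:\Users\designer2\AppData\Local\App\Downloads.exe"},
]
SAMPLE_ADMINS = {"itadmin"}  # constructed list of accounts with admin rights

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS, SAMPLE_ADMINS):
        print(finding)
```

A finding with `admin` set to true deserves attention first, because a program started from a banned folder under an administrator account can change the whole machine.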
It seems that unintentional harm is harmless, but the given examples make clear that this is not so. If you are a manager, try to remember whether an employee has ever come to you and reported that he sent a financial report by mistake to a client or to one of the partners instead of to you. Or maybe he said that he accidentally deleted important documents, or infected the computer with a virus, or forgot to close the access of a retired employee, or left important documents in the open without a password.