By Aaron Reiter • May 2, 2018

Employees: Your Weakest Security Link

The personal information of 146 million people was exposed last year following a data breach at Equifax, one of the country’s three largest credit bureaus. That number alone is staggering, but there is a number associated with the breach that is even more unbelievable: one.
One employee failed to install a software patch that would have prevented the data breach from ever occurring. It came down to one person.
Too often, human error is to blame when it comes to data breaches and sensitive information being exposed. Employees get lazy with passwords. Warnings to update software go unheeded because updating would take time and force someone to restart their computer. Individuals use their smartphones or tablets to connect to email or access company networks and then hand those devices to their kids at restaurants so they can enjoy a moment of peace (you've been there, you know what I'm talking about). The list goes on and on.
The 2016 Cyber Security Intelligence Index included a study by IBM that revealed 60% of intentional infrastructure attacks were inside jobs! Even worse, three-quarters of those resulted from malicious intent. That's just the intentional or complicit activities. Far greater numbers of breaches occur due to plain old human error or complacency. Research from a London-based consultancy last year indicated that up to 90% of all data breaches occur because of human error.
“The simple truth is that a data compromise is more likely to come from an employee leaving a laptop on the train than from a malicious criminal hack.”
- Anthony Dagostino, Head of Global Cyber Risk, Willis Towers Watson
The importance of data security cannot be overstated. All you need to do is look at a picture of the former CEO of Equifax testifying before Congress to see what is at stake when you’re handling the personal information of individuals, especially their financial information. Collection agencies may not be anywhere near as large as Equifax and may not hold as much data, but falling back on “what are the odds that a hacker is going to care about me” is not a smart strategy.
Data needs to be backed up, preferably in real time. It needs to be accessible and it needs to be secure. More creditors, especially in the financial services space, are requiring these types of controls. As a result, more third-party collection agencies are undergoing audits and certifications to attest to the policies and procedures they have in place. The day that one of your customers demands you meet HITRUST is coming (it's here for some of you), and that's more work than FedRAMP, FISMA, or HIPAA, with requirements that an old PIC system is just never going to meet.
When is the last time you "rolled down" a window?
Collection agencies have been slow to adopt technology, hanging on to legacy systems that are already paid for and that employees are already trained on. That's understandable, but so is your dad who waxes on and on about how his 1978 Oldsmobile is paid for and he doesn't mind rolling down the windows himself because he believes that hand crank will last longer than any power window. New systems, with bells and whistles and modern capabilities, are considered to be unnecessary luxuries, but pretty soon Dad's not going to be allowed to drive that 74 Olds on roads dominated by self-driving cars. He'll be rolling his windows up and down in his driveway with nowhere to go.
These capabilities aren't luxuries any longer. Modern communication strategies are necessary to reach younger generations. Data enrichment and business analysis tool integrations are necessary to stay lean and efficient. Security and compliance audits are getting expensive and onerous, but there are options that alleviate those responsibilities. Process automation is absolutely crucial to keep staff working on revenue-generating tasks.
I have fully digressed into a soapbox rant about modernity that goes beyond security, so I'll refocus and sum up. If all it takes is one employee forgetting to do one thing one time for the personal information of 146 million people to be exposed, everyone should be taking security more seriously. That starts with people and training, of course, but it can only be ensured with infrastructure that meets modern standards, accommodates future changes and gives admins the oversight necessary to identify problems.