Time and time again we see that employee behavior is one of the biggest data security threats. MedCityNews reports that healthcare employees are using 15 times more cloud services than their IT departments realize.
Of course, cloud usage isn't necessarily insecure. But many cloud providers aren't HIPAA compliant, and some (including iCloud) refuse to sign Business Associate Agreements (BAAs). When employees take IT into their own hands, they potentially expose you and your clients to data breach risks and professional liability. Let's look at what you can do to reduce bad employee habits.
4 Strategies for Reducing Risky Employee Behavior
The average healthcare company uses 868 cloud services, but its IT staff only knows and approves of 60 of them. The rest are what is referred to as "shadow IT." Employees are using non-approved tech to do their jobs, but they may not realize this exposes their company to serious risks – and if your clients are in healthcare, this can lead to HIPAA violations.
Whether or not you work with healthcare clients, you'll see this problem in nearly every workplace. How do you prevent the proliferation of shadow IT and reduce risky employee behavior? Let's look at four strategies to address these problems:
- Discuss cloud programs employees are using (and how they should be using them). An employee might set up a Dropbox account, hoping to improve their productivity and avoid data losses. But Dropbox isn't actually HIPAA compliant. Shadow IT might have minor security flaws or fail to meet commercial-grade standards. Figure out which cloud apps your client's employees are using and decide whether IT needs to replace them.
- Focus on education rather than punishment. Remember: many employees are simply trying to do their job in a more efficient way. That's the right impulse. As the IT professional, you don't want to be the network police, but rather the consultant who teaches best practices, like only keeping files in secure network locations. You'll have to teach client employees why your solution is better and more secure.
- Be ready to offer alternatives. That 15:1 ratio is, in some ways, good for you. It shows that many businesses aren't investing in enough cloud services to meet their employees' needs. If a client hires you to be a sys admin or install workflow solutions, come prepared with a list of alternatives to non-secure shadow IT.
- Talk to the people in charge. Corporate boards are looking to spend more on security. So be ready to pitch security to decision-makers outside the IT department. You may have more clients who have questions about their security, so have answers that will make sense both for their IT staff and for non-technical business people.
Why It All Matters for IT Consultants: In A Word – Lawsuits
As we reported in "Oops! Employee Mistakes the Most Damaging Security Lapses," 60 percent of IT professionals name user errors as the most damaging data security incident. The kinds of user-created problems we've been discussing can lead to the most damaging – and costly – breaches. And that's a problem for you.
Costly breaches can lead to lawsuits filed against your business. Even if a security incident can be traced back to an employee error, you could still be sued. A client could allege you didn't train them to use their IT properly and failed to teach them which security settings they need to keep on and which features of a product they should or shouldn't use.
Because of the risks of client data breaches, many tech contractors invest in Errors and Omissions Insurance with third-party cyber liability to cover the cost of lawsuits over security incidents and data breaches. To learn more about the cost and limits of this coverage, see our sample quotes and cost estimates of IT insurance.