Most Data Breaches Are Employee Mistakes, or Are They?


Large enterprise organizations are equipped with in-house IT departments. Since the IT guy or gal is just down the hall, these networks are secured in a very different fashion than small businesses with outsourced IT. The user permissions in a large enterprise are usually locked so low that they are not able to cause much damage.

The real risk is the smaller business with an outsourced IT service or no IT support at all. The damage to a company from a compromised system is beyond the comprehension of most companies in that category. The first damage is the loss of valuable data from corruption, encryption, or other virus and malware effects. The second, for many industries, is the required disclosure to your customer base. The trend in regulatory compliance is toward more disclosure, so expect that to become increasingly standard with time. Here are the defensive weapons that Technigogo Technology Services uses to protect a client company.

  1. Secure your internet traffic before the firewall with a threat detection network security platform DNS service. Not only will this keep your staff away from dangerous websites that can load viruses onto your systems but it can also be used to control or block employee access to time-wasting sites such as Facebook, Twitter, personal email, and more.
  2. The next layer of protection is an enterprise-level firewall. There are fantastic options for the small business owner today and it doesn’t mean you have to buy super expensive hardware to do this.
  3. Utilize world-class endpoint protection. These new antivirus products are better than ever but the market changes often so your IT provider must stay on top of what works best.
  4. Backups. This is still the only surefire protection against today’s Ransomware viruses. All servers and critical workstations must have image backups and critical data which are then also backed up offsite to the cloud.
  5. Many small businesses have a server with a domain and this affords detailed Access Control to limit the exposure to your systems and sensitive files.
  6. The last line of defense is training and informing the end-users; the staff itself. This is still helpful but never in exchange for all the steps above.

Why did I place the staff training last? Because training and informing will certainly help, but it won’t eliminate your risk. You absolutely have to employ the 5 steps above that to expect real results. Let me give you an application scenario. We are often told by the owner of a client company that all staff members are required to store all company documents in the _x_ folder or mapped drive and those documents are never allowed in My Documents / Desktop / etc. We can then immediately browse their network and find infractions to the rule over and over again. There has never been an instance that we have not. Not once. So, we utilize technology, programming, and scripts to protect the assets first and then train and inform.

We all make mistakes, but eliminating as much of the human burden for your network security is the goal of achieving peace of mind.

This article was written for

My head feels like it’s about to explode