News Pricer.lt

Every eighth SME company hands over employee data to hackers on a silver platter

  • 95% of micro, small and medium-sized enterprises process employees' personal data, and 49% of them transfer it to accounting and bookkeeping offices.
  • The overwhelming majority of this group (88%) believe that subcontractors properly secure the data against access by unauthorized persons. On the other hand, as many as 45% of respondents fear that it may be stolen.
  • As many as 23 percent of surveyed companies from this group admit that they provide sensitive data of employees in a completely unsecured way – according to a study conducted on behalf of the ChronPESEL.pl website and the National Debt Register under the patronage of the Office for Personal Data Protection.

Ignoring basic cybersecurity principles

Although paper documentation is becoming a thing of the past, as many as 38 percent of respondents still provide accounting and bookkeeping offices or HR agencies with documents in this form. SMEs much more often provide employees' personal data in electronic form. Unfortunately, due to the disregard for cybersecurity rules, this convenient form of communication with external staff exposes some employees to danger.

Only 31% of respondents send encrypted e-mails with an attachment protected by a password to access the file. This type of protection is most often used by medium-sized companies (38%), and less often by small and micro companies (31% each). In turn, 22% of entrepreneurs send encrypted e-mails with an attachment, although they are not password-protected. On the other hand, 16% of respondents store encrypted documents in the cloud, which they then share with external partners.

Encrypted email communication is useless if the attached files containing employees' personal data are not additionally protected by a password. It is enough for the sender to get the recipient's address wrong for the data to reach the wrong person, and a data breach occurs.

Unfortunately, among SME companies, there are also companies that take a completely irresponsible approach to protecting employee personal data. As many as 14% of respondents send subcontractors unencrypted emails with an attachment without the required password to access the file.

– This is the biggest problem for small companies (23%) from the trade (25%) and transport (21%) sectors, which have been present on the market for over 10 years (32%). They operate much more often as companies (19%) than as sole proprietorships (5%). Unfortunately, despite their extensive business experience, they are very negligent about protecting the personal data of their employees and customers, which in effect are an exceptionally easy target for hackers – warns Bartłomiej Drozd, an expert from ChronPESEL.pl.

Equally reckless are the 9% of respondents who store unencrypted documents in the cloud and then give external companies access to them.

– This is the domain of medium-sized companies (19%) from the manufacturing (81%) and construction (22%) sectors, which have been present on the market for 5 to 10 years. This is very worrying, because these companies employ from 50 to 250 people. Despite the relatively large scale of their operations, and therefore their attractiveness to cybercriminals, they exceptionally underestimate the threat from hackers. One of the reasons may be the erroneous belief that transferring employee data to an external accounting and bookkeeping office or HR agency releases them from liability in the event of a leak or theft by cybercriminals. This is not the case – adds Bartłomiej Drozd.

Sins of SMEs

This is not the end of the list of SME sins. 5% of them no longer take paper employee documents to the accounting and bookkeeping office, but send them on a pendrive or external drive instead. If the drive is lost or stolen, employee data becomes available to third parties.

– Data administrators, i.e. employers, should conduct a risk analysis and identify threats if they transfer data on flash drives. The analysis should show the need to properly secure such devices. There are encrypted flash drives of this type on the market. Files can also be encrypted, which in the event of loss or theft of such a portable drive will prevent or at least make it more difficult to read the data without knowing the password – says Mirosław Wróblewski, president of the UODO.

It is worth knowing that the Personal Data Protection Office has already imposed fines on administrators who suffered a data protection breach due to the loss of a personal drive on which the data was not secured in any way.

– UODO proceedings most often revealed a lack of appropriate risk analysis, which would help realize the need to properly secure such media. Sometimes the analysis was superficial, which resulted, for example, in the implementation of insufficient procedures related to securing data on external media, or a lack of supervision over compliance with the developed rules – adds Mirosław Wróblewski.

Hackers are rubbing their hands with glee

No wonder, because according to the Central Statistical Office, SMEs employ 7.3 million people. For cybercriminals, this means 7.3 million potential victims of attacks.

Micro, small and medium-sized companies most often process employees' names and surnames (86%) and telephone numbers (80%), slightly less often the address of residence and the PESEL number (75% each), followed by the e-mail address (70%), bank account number (68%) and ID card number (62%), as well as health data on absences or illnesses (43%). As a result, due to the poor level of security in many SMEs, hackers can very easily steal a complete set of personal data needed to commit a crime.

The study was conducted by TGM Research on behalf of ChronPESEL.pl and the National Debt Register under the patronage of the Personal Data Protection Office (UODO) in May 2024 using the online interview technique (CAWI) on a sample of 400 representatives of MSME companies meeting the decision-making criterion and processing personal data.
