Lackadaisical employee attitudes to cyber security are the biggest risks to enterprises

By Ronald Sens, EMEA Director, A10 Networks.

  • 6 years ago Posted in
The role of IT in defending against cyberattacks is more difficult than ever. It becomes even more challenging when IT departments are forced to tackle the lack of willingness by employees to take precautionary steps against attacks.
 
Based on new research involving more than 2,000 business and IT professionals at companies from various industries around the world, A10 AIR addresses the challenges IT decision makers face with the rise and complexity of cyberattacks, and the sometimes-careless attitudes of employees who unwittingly introduce new threats into their businesses.
 
The report revealed that employees often unknowingly weaken cybersecurity with the use of unsanctioned apps: one out of three (37 percent) of employees surveyed say they aren’t familiar with what a DDoS attack is, or even aware of how they could unknowingly become victimised.
 
This data is even more disturbing when almost half (48 percent) of IT leaders say they agree that their employees do not care about following security practices, according to the survey findings. It’s hard to protect someone who isn’t familiar with the warning signs associated with attacks – or willing to learn about them.
 
With often poor understanding of corporate security policies, this behaviour increases the risks that come with a growing reliance on disparate and app-dependent workforces, especially when one third (30 percent) of employees surveyed knowingly use apps their companies forbid.
 
Of those who use non-sanctioned apps, more than half (51 percent) claim “everybody does it,” while one third (36 percent) say they believe their IT department doesn’t have the right to tell them what apps they can’t use.
 
Why use unsanctioned apps in the first place? One third (33 percent) of all respondents claim IT doesn’t give them the apps needed to get the job done.
 
But Who’s Responsible for App Security?
For employees who want to check sports scores or listen to streaming music at work, poorly designed apps with weak security could provide the backdoor for attackers to gain entry into the employee’s corporate network.
 
While the WireX botnet recently hijacked thousands of devices through seemingly harmless apps, it’s a frightening reminder that it only takes one app with weak security to infect a mobile device. More than half (55 percent) of employees surveyed say they expect the use of business apps to increase, meaning the odds also increase of these devices becoming part of a larger DDoS attack, which can bring entire businesses to a screeching halt.
 
But who is ultimately responsible to protect employees who used non-sanctioned apps at work? App developers, IT departments and end users are at odds over who is responsible for application security and best practices regarding the many apps on the phones of employees. With employees, responsibility is low: only two out of five (41 percent) claim ownership for the security and protection of non-business apps they use, AIR found.
 
And who is that “someone else” who should be protecting users’ apps in the workplace? Employees think security should be provided by the app developers (20 percent), service providers (17 percent) and their IT department (16 percent).
 
But if you ask IT decision-makers who is internally responsible, one third say the security team is most responsible for protecting employee’s identity and personal information, followed by the CIO or vice president (17 percent) of the company, and 15 percent state “the whole IT department.”
 
Employee Behavior toward the Use of Banned Apps or Sites at Work
It’s an accepted fact that companies can block apps and websites at work – 87 percent of respondents find this practice acceptable, and 85 percent would accept a position at a company that does so. However, only two thirds (61 percent) of employees cliaim their companies actually block specific sites or apps.
 
Additionally, 10 percent don’t know if the apps they use at work are banned or not, demonstrating a need for better communications from IT, and the survey backs this up: 88 percent of IT heads say employees need better education on best security practices.
 
Perceived Attitudes of Employees and Thoughts on Best Practices
What other ways are IT professionals reminding employees about best practices when it comes to security? Password policies are communicated to employees through email reminders (66 percent) followed by employee orientation (50 percent), internal meetings (48 percent), and communication from a manager (44 percent).
 
And when it comes to passwords, IT decision makers say their top recommended password policy is updating passwords regularly (76 percent), followed by choosing different passwords for different systems (59 percent), and two-factor or multi-factor authentication (53 percent).
 
But overall, what does IT need to do better protect their company? The biggest challenge noted by IT professionals is lack of corporate commitment to security policy and enforcement (29 percent).
 
But there is good news: although almost a quarter of IT decision-makers think there will be no improvement in security behaviour at their company, 75 percent optimistically think there will be. 
By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.