The results, which draw on responses from over 1,000 employees in the UK, uncover two significant issues. Firstly, employee behaviour is becoming an increasing source of risk – more through complacency and a lack of awareness than negative intent. In addition, an increasing number of employees feel security policies are inhibiting innovation and collaboration, and that the costs of lost business opportunity outweigh the cost of a security breach – to the point where some employees take steps to circumvent the policy.
A culture of assumptions
According to the study, only 58% of employees are aware of major security threats and the risks they present to personal/company data. The survey revealed that 39% of people expect their company to take care of data security in the workplace, while just over half (54%) believe it is their responsibility to keep personal and company data safe. A massive 62% seem so insulated from the true extent of threats that they think their behaviour only has low to moderate impact on security.
This attitude may be a result of a lack of visibility given to policies or even the threats that drive them. While 61% of employees thought their company had a security policy, 15% did not know if there was one or not. Almost half, 48% said they weren’t concerned about the policy as it didn’t affect what they do, and, 37% said they only notice one exists when they are stopped from doing something by the security settings. As a result, 37% admitted to low or moderate levels of adherence and twice as many people admitted to being more rigorous about data security at home (24%) than at work (12%).
Factor in behaviour in a threat-centric approach to IT security
Employee behaviour (50%) was second only to cybercrime (70%) when employees were asked to identify the top two greatest sources of risk to data security. All of those surveyed use their company’s network for personal transactions – the most popular was personal banking (79%) followed closely by online shopping (75%) and travel (59%).
Outmoded approaches to security are inhibiting working patterns and stifling innovation
Employees across the UK are increasingly looking at IT security as a barrier rather than an enabler for business. The survey revealed that one in eight (12%) believe the focus on IT security is stifling innovation and collaboration and 13% say it’s making it harder to do their job. Almost one in four (22%) believe that the cost of lost business opportunity outweighs the cost of a potential security breach.
User centric security policies
As part of the research, Cisco identified four distinct IT security behaviour profiles which could form the basis for behaviour-centric security strategies. Each demonstrates a different level of threat to data security and requires a specific approach in order to limit the risk posed whilst leaving people free to perform at optimum efficiency and effectiveness:
The threat aware – those aware of security risks and who try hard to stay safe online
The well-intentioned – those who try to adhere to policies but who implement on a ‘hit and miss’ basis
The complacent – those who expect the company to provide a comprehensive security environment and therefore do not take individual responsibility for data security
The bored and cynical – those who believe the cyber security threat is overhyped and that IT security inhibits their performance and will circumvent policies as a result.
Terry Greer-King, Director, Cyber security, Cisco UK & Ireland. said, “This study confirms the complex challenges facing businesses when it comes to IT security. The results show that most employees recognise the threat from cybercriminals is real and worthy of continuous defence, but it also reveals that employee complacency about IT security is increasing the risks for UK businesses. An employee who blindly trusts is one amongst several “weak links” in the security chain.”
He continued, “As cybersecurity becomes more of a strategic risk, organisations are looking to make it a formal business process providing the organisation with a holistic view of cybersecurity risks and the opportunity to improve business practices. This should be a key part of daily operations to protect the business from internal and external threats.”
“The balancing act of business enablement and protection will require a fundamental shift in how we approach IT security. Businesses that persist with point security solutions will find themselves at greater risk, as this approach is responsible for creating gaps in traditional defences that attackers exploit. Instead, organisations need to implement user-specific protocols which accommodate individual behavioural profiles, allowing them to track the users and devices connecting to networks in order to lower the risk of a breach across the entire organisation.”