Much is written about the corporate threat from shadowy remote hackers. A cybercrime economy worth trillions has certainly made this disparate bunch of financially motivated threat actors a major force to be reckoned with. But the biggest risk to corporate data and cybersecurity may in fact be closer to home.
New research reveals the nature and extent of this risk: a combination of naivety and negligence, made worse by the trend towards home working. When insider threats like this come knocking, protecting the data itself, wherever it is located, would seem the natural place to begin risk mitigation.
What we found
The research itself, commissioned by UK insurer Superscript, is compiled from interviews with 1,500 employees. It reveals several alarming attitudes including:
- 40% feel that following security best practice is not their responsibility
- A third (34%) don’t know what preventative security measures their employer has in place
- A fifth (21%) still think that passwords are the most secure way of authenticating
This tells us some important things about employee behavior. Even when organizations put in place expensive technology controls to mitigate cyber risk, they may still be undone by the ignorance and/or negligence of their workers. Many staff seem to regard even streamlined security measures such as multi-factor authentication (MFA) as an obstacle to productivity. They stick to what they know, even if it means exposing their employer to the risk of compromise.
When it comes to authentication, for example, the research found not only a preference for passwords over MFA, but also a prevalence of bad habits. These include credential reuse, sharing passwords with colleagues, changing strong passwords to weaker ones, and even failing to update log-ins after a compromise.
This matters, because once in the hands of threat actors, passwords can provide access to email systems, administrative accounts and much more. It’s only a short hop from there to data theft and potential ransomware compromise.
Home working angle
The insider risk is more pronounced still due to the large number of employees still working from home, for at least part of the week. Security controls often don’t extend as effectively to these distributed environments, and staff can be even less willing to toe the line on security. One report reveals a roll-call of risky behavior including:
- Use of work laptops for internet downloads, online shopping and playing games
- Use of personal devices to access work applications and documents
- Sharing work devices with children, partners and housemates
Partly as a result, 51% of IT leaders surveyed said they had seen evidence of compromised personal devices being used to access company and customer data over the previous year.
Remote workers might also be more prone to clicking on phishing links, according to one study, which found that many are more distracted when away from the office environment. That's not to mention the risk of misdelivery of emails and sensitive documents, which accounted for over half of the financial sector errors that led to breaches in 2021, according to separate research.
Protect the data, protect the company
Even with the best will in the world, and all the user awareness training that goes with it, human error is inevitable. As the above reports highlight, we are fallible and sometimes selfish creatures. That's bad news for IT security leaders tasked with mitigating cyber risk to acceptable levels.
In this context, the best way to balance user productivity and security is to let employees work largely the way they always have, but add an extra layer of invisible protection around the data they work with. Data-centric security means the organization's crown jewels are protected via encryption or tokenization wherever they are and wherever they travel—from an office-based desktop, to a remote-working laptop and all the cloud systems in between.
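To make the tokenization idea concrete, here is an added Python sketch (not code from the original article, from Superscript, or from any product) of what "protecting the data wherever it travels" looks like at the record level. The `TokenVault` class, the role names and the sample customer record are all constructed for illustration; a real vault would be a separately secured service with its own audit log. The point the code makes is that copies of the record on a remote laptop or in a cloud job contain only random tokens, and the only way back to the real values is a single, authorized detokenization step.

```python
import secrets

# Constructed sample record: one customer row as it might leave the CRM
# for a laptop, a shared drive, or a cloud analytics job.
SAMPLE_RECORD = {
    "customer_id": 1042,
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "card_number": "4111111111111111",
}

# Fields that count as crown jewels and must never leave the vault in clear.
SENSITIVE_FIELDS = ("email", "card_number")

# Hypothetical roles permitted to turn tokens back into real values.
DETOKENIZE_ROLES = {"payments-service", "fraud-analyst"}


class TokenVault:
    """Issues random tokens for sensitive values and stores the mapping.

    Hypothetical in-memory stand-in for a vault service; it keeps the
    example self-contained and runnable offline.
    """

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        # Reuse the token for a value already seen, so tokenized datasets can
        # still be joined or deduplicated on the token without exposing the value.
        if value in self._by_value:
            return self._by_value[value]
        # The token is random and carries no information about the value, so a
        # leaked set of tokens is worthless without access to the vault.
        token = "tok_" + secrets.token_urlsafe(18)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token, caller_role):
        # Detokenization is the only route back to the data, so it is the one
        # place where the access decision has to be made (and, in practice, logged).
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._by_token[token]


def tokenize_record(vault, record):
    """Return a copy of the record with every sensitive field replaced by a token."""
    protected = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in protected:
            protected[name] = vault.tokenize(str(protected[name]))
    return protected


def detokenize_record(vault, record, caller_role):
    """Restore the original values for an authorized caller."""
    restored = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in restored:
            restored[name] = vault.detokenize(restored[name], caller_role)
    return restored


def leaks_sensitive_data(record, original):
    """True if any original sensitive value appears anywhere in the record."""
    blob = " ".join(str(v) for v in record.values())
    return any(str(original[name]) in blob for name in SENSITIVE_FIELDS if name in original)


def demo():
    """Walk one record from the office to a laptop and a cloud job, then back."""
    vault = TokenVault()
    office_copy = tokenize_record(vault, SAMPLE_RECORD)
    laptop_copy = dict(office_copy)   # synced to a remote worker's laptop
    cloud_copy = dict(office_copy)    # handed to an analytics pipeline
    result = {
        "laptop_leaks": leaks_sensitive_data(laptop_copy, SAMPLE_RECORD),
        "cloud_leaks": leaks_sensitive_data(cloud_copy, SAMPLE_RECORD),
        "same_token_on_reuse": tokenize_record(vault, SAMPLE_RECORD) == office_copy,
        "restored": detokenize_record(vault, cloud_copy, "payments-service"),
    }
    try:
        detokenize_record(vault, laptop_copy, "remote-employee")
        result["unauthorized_blocked"] = False
    except PermissionError:
        result["unauthorized_blocked"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two travelling copies leak nothing, the same value always maps to the same token (so reports and joins still work on tokenized data), an authorized service gets the original record back, and an ordinary employee account on the laptop cannot. Encryption at the field level gives the same shape of protection with a key instead of a vault lookup; either way the control travels with the data rather than with the device or the network.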
Taking this approach won’t just keep the organization safer from the risks associated with data leakage and breaches. It could accelerate compliance efforts and lower insurance premiums.