A new study by CompTIA (Cyber Secure: a Look at Employee Security Habits in the Workplace) examined the “technology use, security habits and level of cybersecurity awareness” of workers across the US and concluded that “reckless behavior persists” and “worker cybersecurity knowledge and habits still lag behind” the pace of technology innovation and the increasingly complex threat landscape.
The research found that:
- 63% of employees use their work mobile device for personal activities
- 94% of employees connect their laptop/mobile to public Wi-Fi networks
- 49% of employees have at least ten logins, but only 34% have at least ten unique logins
- 45% of employees receive no cybersecurity training from their employers
Interestingly, in addition to the survey, “CompTIA commissioned a social experiment to more directly observe the behaviors of consumers in real-world settings”.
Viruses such as the Stuxnet worm spread by infected USB sticks, quickly infecting devices and infrastructure. CompTIA wanted to determine the extent to which workers put their data at risk – in spite of their apparent awareness of cybersecurity risks.
The report explains:
“200 unbranded USB sticks were dropped across high traffic public spaces – such as airports, coffee shops and public squares in business districts – including Chicago, Cleveland, San Francisco and Washington D.C. The sticks were preprogrammed with text files prompting anyone who plugged the found USB sticks in to email a specific address or click through a trackable link.”
CompTIA found that “17% of consumers picked up and plugged the USB sticks into their devices” and emailed the address or clicked the link. Most alarmingly, “consumers’ technology literacy was not a determining factor” in their behavior. Of the 17%, some were IT workers, some worked in the security office of a large multinational, and a handful of respondents even asked if the USB stick had a virus on it.
In conclusion: “even the most IT literate end users can make precarious decisions when faced with potentially suspicious technology, demonstrating how challenging it can be to instill strong cybersecurity habits (not merely knowledge).” Insiders are regularly found to be the biggest information security threat that organizations face. To combat this threat, a combined approach is required.
Combating insider threats
That 45% of employees receive no cybersecurity training from their employers is simply asking for trouble. Training will make sure your employees are fully aware of the security threats they face, and can act quickly and instinctively to phishing campaigns, spam emails, malicious websites, suspect removable devices, and the like.
In addition to training, comprehensive security policies and technological solutions must combine with education to ensure that all bases are covered. Privilege management processes must be followed to ensure that access to critical systems and information is strictly limited to those who need it; patch management processes must be followed to ensure that all security software is kept up to date; and regular penetration testing should be carried out to determine any vulnerabilities in web applications and network infrastructure that could be exploited by opportunistic criminals.
“Though employees are largely aware of the risks of poor cybersecurity habits, many don’t apply that knowledge.”
If you’re concerned about your organisation’s susceptibility to insider security threats, you need to ensure that everyone in the organisation behaves responsibly. IT Governance’s Information Security & ISO 27001 Staff Awareness E-learning Course enables employees to gain a better understanding of information security risks and compliance requirements in line with ISO 27001, the international standard for information security.
ISO 27001 sets out the requirements of an ISMS (information security management system) – a holistic approach to information security that encompasses people, processes, and technology.
Implementing an ISMS enables organizations of all sizes, sectors, and locations to mitigate the risks they face with appropriate controls, limiting the inadvertent threats posed by untrained staff, inadequate procedures, and out-of-date software solutions.
As CompTIA notes, “In many ways, consumers’ tech savvy is greater than ever, but savvy does not always translate to secure. As IT environments become more complex, and the cost of poor protection rises, consumers need to be both.”
Creating a security culture in which good habits are instinctive is the only way in which organizations can ensure that their employees don’t put their information at risk. For more on creating a security culture, read Build a Security Culture.