By Brian Rutledge, Principal Security Engineer at Spanning
In the first half of 2018, more than 4.5 billion digital records were compromised in data breaches, according to research from Gemalto’s “2018: Data Privacy and New Regulations Take Center Stage” report. With the value of each lost or stolen record set at roughly $148, the financial and operational impact of data loss has never been so costly. This is why it’s no surprise that the National Cyber Security Alliance deemed the month of October National Cybersecurity Awareness Month (NCSAM), 15 years ago.
Most workers are familiar with well-known security breaches, like Target or Equifax, which compromised millions of individual’s personal data, thanks to widespread coverage of the incidents. Attack approaches, such as ransomware, are also fairly well-known, like the attack that severely impacted the City of Atlanta earlier this year. Employees might even understand how hackers get as far as to access this data, by infecting systems with malware through phishing emails.
But, do workers understand how hackers penetrate an organization’s security system to infect malware to begin with? How is this understanding and their subsequent behavior contributing to the threat of a security breach at the enterprise level?
A recent survey of 400 full-time U.S. workers aimed to answer these questions. Respondents were prompted with queries which gauged each individual’s cybersecurity risk awareness and their tendency towards risky online behaviors. The results of the survey found that, while many employees have a general understanding of security risk, most demonstrate worrisome online behaviors. Four key findings of the survey included:
Workers understand the cybersecurity basics – More than 80 percent of workers expressed that they would never share passwords over text or email. They also reportedly use a mix of letters, numbers and symbols in their passwords. This percentage of employees exhibiting safe behavior is encouraging, however, this still leaves a 20 percent vulnerability gap, in which a hacker can more easily gain access to an organization’s data.
Employees shop on the clock – More than 52 percent of all employees and 62 percent of admin holders surveyed admit that they shop online from their work computer. Further, over 30 percent were unable to identify an unsecure e-commerce website, and more than 50 percent of those who were, could not identify a broken padlock as a key indicator of an unsecure site. Shopping online on its own is not risky, but if employees are using work devices to do so without a full understanding of what makes a website unsecure, they could be unknowingly entering information where it’s not safe to do so, leaving an organization susceptible to an attack.
Kindness takes priority over security – When asked if they would allow a colleague to use their work computer to complete a task, nearly half of all respondents admitted they would. Amongst those with administrative access, only 35 percent said they would refuse to allow a colleague to access their device. Again, this behavior could lead to a breach, as the most common culprit of insider threat is accidental exposure by employees. Further, unlocked devices are considered by cybersecurity professionals as one of the biggest enablers of an accidental insider influenced threat (44 percent).
Individuals continue to take the bait of phishing attacks – When presented with a visual example, only 36 percent of all employees polled correctly identified a suspicious link as being the key indicator of a phishing email. As these kinds of attacks increase in frequency and sophistication, employees must be educated on the risks associated with clicking malicious links and understand the only real way to ensure a link is secure is by hovering over it to confirm the link goes to a site they know and trust.
Workers have a general understanding of security risk and demonstrate good security behaviors online, overall. However, as security threats become more sophisticated, this baseline level of understanding will be put to the test and organizations can find themselves at an increasing risk of data loss.
Much like businesses scale their operations, employees’ threat intelligence must also grow with the advancement of modern-day threats. Unfortunately, human error is inevitable, and even the most knowledgeable staff can still be tricked or make mistakes. For this reason, it is crucial that organizations have their critical data backed up, as it is the only way to ensure that an enterprise’s information is safe following a data loss event such as accidental deletion or a ransomware attack.
It’s up to IT leaders to ensure employees understand all of the ways that hackers can gain access to critical data. To effectively do so, they must look to their employees’ behaviors to pinpoint these risks. Additionally, IT leaders must ensure ongoing education of the newest and most sophisticated threat approaches and invest in technology solutions to ensure continuity of operations in the event that a breach leads to data loss.