Ahead of his appearance at CISO Online ANZ, ThycoticCentrify’s Chief Security Scientist Joe Carson shares some key findings from a new report on risky employee behaviours from a cybersecurity perspective
Cybersecurity software provider ThycoticCentrify has produced a new global report highlighting the risky behaviours organisational employees are willing to engage in in order to remain productive at work.
The report suggests, among a number of factors, that employees often think they are not important enough to be concerned with security, or believe their company is too small to be targeted by a cyber threat. Some simply assume IT has them covered all of the time.
Cybersecurity awareness campaigns often point to the employee as being a major risk vector when it comes to organisational security, but ThycoticCentrify’s Chief Security scientist Joe Carson, who commissioned the survey, says it’s time to stop thinking of employees as the weakest link.
“That type of language just creates friction between security and employees,” Carson says. “Everyone in a company has different roles to play, different positions, different jobs and different values. They are not hired to be security professionals, they are hired for a specific job.
“So, the problem is when security professionals refer to them as the weakest link, it’s because we’re not doing a good enough job in communicating the right technologies and the right processes and the right procedures to make sure that they are making the safest and most secure choice in doing their job.
“We need to empower them more, we need to provide them with tools that are easy to use and help them be successful in their jobs, and unfortunately security has been overly complex and sometimes slows them down in getting their jobs done.
“We’ve done a lot of research over the past year, primarily focused at the CISO level, this time we decided to take a much broader scope. I’ve always championed listening to employees more, understanding them more, understanding the choices they make and their motivations, and ultimately, this report we have now goes some way to do that.”
Employees take on risk to remain productive
Thycotic, which is a sponsor of Corinium’s upcoming CISO Online ANZ event, identifies three key takeaways from its survey into employees across the world. The first being that despite knowing the security dangers, 79% of employees will still engage in risky behaviours, assuming they are not a target.
“When faced with meeting their goals form a business perspective versus doing something that might be considered risky from a security perspective, employees will weigh up and think, ‘Do I get the job done and meet my department’s goals, which I’m measured on, or do I not meet those deadlines and spend time resetting passwords, logging in, only connecting from certain networks that I should be working in’.
“When they are faced with those tough choices on balance, they’ll take the easy choice. That’s the challenge. Security needs to be aligned with productivity, when you are doing anything with regards to implementing a new security system, you need to really look at what the existing processes are and if what you are going to do makes it better.
“The more we create challenges for the employee to be productive and do their job, they’ll find paths around it.”
SMBs are less concerned about risks
The report’s second takeaway suggests that SMB’s are at higher risk than other organisations because they are more likely to sacrifice security for productivity and less likely to have implemented multi-factor authentication or virtual private networks.
“SMBs are absolutely at a considerable amount of risk compared to large enterprises,” Carson says.
“For a cybercriminal specialising in ransomware, lining up 500 SMBs as victims, who have no choice but to pay in order to get their business back, is much more lucrative than targeting one large organisation that will have multiple defences and multiple backups.
“I’ve seen SMBs that have become victims of ransomware in the past year and the reason why is that they are faced with the challenge of keeping their employees productive and working remotely, while they might only have a one-person security or IT help desk working 9 to 5, five days a week.
“They don’t think they have the resources and the budget to consider security a top priority, they are focused on keeping the business running. But SMBs do have options, there are solutions out there which have much less impact on resources, provide great ROI, there are cheaper and sometimes free solutions that they can use to help them get to a secure path.
“So we need to do better as an industry of providing visibility to their options; that they have a choice.”
Cybersecurity training is improving but there’s still work to go
The third key takeaway of the report is that just 44% of employees surveyed received cybersecurity training in the past year, and that most training is focused on phishing attacks, leading to other threats being perceived as low risk.
“Awareness training should not be approached like a once-a-year checkbox task, first of all,” Carson says.
“The other important thing is though, most training has primarily focused on phishing. So even when it is delivered, it’s making employees think that all they need to worry about is emails. But that’s not the only attack vector.
“When I looked at the research and the data coming back, training is all about phishing, but we’ve forgotten about all the other threats, like logging into websites with credentials, reusing passwords across multiple sites, plugging USBs into laptops, saving passwords in browsers.”
“Training needs to be moving into much more of a behaviour and cultural side of things too. It must be ongoing, taking specific threats and narrowing them down into quick understandable takeaways that will be easily learned.”
Carson says that despite there being a gap in the number of employees receiving awareness training and the problems in existing awareness training, there is progress being made.
“It is improving, people are detecting what they are trained on much better. They also know who to contact when things go wrong, which is a great improvement as well. So awareness training is working, but we must make sure that it becomes much more of a larger, long term initiative rather than short-term checkboxes.”