Much is written about the corporate threat from shadowy remote hackers. A cybercrime economy worth trillions has certainly made this disparate bunch of financially motivated threat actors a major force to be reckoned with. But the biggest risk to corporate data and cybersecurity may, in fact, be closer to home.
New research reveals the nature and extent of this risk: a combination of naivety and negligence, made worse by the trend towards home working. When insider threats come knocking, protecting the data itself, wherever it is located, would seem the natural place to begin risk mitigation.
What we found
The research itself, commissioned by UK insurer Superscript, is compiled from interviews with 1,500 employees. It reveals several alarming attitudes, including:
- 40% feel that following security best practice is not their responsibility
- A third (34%) don’t know what preventative security measures their employer has in place
- A fifth (21%) still think that passwords are the most secure way of authenticating
This tells us some important things about employee behavior. Even when organizations put in place expensive technology controls to mitigate cyber risk, they may still be undone by their workers' ignorance and/or negligence. Many staff seem to find even streamlined security measures like multi-factor authentication (MFA) a block on productivity. They stick to what they know, even if it means exposing their employer to the risk of compromise.
When it comes to authentication, for example, the research found not only a preference for passwords over MFA but also a prevalence of bad habits. These include credential reuse, sharing passwords with colleagues, changing strong passwords to weaker ones, and even failing to update log-ins after a compromise.
This matters because once in the hands of threat actors, passwords can provide access to email systems, administrative accounts and much more. It’s only a short hop from there to data theft and potential ransomware compromise.
The insider risk is more pronounced due to many employees still working from home for at least part of the week. Security controls often don’t extend as effectively to these distributed environments, and staff can be even less willing to toe the line on security. One report reveals a roll-call of risky behaviour, including:
- Use of work laptops for internet downloads, online shopping and playing games
- Use of personal devices to access work applications and documents
- Sharing work devices with children, partners and housemates
Partly as a result, 51% of IT leaders surveyed said they had seen evidence of compromised personal devices being used to access company and customer data over the previous year.
The same study also suggests that remote workers may be more prone to clicking on phishing links, because many are more easily distracted outside the office environment. Then there is the risk of misdelivery: emails and sensitive documents sent to the wrong recipient. According to separate research, misdelivery accounted for over half of the financial sector errors leading to breaches in 2021.
Protect the data, protect the company
With the best will and user awareness training in the world, human error is inevitable. As the above reports highlight, we are fallible and sometimes selfish creatures. That’s bad news for IT security leaders tasked with mitigating cyber risk to acceptable levels.
In this context, the best way to balance user productivity and security is to let employees work largely the way they always have but add an extra layer of invisible protection around the data they work with. Data-centric security means the organization's crown jewels are protected via encryption or tokenization wherever they are and wherever they travel, from an office-based desktop to a remote worker's laptop and all the cloud systems in between. A misdelivered file or a document copied to a shared family PC then exposes only ciphertext or surrogate tokens, not the underlying data, because the keys or the token vault never leave the organization's control.
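To make the tokenization idea concrete, here is an added illustration (not code from the original post or from any product) of a minimal token vault: sensitive fields in a customer record are swapped for random surrogate tokens before the record leaves the secure environment, and only a holder of the vault can map them back. The record layout, the field names marked as sensitive and the `TokenVault` class are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets


class TokenVault:
    """Hypothetical tokenization vault for this example.

    Sensitive values are replaced by random tokens.  The vault keeps the
    token -> value mapping; a document holding only tokens reveals nothing
    to whoever receives it by mistake.  An HMAC of each value (keyed with a
    secret held by the vault) indexes existing tokens so the same value
    always maps to the same token, without storing a bare hash that could
    be brute-forced offline.
    """

    def __init__(self, lookup_key: bytes):
        self._key = lookup_key
        self._token_by_digest: dict[str, str] = {}
        self._value_by_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_digest.get(digest)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random, carries no information
            self._token_by_digest[digest] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for tokens this vault never issued.
        return self._value_by_token[token]


# Assumed set of fields that must never leave the secure environment in clear.
SENSITIVE_FIELDS = {"name", "email", "account_number"}


def protect_record(vault: TokenVault, record: dict) -> dict:
    """Return a copy of the record with sensitive fields tokenized."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def reveal_record(vault: TokenVault, record: dict) -> dict:
    """Reverse protect_record; only works with the vault that issued the tokens."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def leaks_plaintext(protected: dict, original: dict) -> bool:
    """True if any original sensitive value is visible in the protected record."""
    serialized = json.dumps(protected)
    return any(original[k] in serialized for k in SENSITIVE_FIELDS if k in original)


# Constructed sample record, standing in for a document a remote worker handles.
SAMPLE_RECORD = {
    "name": "A. Customer",
    "email": "a.customer@example.com",
    "account_number": "GB00EXAMPLE1234567",
    "plan": "premium",
}


def demo() -> tuple[dict, dict, bool]:
    """Tokenize the sample, then detokenize it with the same vault."""
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    protected = protect_record(vault, SAMPLE_RECORD)
    restored = reveal_record(vault, protected)
    return protected, restored, leaks_plaintext(protected, SAMPLE_RECORD)


if __name__ == "__main__":
    protected, restored, leaked = demo()
    print("protected:", json.dumps(protected, indent=2))
    print("leaks plaintext:", leaked)
    print("round trip ok:", restored == SAMPLE_RECORD)
```

In a real deployment the vault would be a separate, access-controlled service; the point of the example is that the copy of the record which travels to a laptop, a personal device or a mistaken recipient contains only `tok_...` strings, so the human errors described above no longer translate directly into a data breach.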
The post "Why Data Protection is the First Step to Mitigating Insider Risk" is authored by Thomas Stoesser.