Cybersecurity: Are we too relaxed about the ‘insider threat’? 

8th Aug 23 3:22 pm

Employees in UK companies are not doing all they should to prevent data breaches – and those in charge of cybersecurity are under no illusions about the impact this is having.

With the World Economic Forum reporting that 95% of cybersecurity issues can be traced to human error, nobody can afford to turn a blind eye to the ‘insider threat’.

In Apricorn’s recent survey of security leaders in large enterprises, 22% said employees had accidentally caused a data breach at their organisation. Worryingly, 20% said employees with malicious intent had been behind a breach, double the previous year. Almost half of respondents admitted remote workers had knowingly exposed data to theft or loss over the last year.

Despite recognising this gap in their company’s defences, the security leaders surveyed don’t appear to be taking the necessary steps to manage the risk. Only 14% of the companies that allow staff members to use their own IT devices when working remotely control how those devices can access the corporate network and systems. This means data is at risk if a device is left unlocked, stolen or lost, or an employee logs in via an unsecured public wifi network.

Defuse the ticking time bomb

Whether data is exposed through a momentary slip-up, negligence, or a deliberate attempt to sabotage the business, steps need to be taken to build (or rebuild) a security-first culture. This requires a layered approach that covers people, policy, and technology.

Put protocols in place, and educate employees

In Apricorn’s survey, 28% of security leaders said they struggled with a lack of employee awareness of the risks to data when working remotely. Perhaps the organisation went all-out with cybersecurity training when hybrid working first emerged, but eased off as the model bedded in. Staff may have become ‘desensitised’ to messages around threats and the need to remain vigilant.

It’s important to set out clear and easy-to-follow policies that detail the security behaviours expected from employees, then bring them to life through ongoing training programmes. These should be contextual and relevant to ensure engagement, focused on the threats and vulnerabilities specific to the organisation and the data it handles. The importance of reminding people of the basics of security hygiene – such as how to spot suspicious emails, and the need to apply software updates – cannot be overstated.

Ban unmanaged devices

Enterprises should make it a formal requirement that staff members only use approved equipment to access corporate resources, to reduce the attack surface. Policies must be enforced using software controls, and also in hardware, for example locking down USB ports so they can’t accept unauthorised devices.
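One concrete form of the hardware-level control described above is to block removable storage on managed Windows endpoints. The following is an added example, not code from the article or from Apricorn: it writes the registry value behind the Group Policy setting “All Removable Storage classes: Deny all access” and exposes a small audit function that a compliance scan can call. It assumes an elevated PowerShell session and that the endpoint is not already receiving a conflicting domain policy; the key path, the `Deny_All` value and the function name `Get-RemovableStorageState` are the assumptions noted in the comments.

```powershell
# Added example (not from the article). Deny all removable-storage access on a
# Windows endpoint by setting the policy value that the Group Policy
# "All Removable Storage classes: Deny all access" writes. Run elevated.
# Assumption: no domain GPO overrides this local policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null

# Audit helper (hypothetical name): report the effective setting so a
# compliance scan can flag endpoints where removable storage is still allowed.
function Get-RemovableStorageState {
    $v = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    if ($v -eq 1) { 'denied' } else { 'allowed' }
}

Get-RemovableStorageState   # expected to report 'denied' after the change above
```

The policy takes effect for newly attached devices once policy is refreshed (`gpupdate /force` or a reboot), so the audit function is worth running again after that refresh rather than only immediately after the registry write. Pair the registry check with an inventory of the devices already connected so that existing drives are caught as well.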

Embrace encryption

If devices such as USB drives, laptops and smartphones happen to end up in the wrong hands, encryption protects the information on them by rendering it unreadable. Apricorn’s survey highlighted a significant jump in the percentage of security leaders planning to introduce data encryption in the future – an average increase across all types of device from 12% in 2022 to 23% this year.
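To make the encryption measure above enforceable rather than optional, the following added example (not code from the article or from Apricorn) turns on BitLocker for the operating-system drive of a Windows laptop, escrows the recovery password, refuses writes to removable drives that are not themselves BitLocker-protected, and reports any volume still unencrypted. It assumes an elevated session on a TPM-equipped, domain-joined machine whose policy permits recovery-key backup to Active Directory; the `RDVDenyWriteAccess` value, the drive letter `C:` and the function name `Get-UnencryptedVolume` are the assumptions noted in the comments.

```powershell
# Added example (not from the article). Enforce encryption at rest on a Windows
# laptop and make any unprotected volume visible. Run elevated.
# Assumptions: TPM present, OS volume is C:, domain policy allows AD key escrow.

# 1. Add a recovery password first so a lost device stays unreadable to a
#    finder but an administrator can still recover the data.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# 2. Escrow that recovery password in Active Directory before encrypting.
$recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId

# 3. Encrypt the OS drive with XTS-AES-256, unlocked by the TPM at boot.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# 4. Refuse to write to removable drives that are not BitLocker-protected
#    (the value behind the Group Policy "Deny write access to removable drives
#    not protected by BitLocker").
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
New-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -PropertyType DWord -Value 1 -Force | Out-Null

# 5. Audit helper (hypothetical name): list volumes whose protection is off.
function Get-UnencryptedVolume {
    Get-BitLockerVolume |
        Where-Object ProtectionStatus -eq 'Off' |
        Select-Object MountPoint, VolumeType, ProtectionStatus
}

Get-UnencryptedVolume   # an empty result means every volume is protected
```

Encryption runs in the background after `Enable-BitLocker` returns, so `ProtectionStatus` stays `Off` until it completes; a fleet-wide check should therefore treat a non-empty result from the audit function as a finding to follow up, not as an immediate failure. Step 4 is what closes the gap for data copied to personal USB drives: an unencrypted stick becomes read-only on managed machines.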

Complacency may well have crept in over the last year or so as employees have become used to the hybrid working model, especially if they’ve worked this way without incident thus far. With cyber-attackers increasingly targeting individuals in order to gain a foothold in corporate networks and systems, this is not the time for the business to adopt a ‘hands-off’ approach to cybersecurity. IT teams must now pull tightly on the reins and apply comprehensive measures to protect data, using education, policy and technology tools to take back control.
