Bad habits of employees are significant cyber security risk

20 June 2016 Consultancy.uk

Employees’ bad habits are leaving their employers’ cyber doors wide open to attack, according to a new study. Improving awareness through communication and training, as well as implementing a range of controls to monitor behaviour, is key.

Cyber security has in recent years grown into one of the chief concerns of business leaders. The growing attention the topic is receiving in boardrooms follows from the scale of cybercrime and the impact it is having on businesses across the globe. One study by the Center for Strategic and International Studies, a Washington DC policy research group, and McAfee, a technology security firm, puts the annual cost of cybercrime to the world economy at more than $400 billion, although the researchers say nothing about the wider impact on business reputations and personal lives. According to Gartner, there are over 500,000 cyber-attacks globally every day, and, more worryingly, it believes that the convergence of a range of large technology trends will continue to extend the scale and reach of cybercrime.

For organisations, mitigating the impacts of cybercrime has become serious business, and, as a result, spending on ramping up defences along cyber frontiers is taking off. One analyst firm estimates that cyber spending will hit $86 billion this year, aimed for the most part at technical skills and building an active cyber-defense stance. However, a new report released by Norrie Johnston Recruitment (NJR), a Winchester-based executive search and interim management company, shows that while most of the attention goes to thwarting e-criminals from doing their crooked job, arguably just as much attention should go into educating a company’s own employees. 

Question One: Which of the following have you experienced in the past 12 months?

The research found that staff pose a significant risk to their employer’s cyber security. Just over 50% of employees surveyed have in the past 12 months experienced some kind of scam, ranging from a fake email from PayPal, Apple or a bank (29%), to a Facebook scam (12%), to clicking a link that put a virus on a PC (7%). A further 17% of respondents have received scam emails that looked like they were sent by a friend, and 16% have been telephoned by someone about a ‘problem’ with their PC. “It appears that people are bombarded by potential cyber threats in their private lives, and are quite savvy about how to avoid them. Yet when it comes to a work situation they don’t realise that they still need to be security aware. As a result, they are making their employers vulnerable to attack,” comments Graham Oates, Chief Executive of Norrie Johnston Recruitment.

In addition, employees, in many cases due to a lack of awareness about security, tend to exhibit a range of bad habits which inadvertently leave companies’ cyber doors wide open to attack. For instance, 23% of employees use the same password for different work applications, while 17% write down their passwords, making their accounts vulnerable to password hacking. Furthermore, 16% work while connected to public Wi-Fi networks and 15% access social media sites on their work PCs.

Question Two: Which of the following have you done?

“The biggest threat could be the one right under your nose – your employees,” states Oates. “There’s a clear need to educate staff about the importance of cyber security best practice and how even actions that we all take for granted, like checking our Facebook page at lunchtime, could provide cyber criminals with a way into a business.”

For firms seeking to strengthen their cyber frontier, Oates concludes with a piece of advice: “Cyber security is no longer the territory of the IT team, it’s the responsibility of everyone. It needs close integration between IT, HR and Security; it needs to be embedded in the culture of the organisation and it needs to be built into the entire employment lifecycle starting with pre-employment screening and on-boarding and induction processes.”