Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //


09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb

Employees Remain the Weak Link in Your Company's Cybersecurity Plans

Another report, this time from Finn Partners Research, shows that employees remain the weakest link in the cybersecurity chain.

Who's the biggest threat to your enterprise's security? It might be the guy or gal sitting right next to you.

Your fellow employees are, unsurprisingly, the deadliest cybersecurity risk that organizations face today. That's the finding of a new study released by Finn Partners Research, "Cybersecurity at Work." The report is based on questions sent to 500 full-time office employees across the US.

The survey was completed in June, and the respondents held full-time positions in an office environment that had more than 100 employees.

For example, the study found that nearly two in five workers admitted to clicking on a link or opening an attachment from a sender they did not recognize. (See Email-Based Attacks Still Wreaking Havoc on Enterprises, Study Finds.)

Additionally, more than half of employees -- 55% -- are using their personal devices for work, thanks to the BYOD effect. This means an increased vulnerability to hackers, malware and data breaches because of the unsupervised environment of the devices. (See ISF: Balance Is Key to Mobile Security.)

(Source: iStock)\r\n
(Source: iStock)\r\n

Further illustrating poor practices, only 26% of the surveyed employees changed their login credentials and passwords for personal and work applications at least once a month.

Jeff Seedman, a senior partner at Finn Partners, noted in a statement:

The fastest and easiest way for bad actors to gain access to sensitive organizational data is for employees to click on nefarious links -- we know that around 40 percent of our workforce is engaging in such behavior. While 31 percent of respondents have already been a victim of a breach or attack, the behavior patterns to elicit security breaches remain.

However, training by the IT and security departments to counter these behaviors is limited.

In the survey, about 25% of respondents reported that they receive "cyber hygiene" training on a monthly basis from their IT team. This includes the updating of operating systems on devices, checking for security patches, as well as changing passwords.

Another 29% report that they had quarterly training in this area, while 19% receive bi-annual training and 23% receive annual training.

Still, 93% of the respondents believe that their company takes adequate cybersecurity measures to protect their personal and corporate data. Amazingly, 94% of those surveyed believe they are doing their part in helping to keep their company's data secure.

Zero in on the most attractive 5G NR deployment strategies, and take a look ahead to later technology developments and service innovations. Join us for the Deployment Strategies for 5G NR breakfast workshop in LA at MWCA on September 12. Register now to learn from and network with industry experts – communications service providers get in free!

Of course, what specifics "their part" is up to the interpretation of who is evaluating it.

The report also asked respondents if they were dissatisfied with their jobs, would they take the company's corporate security less seriously. Of those surveyed, 79% said no, 16% said yes, and 4% said they didn't know.

Employees also considered themselves at risk from a corporate cybersecurity standpoint. Specially, 37% expressed that their biggest worry from a breach would be that their device would get a virus, as opposed to only 19% who worried most about leaking corporate data or the 19% that thought such a breach would cost the company a lot of money.

This report shows that employees need to be aggressively counseled about cybersecurity. Left to their own impulses they can indulge in unsafe behaviors, perhaps abetted by the BYOD phenomenon.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations.
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows alteration of build artifacts in some situations.
PUBLISHED: 2021-09-18
Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to control a database connection string, in some situations, via a crafted database name or username.
PUBLISHED: 2021-09-18
A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system.
PUBLISHED: 2021-09-17
static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal Electron API.