Who's the biggest threat to your enterprise's security? It might be the guy or gal sitting right next to you.
Your fellow employees are, unsurprisingly, the deadliest cybersecurity risk that organizations face today. That's the finding of a new study released by Finn Partners Research, "Cybersecurity at Work." The report is based on questions sent to 500 full-time office employees across the US.
The survey was completed in June, and the respondents held full-time positions in an office environment that had more than 100 employees.
For example, the study found that nearly two in five workers admitted to clicking on a link or opening an attachment from a sender they did not recognize. (See Email-Based Attacks Still Wreaking Havoc on Enterprises, Study Finds.)
Additionally, more than half of employees -- 55% -- are using their personal devices for work, thanks to the BYOD effect. This means an increased vulnerability to hackers, malware and data breaches because of the unsupervised environment of the devices. (See ISF: Balance Is Key to Mobile Security.)
Further illustrating poor practices, only 26% of the surveyed employees changed their login credentials and passwords for personal and work applications at least once a month.
Jeff Seedman, a senior partner at Finn Partners, noted in a statement:
The fastest and easiest way for bad actors to gain access to sensitive organizational data is for employees to click on nefarious links -- we know that around 40 percent of our workforce is engaging in such behavior. While 31 percent of respondents have already been a victim of a breach or attack, the behavior patterns to elicit security breaches remain.
However, training by the IT and security departments to counter these behaviors is limited.
In the survey, about 25% of respondents reported that they receive "cyber hygiene" training on a monthly basis from their IT team. This includes updating operating systems on devices, checking for security patches and changing passwords.
Another 29% report that they receive quarterly training in this area, while 19% receive bi-annual training and 23% receive annual training.
Still, 93% of the respondents believe that their company takes adequate cybersecurity measures to protect their personal and corporate data. Amazingly, 94% of those surveyed believe they are doing their part in helping to keep their company's data secure.
Of course, what specifically "their part" means is up to the interpretation of whoever is evaluating it.
The report also asked respondents whether, if they were dissatisfied with their jobs, they would take the company's corporate security less seriously. Of those surveyed, 79% said no, 16% said yes, and 4% said they didn't know.
Employees also considered themselves at risk from a corporate cybersecurity standpoint. Specifically, 37% expressed that their biggest worry from a breach would be that their device would get a virus, as opposed to only 19% who worried most about leaking corporate data or the 19% who thought such a breach would cost the company a lot of money.
This report shows that employees need to be aggressively counseled about cybersecurity. Left to their own impulses they can indulge in unsafe behaviors, perhaps abetted by the BYOD phenomenon.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.