Dark Reading is part of the Informa Tech Division of Informa PLC

10/1/2020
02:00 PM
Aviv Grafi
Commentary

'It Won't Happen to Me': Employee Apathy Prevails Despite Greater Cybersecurity Awareness

To protect your organization from all emerging file-borne threats, the security and leadership teams must align to develop a streamlined approach to file security.

With remote working now part of the new business reality, cybersecurity has skyrocketed to the top of the IT to-do list. Companies are investing astronomical sums to upgrade technology, develop security processes, and boost IT staff, yet studies indicate that they may be overlooking the biggest piece of the puzzle: their employees.

Knowledge Is Power … Not!
Recognizing that knowledge is the best weapon when it comes to cybersecurity, many companies have embarked on a mission to raise cybersecurity awareness among employees. From training programs that explain the risk of phishing scams to simulations that clarify the steps to take when faced with a suspicious email, many companies are striving to ensure that every employee within the organization is educated about cybersecurity protocols. Yet despite having this knowledge, apathy about cybersecurity hygiene prevails among employees; most display a lack of interest, enthusiasm, or concern about their organization's cyber health. 

A wide spectrum of studies shows that despite greater awareness of cybersecurity dangers, employees still show a lax attitude when it comes to practicing even the most basic cybersecurity prevention methods. Trend Micro reports that despite 72% of employees claiming to have gained better cybersecurity awareness during the pandemic, 56% still admitted to using a non-work application on a company device, and 66% admitted to uploading corporate data to that application, despite knowing that their behavior represents a security risk. The same survey showed that 39% of employees knowingly breach their company's security policies by regularly accessing work data from a personal device. Shockingly, 29% said they believed the solutions provided by their company were "nonsense."

The same level of employee apathy can be seen in the public sector as well. According to a survey by security services firm Dtex Systems, 48% of government employees feel no personal responsibility for the security of their work devices or information. Approximately 50% believe that they could be hacked no matter what protective measures they took, while 43% took the polar opposite approach — they didn't take the threat seriously at all, as they didn't believe they could be hacked.

This lack of concern, care, or adherence to cybersecurity standards is especially worrying with the growth of the work-from-home workforce. In one survey, 34% of IT professionals indicated that their remote staff are not interested in cybersecurity. In another survey of furloughed employees in the UK and Ireland, 48% said they were not concerned about email phishing scams because they say it is IT's responsibility to deal with them. That same number of respondents admit that upon returning to the office, they would power through their inbox as fast as possible, without taking the time to inspect any links or attachments in emails that might be fraudulent.

Four Reasons for Employee Apathy About Cybersecurity
1. Open attitudes toward information: Millennials and Generation Z, who have been raised in a culture of sharing, are not as wary about protecting their privacy or about interacting with strangers. People who are comfortable sharing with anyone and everyone over social media are less likely to think twice about security procedures and standards. In fact, millennials have been shown to use the same passwords again and again, and 60% of this demographic accept connections with strangers "most of the time."

2. Complexities of security technology: The wide range of ever-changing security technologies can be confusing and exasperating for the average employee. Studies show that the majority of Internet users do not have a clear understanding of the latest security standards and best practices, such as two-factor authentication, mobile device management, and VPNs. Often, something not understood is more easily ignored.

3. Time constraints: Even the best laid plans can be cast aside when no one has time to implement them. Employees are busy and may not want to spend the extra time required to check the protocol about suspicious emails or to notify the right party when they accidentally clicked on a "bad link."

4. Negative impact on productivity: Employees often feel that cybersecurity measures adversely affect their productivity. Whether it's due to files being quarantined or because each device, app, and software program has its own layer of security, employees can easily become frustrated with cybersecurity protocols. A Dell study found that 91% of business users feel that additional security measures — including remote-access policies — hamper their ability to get their work done efficiently.

What's an Organization to Do?
With an average of 10 million new malware threats recorded per month, organizations must address employee apathy in light of the growing risks. Trend Micro's report concluded that simply building more workplace security awareness programs for employees isn't the answer, as the findings show that employees were well aware of the cybersecurity risks but disregarded their company's security rules anyway.

To protect your organization from all emerging file-borne threats, the security and leadership teams must align to develop a streamlined approach to file security. Such an approach should focus only on allowing safe information to reach an end user rather than attempting to block malicious items. Too often, we see the latter approach accomplished with sandboxing and antivirus software — but this blocked information can also act as an obstacle for many employees as they navigate their primary work responsibilities.

Leadership must evaluate the organization's security posture from all angles, finding gaps and solutions that allow safe files to flow freely — no matter what reaches employees. 

Aviv Grafi is CEO & Founder of Votiro, an award-winning cybersecurity company specializing in neutralizing files of all kinds through Secure File Gateway solutions. Aviv is principal software architect for Votiro's enterprise solution, which is based on a unique Positive ...
 
