Dark Reading is part of the Informa Tech Division of Informa PLC



10/1/2020
02:00 PM
Aviv Grafi
Commentary

'It Won't Happen to Me': Employee Apathy Prevails Despite Greater Cybersecurity Awareness

To protect your organization from all emerging file-borne threats, the security and leadership teams must align to develop a streamlined approach to file security.

With remote working now part of the new business reality, cybersecurity has skyrocketed to the top of the IT to-do list. Companies are investing astronomical sums to upgrade technology, develop security processes, and boost IT staff, yet studies indicate that they may be overlooking the biggest piece of the puzzle: their employees.

Knowledge Is Power … Not!
Recognizing that knowledge is the best weapon when it comes to cybersecurity, many companies have embarked on a mission to raise cybersecurity awareness among employees. From training programs that explain the risk of phishing scams to simulations that clarify the steps to take when faced with a suspicious email, many companies are striving to ensure that every employee within the organization is educated about cybersecurity protocols. Yet despite having this knowledge, apathy about cybersecurity hygiene prevails among employees; most display a lack of interest, enthusiasm, or concern about their organization's cyber health. 


A wide spectrum of studies shows that despite greater awareness of cybersecurity dangers, employees still show a lax attitude when it comes to practicing even the most basic cybersecurity prevention methods. Trend Micro reports that despite 72% of employees claiming to have gained better cybersecurity awareness during the pandemic, 56% still admitted to using a non-work application on a company device, and 66% admitted to uploading corporate data to that application, despite knowing that their behavior represents a security risk. The same survey showed that 39% of employees knowingly breach their company's security policies by regularly accessing work data from a personal device. Shockingly, 29% said they believed the solutions provided by their company were "nonsense."

The same level of employee apathy can be seen in the public sector as well. According to a survey by security services firm Dtex Systems, 48% of government employees feel no personal responsibility for the security of their work devices or information. Approximately 50% believe that they could be hacked no matter what protective measures they took, while 43% took the polar opposite approach — they didn't take the threat seriously at all, as they didn't believe they could be hacked.

This lack of concern, care, or adherence to cybersecurity standards is especially worrying with the growth of the work-from-home workforce. In one survey, 34% of IT professionals indicated that their remote staff are not interested in cybersecurity. In another survey of furloughed employees in the UK and Ireland, 48% said they were not concerned about email phishing scams because they say it is IT's responsibility to deal with them. That same number of respondents admit that upon returning to the office, they would power through their inbox as fast as possible, without taking the time to inspect any links or attachments in emails that might be fraudulent.

Four Reasons for Employee Apathy About Cybersecurity
1. Open attitudes toward information: Millennials and Generation Z, who have been raised in a culture of sharing, are not as wary about protecting their privacy or about interacting with strangers. People who are comfortable sharing with anyone and everyone over social media are less likely to think twice about security procedures and standards. In fact, millennials have been shown to use the same passwords again and again, and 60% of this demographic accept connections with strangers "most of the time."

2. Complexities of security technology: The wide range of ever-changing security technologies can be confusing and exasperating for the average employee. Studies show that the majority of Internet users do not have a clear understanding of the latest security standards and best practices, such as two-factor authentication, mobile device management, and VPNs. Often, something not understood is more easily ignored.

3. Time constraints: Even the best laid plans can be cast aside when no one has time to implement them. Employees are busy and may not want to spend the extra time required to check the protocol about suspicious emails or to notify the right party when they accidentally clicked on a "bad link."

4. Negative impact on productivity: Employees often feel that cybersecurity measures adversely affect their productivity. Whether it's due to files being quarantined or because each device, app, and software program has its own layer of security, employees can easily become frustrated with cybersecurity protocols. A Dell study found that 91% of business users feel that additional security measures — including remote-access policies — hamper their ability to get their work done efficiently.

What's an Organization to Do?
With an average of 10 million new malware threats recorded per month, organizations must address employee apathy in light of the growing risks. Trend Micro's report concluded that simply building more workplace security awareness programs for employees isn't the answer, as the findings show that employees were well aware of the cybersecurity risks but disregarded their company's security rules anyway.

To protect your organization from all emerging file-borne threats, the security and leadership teams must align to develop a streamlined approach to file security. Such an approach should focus only on allowing safe information to reach an end user rather than attempting to block malicious items. Too often, we see the latter approach accomplished with sandboxing and antivirus software — but this blocked information can also act as an obstacle for many employees as they navigate their primary work responsibilities.

Leadership must evaluate the organization's security posture from all angles, finding gaps and solutions that allow safe files to flow freely — no matter what reaches employees. 

Aviv Grafi is CEO & Founder of Votiro, an award-winning cybersecurity company specializing in neutralizing files of all kinds through Secure File Gateway solutions. Aviv is principal software architect for Votiro's enterprise solution, which is based on a unique Positive ...
 
