Risky user behaviour and poor security practices threaten Irish organisations
13 March 2019
A Microsoft survey of organisations on the island of Ireland has found that poor, inconsistent security policies, processes and procedures create bad habits among employees, habits which could compromise critical data and cause disruption with serious consequences.
The survey of 700 organisations of 100 users or more, carried out by Amárach, called “Securing the Future”, found that despite the bulk of security breaches being attributable to compromised user credentials, people are still employing poor password practices, as almost a quarter (22%) are still writing down passwords, while 43% use the same password across multiple applications and services, and 38% engage in password recycling.
“The most common and least detected sources of data breaches,” said Des Ryan, report author and solutions director, Microsoft, “are compromised identities. Passwords can be hacked, guessed, leaked, or lost. New technologies like biometrics can deliver the robust security needed, and accompanied by consistent training, enforced policies, and better device upgrades, employees can deliver the productivity needed for successful transformation with a minimum of risk to the organisation.”
Data governance is also an area of concern, according to the survey report. Data is the currency of modern economics, and companies are gathering more data and using it as a differentiator, said Ryan.
“With the General Data Protection Regulation (GDPR) in full effect, you’d imagine that people would be protecting their data, or at least being more conscious of it, but the survey found that 36% of people had backed up data from their corporate-supplied device onto a thumb drive or back-up device of some description that was not corporate-supplied.”
“So, you have to ask, what was that data that was being backed up? Why was it being backed up? Where was it being moved to and who is controlling these non-corporate-supplied devices?”
“I believe that organisations need to be paranoid about personal devices in the workplace,” said Ryan.
“BYOD is important for some organisations, and I certainly wouldn’t say you shouldn’t do it, but I would be suggesting, from this research, that it is not being done well.”
Remote working was also highlighted as an area of risk.
More than half of people (56%) said they work from home at some point, but almost half (49%) of these say there is no restriction on accessing corporate files. Furthermore, almost a third (32%) admitted to using personal email or online services, such as Gmail, iCloud and Dropbox, to send, receive or edit work-related materials.
The implication, said Ryan, is that remote access controls are not as tight as they should be. Almost a quarter (24%) of remote workers have accidentally shared corporate files with the wrong people.
More than half (56%) of respondents admitted to using free or public Wi-Fi for work-related purposes when they are away from work or from home, a figure which rises to 73% among those who work from home at least once a week. The report clarifies, however, that this figure does not necessarily mean those who work from home are more likely to engage in risky behaviour; rather, it reflects the fact that they are exposed to riskier situations more often.
All of this is within the context of hardware being less than cutting edge, introducing a further risk element. Almost half (47%) said that hardware was rarely updated. Half of public and private sector employees in Ireland claim their personal device is better than their work device, says the report.
Some 44% of respondents have experienced problems with phishing, hacking, cyber fraud or other cyberattacks, while almost three quarters (70%) have been notified of a data breach and personal data being accessed. And yet almost half (46%) of public and private sector employees in Ireland have had no training in the last 12 months on combatting cyberattacks.
Education on security should be mandatory, argues Ryan, but the subject is constantly changing.
“There must be some formal education,” said Ryan.
Security awareness training needs to be regular and updated for current threats and challenges. Ryan said it is up to organisations to educate their users, but that it is also incumbent on technology vendors to not only keep ahead of the threats but also to make the measures usable.
The report concludes that as digital culture within organisations grows to enable successful transformation, the boundaries between home and work lives and devices blur. It will be crucial to enable employees to be more productive on the go and to support them with both training and policies that will protect them against data loss, it says.
“It will be increasingly important that employers upgrade their hardware and software to ensure optimum levels of security but also to demonstrate a commitment to current and prospective employees that they are willing to invest in the best and ensure that all steps are taken to guarantee device security and facilitate the development of a productive digital culture,” the report concludes.