What, Me Worry? Lackadaisical Employee Attitudes Resulting in Cybersecurity Calamities and Lurking Attacks
The role of IT in defending against cyberattacks is more difficult than ever. It becomes even more challenging when IT departments are forced to tackle the lack of willingness by employees to take precautionary steps against attacks, according to the latest results from the A10 Networks Application Intelligence Report (AIR).
DOWNLOAD THE EBOOK: ARE YOUR EMPLOYEES PUTTING YOUR ORGANIZATION AT RISK?
Based on research involving more than 2,000 business and IT professionals at companies from various industries around the world, A10 AIR addresses the challenges IT decision makers face with the rise and complexity of cyberattacks, and the sometimes careless attitudes of employees who unwittingly introduce new threats into their businesses.
Employees Unknowingly Introducing Cyberthreats to Their Companies
The report revealed that employees often unknowingly weaken cybersecurity with the use of unsanctioned apps: one out of three (37 percent) of employees surveyed say they aren’t familiar with what a DDoS attack is, or even aware of how they could unknowingly become victimized.
This data is even more disturbing when almost half (48 percent) of IT leaders say they agree that their employees do not care about following security practices, according to the survey findings. It’s hard to protect someone who isn’t familiar with the warning signs associated with attacks – or willing to learn about them.
With often poor understanding of corporate security policies, this behavior increases the risks that come with a growing reliance on disparate and app-dependent workforces, especially when one third (30 percent) of employees surveyed knowingly use apps their companies forbid.
Of those who use non-sanctioned apps, more than half (51 percent) claim “everybody does it,” while one third (36 percent) say they believe their IT department doesn’t have the right to tell them what apps they can’t use.
Why use unsanctioned apps in the first place? One third (33 percent) of all respondents claim IT doesn’t give them the apps needed to get the job done.
But Who’s Responsible for App Security?
For employees who want to check sports scores or listen to streaming music at work, poorly designed apps with weak security could provide the backdoor for attackers to gain entry into the employee’s corporate network.
While the WireX botnet recently hijacked thousands of devices through seemingly harmless apps, it’s a frightening reminder that it only takes one app with weak security to infect a mobile device. More than half (55 percent) of employees surveyed say they expect the use of business apps to increase, meaning the odds also increase of these devices becoming part of a larger DDoS attack, which can bring entire businesses to a screeching halt.
But who is ultimately responsible to protect employees who used non-sanctioned apps at work? App developers, IT departments and end users are at odds over who is responsible for application security and best practices regarding the many apps on the phones of employees. With employees, responsibility is low: only two out of five (41 percent) claim ownership for the security and protection of non-business apps they use, AIR found.
And who is that “someone else” who should be protecting users’ apps in the workplace? Employees think security should be provided by the app developers (20 percent), service providers (17 percent) and their IT department (16 percent).
But if you ask IT decision-makers who is internally responsible, one third say the security team is most responsible for protecting employee’s identity and personal information, followed by the CIO or vice president (17 percent) of the company, and 15 percent state “the whole IT department.”
Employee Behavior Toward the Use of Banned Apps or Sites at Work
It’s an accepted fact that companies can block apps and websites at work – 87 percent of respondents find this practice acceptable, and 85 percent would accept a position at a company that does so. However, only two thirds (61 percent) of employees cliaim their companies actually block specific sites or apps.
Additionally, 10 percent don’t know if the apps they use at work are banned or not, demonstrating a need for better communications from IT, and the survey backs this up: 88 percent of IT heads say employees need better education on best security practices.
Perceived Attitudes of Employees and Thoughts on Best Practices
What other ways are IT professionals reminding employees about best practices when it comes to security? Password policies are communicated to employees through email reminders (66 percent) followed by employee orientation (50 percent), internal meetings (48 percent), and communication from a manager (44 percent).
And when it comes to passwords, IT decision makers say their top recommended password policy is updating passwords regularly (76 percent), followed by choosing different passwords for different systems (59 percent), and two-factor or multi-factor authentication (53 percent).
Overall, what does IT need to do better protect their company? The biggest challenge noted by IT professionals is lack of corporate commitment to security policy and enforcement (29 percent).
But there is good news: although almost a quarter of IT decision-makers think there will be no improvement in security behavior at their company, 75 percent optimistically think there will be.
The A10 AIR Report
The intent of A10 Networks in commissioning the AIR research is to explore the interaction of employees with applications and the growing security implications that result personally and for businesses and their IT organizations. Earlier this year, AIR examined the rise in use of apps in our “blended lives,” blurring lines between work and personal business through use of apps at home and in the office.
AIR was commissioned by A10 Networks and conducted independently by strategic research firm Provoke Insights. It involves more than 2,000 business and IT professionals with the intent to provide education for organizations and their IT departments that can help them reassess corporate policies and ultimately protect their businesses – and their applications – by simply becoming more aware of the behavior of their employees.
The research was conducted in 10 countries, representing some of the world’s largest economies and fastest growing populations of technology adopters: Brazil, China, France, Germany, India, Japan, Singapore, South Korea, the United Kingdom and the United States.
Learn more and see more data in our free ebook.