Although we spend over a third of our lives at work, most of us are professionally unsatisfied.
According to Gallup’s State of the Global Workforce report, a mere 15 per cent of workers worldwide claim to be actively engaged in their jobs. While there are regional variations, the figure never exceeds 40 per cent and the productivity cost to the global economy is estimated at a massive $7 trillion annually.
Unfortunately, one of the biggest problems with disengaged staff is that they often neglect or misunderstand cybersecurity policies and protocols.
IBM’s 2018 X-Force Threat Intelligence report recently concluded that unwitting employee negligence accounted for two-thirds of all records compromised in 2017. In other words, 3 billion records were put at risk by “inadvertent insiders”, with 70 per cent of all lost data due to misconfigured cloud storage servers, databases, network, and backup gear.
It is a prickly problem and one that is only going to get thornier as multi-cloud deployment scenarios become operational prerequisites. The signs are already here; IBM found that records breached due to misconfigured cloud servers rose by a remarkable 424 per cent last year.
Business heads worldwide need to get better at leading by example and supporting continually evolving awareness-raising programmes. At the same time, they need to ensure existing defence postures are rigorously interrogated and enhanced to cope with ever-expanding attack surfaces and increasingly ingenious cybercriminal activity.
Anticipating human fallibility is a far trickier proposition, particularly when it comes to spotting risky behaviours in the workplace. So, with that in mind, here are my top five personas and scenarios – all rooted in reality – to look out for:
Fed-up Fiona – Fiona is in HR and has asked IT if she can work from home. They are working on her request, but she is getting frustrated with the wait. Taking matters into her own hands, she diverts sensitive files to a less secure part of the network that is easier to access remotely. IT is in the dark and hackers duly leap into action.
The pressure is on for businesses to keep up with all the multifarious demands and logistics of flexible working. Employees often believe they have the tech and security smarts to go it alone. They don’t. Remote network access needs to be secure, user-friendly, and fast to set up.
So long Susan – Susan has a new job. A few weeks before her last day, she downloads gigabytes of corporate resources and project files. Why reinvent the wheel when you can cut, paste, and adapt? It takes mere minutes to transfer everything to a USB.
Unfortunately, she’s inadvertently swiped large quantities of sensitive company details, which are now vulnerable either at her own home or new workplace environment. She could also lose the USB in a public place (a cursory glance at the news shows that this happens all the time). Expect trouble if you don’t flag employee turnover as a major data risk.
Lazy Larry – Larry is a receptionist. He is gregarious and always aims to please. One day a girl arrives for an interview and asks him to print her CV from a USB pen. Larry obliges and instantly infects his company network with ransomware.
Cybercriminals regularly prey on human emotions and can be disarmingly charming. Seemingly innocuous interactions can soon turn to chaos. Ensure all staff understand the dangers of opening unknown files or plugging in unauthorised hardware. It seems obvious but that is exactly why it is often overlooked.
Coffee shop Catherine – Catherine is rarely in the office. She’s always meeting new business prospects and is well acquainted with public Wi-Fi spots. Mobile data is expensive, and IT is limiting her roaming allowances.
Today, she’s in a rush to send a large attachment before her next client meeting, so she logs in to a public network at a coffee shop. She doesn’t have time to go via her company’s Virtual Private Network (VPN). Big mistake!
Public Wi-Fi is a virtual Wild West for Man-in-the-Middle attacks (hackers intercepting data, lack of encryption, and malware proliferation). Nowadays, even cybercriminal novices can readily obtain software kits and devices to eavesdrop on Wi-Fi signals, as well as set up rogue access points. Make sure top-quality VPNs, multi-factor authentication and common cyber sense are everyday disciplines for all employees, whether working at home or on the road.
Nigel the Newbie – Nigel is keen to make a great first impression, but first he must navigate hours of online security training.
Surely this can wait? He’s a high-flying salesman with a reputation to uphold and new colleagues to impress. Plus, he’s done this kind of training before at his former workplace. How different can it be?
All cybersecurity training initiatives should be user-friendly, credible, and purposeful, encompassing regular updates, mandatory compliance sessions, and behavioural best practice. It is essential to build a culture of security vigilance and respect for IT. You are failing as a leader if this isn’t already happening.
Recognise any of these characters and scenarios? You surely do, and there are innumerable variations, mutations, and permutations to contend with every day. The key is to stay sharp and do everything you can to quash bad habits before they spiral out of control or become culturally innate.
Employee cybersecurity ignorance will always exist. It is up to those at the top to limit its frequency, ensure adequate security systems are in place and, crucially, that lessons are learned from mistakes and never repeated. Standing up to complacency is a responsibility to change behaviours and, ultimately, it’s character forming.
Paul Dignan, Senior Systems Engineer, F5 Networks