Case Studies

Employee behaviour the risk

by Mark Rowe

Critical UK business data is at risk as a result of organisations focusing their IT security policies and resources more on external threats, such as cyber-criminals and hackers, and not enough on education and awareness of potential threats. That is according to the IT firm Cisco.

The networks product firm points to two issues, drawing on responses from over 1000 employees in the UK. First, employee behaviour is becoming an increasing source of risk – more through complacency and a lack of awareness than negative intent. Second, more employees feel security policies are inhibiting innovation and collaboration, and that the costs of lost business opportunity outweigh the cost of a security breach – to the point where some employees take steps to go round the policy.

A culture of assumptions

According to the study, only 58pc of employees are aware of major security threats and the risks they present to personal/company data. The survey found that 39pc of people expect their company to take care of data security in the workplace, while just over half (54pc) believe it is their responsibility to keep personal and company data safe. Some 62pc seem so insulated from the true extent of threats that they think their behaviour only has low to moderate impact on security.

This attitude may be a result of a lack of visibility given to policies or even the threats that drive them. While 61pc of employees thought their company had a security policy, 15pc did not know if there was one or not. Almost half (48pc) said they weren’t concerned about the policy as it didn’t affect what they do, and 37pc said they only notice one exists when they are stopped from doing something by the security settings. As a result, 37pc admitted to low or moderate levels of adherence and twice as many people admitted to being more rigorous about data security at home (24pc) than at work (12pc).

Behaviour

Employee behaviour (50pc) was second only to cybercrime (70pc) when employees were asked to identify the top two greatest sources of risk to data security. All of those surveyed use their company’s network for personal transactions – the most popular was personal banking (79pc) followed closely by online shopping (75pc) and travel (59pc).

Outmoded approaches

Employees across the UK are increasingly looking at IT security as a barrier rather than an enabler for business. The survey found that one in eight (12pc) believe the focus on IT security is stifling innovation and collaboration and 13pc say it’s making it harder to do their job. A good one in five (22pc) believe that the cost of lost business opportunity outweighs the cost of a potential security breach.

Cisco identified four distinct IT security behaviour profiles which could form the basis for behaviour-centric security strategies. Each demonstrates a different threat to data security and requires a specific approach, the IT firm said, to limit the risk posed whilst leaving people free to perform at optimum efficiency and effectiveness:

The threat aware – those aware of security risks and who try hard to stay safe online
The well-intentioned – those who try to adhere to policies but who implement on a ‘hit and miss’ basis
The complacent – those who expect the company to provide a comprehensive security environment and therefore do not take individual responsibility for data security
The bored and cynical – those who believe the cyber security threat is overhyped and that IT security inhibits their performance and will circumvent policies as a result.

Terry Greer-King, Director, Cyber security, Cisco UK and Ireland, said: “This study confirms the complex challenges facing businesses when it comes to IT security. The results show that most employees recognise the threat from cybercriminals is real and worthy of continuous defence, but it also reveals that employee complacency about IT security is increasing the risks for UK businesses. An employee who blindly trusts is one amongst several “weak links” in the security chain. As cybersecurity becomes more of a strategic risk, organisations are looking to make it a formal business process providing the organisation with a holistic view of cybersecurity risks and the opportunity to improve business practices. This should be a key part of daily operations to protect the business from internal and external threats.”

“The balancing act of business enablement and protection will require a fundamental shift in how we approach IT security. Businesses that persist with point security solutions will find themselves at greater risk, as this approach is responsible for creating gaps in traditional defences that attackers exploit. Instead, organisations need to implement user-specific protocols which accommodate individual behavioural profiles, allowing them to track the users and devices connecting to networks in order to lower the risk of a breach across the entire organisation.”


© 2024 Professional Security Magazine. All rights reserved.
