Some UK businesses are seeing employees watching adult content at work, according to a survey by an identity management product company. Or, employees are using gaming and gambling websites, or video sharing sites, leaving networks open to phishing scams and viruses downloaded via the use of inappropriate content.
The survey by OneLogin, of more than 600 UK-based IT decision-makers, with influence over their business’s IT security, found a disparity between internet access and security policies. For example, nearly a third (29pc) of businesses neglect to monitor their employees’ use of high-risk websites on the corporate network, providing employees with unrestricted internet access, and potentially impacting the security of sensitive business data.
When it comes to the preventative measures used to monitor external threat vectors, over a third (36pc) don’t invest in security education for their employees and 62pc conduct phishing assessments. In addition to this, three quarters (75pc) don’t use cloud access security brokers and two-thirds (69pc) don’t use Single-Sign-On services. According to the IM firm, organisations appear to be taking the risky approach of simply relying on employees to use their common sense when it comes to cybersecurity, leaving valuable corporate data easily accessible to cybercriminals looking for the easiest way into the corporate network.
These security shortcomings can lead to costs including the unexpected loss of customer business, product discounts, forensic and investigative activities, and legal expenditures. And once GDPR comes into effect in May 2018, penalties related to data breaches will start at €10 million and can go up to as much as €20 million or 4pc of a business’s annual turnover, depending on which is higher.
Alvaro Hoyos, chief information security officer at OneLogin said: “With an influx of employees now choosing to work remotely from personal devices, many remain unaware of security threats and often access the internet forgetting they’re still connected to the corporate network. Therefore, organisations simply cannot afford to rely on employees to know the impact of their personal habits on corporate cyber security, meaning proactive steps must be taken. Emphasis must be placed on IT and security training for employees to understand the need to avoid high-risk websites to preserve corporate integrity.”
