British businesses are still failing to lock down access to key, business critical data, as nearly half of UK employees have or have had access to sensitive company information, according to a new study by the IT access security product company CyberArk. Its survey of more than 1000 UK office workers suggests that organisations’ cyber security practices are enabling a heightened insider threat. Specifically, it found that many employees have or have had access to mission critical company systems which should be reserved only for staff that require it:
• Almost half (48pc) of employees have or have had access to sensitive financial documents
• 46pc have or have had access to confidential HR information
• Nearly a third (29pc) have or have had direct access to company bank accounts
• 37pc have or have had access to research and development plans or blueprints for new products/services
The firm says far more employees have access to critical information than is necessary and there’s a need for UK businesses to limit how employees access sensitive data in order to better protect themselves and their customers.
As seen with nearly every recent major cyber breach, from Uber to SingHealth, credential theft remains the most common and effective route to a successful cyber-attack, the firm says. A lax approach to protecting high-value ‘privileged’ accounts can elevate the risk of such an attack or a major data breach, in the event of employees’ credentials being harvested. Managing privilege is therefore essential but, according to the study, many British businesses are failing to lock down these key accounts following changes in personnel. One in five (21pc) office workers admitted leaving a job with login details for at least one confidential company system such as its internal servers, financial performance data and HR databases, potentially allowing ‘ghost’ employees – former staff members with working login details and credentials – unauthorised access to sensitive company data outside of an organisation’s security purview.
These ‘ghost’ individuals pose a substantial threat, according to Rich Turner, VP EMEA at CyberArk: “Ghost employees are a major concern for any organisation – they not only elevate the risk of key company applications, tools and data being breached in the event of a cyber-attack, but also provide a potential route for disgruntled employees or rival businesses to manipulate existing data, causing serious administrative and financial damage.
“These findings are symptomatic of the misguided cyber spending habits of UK PLC. We continue to devote huge sums to perimeter defences when the smarter approach is to assume the inevitable – that attacks will get in – and ensure that their access to sensitive assets and data is contained.”
However, the study did suggest that employees are developing a more involved approach to cyber-security, showing that cyber education is having a positive effect and that British businesses can look forward to a more secure future. Nearly four in five (79pc) office workers would immediately admit to IT if they opened a malicious attachment, while three quarters (75pc) would voice their concerns if they didn’t understand communications from IT about security. This more involved approach to security is increasing their faith in their IT teams, with nearly three in four (74pc) confident that their security team is effectively protecting the wider organisation against threats.
However, this confidence contrasts with the behaviour of many employees still exhibiting poor cyber practices. Large numbers are still failing to admit their cyber indiscipline to their security teams, according to the survey: it found that more than half (54pc) don’t admit when they let colleagues use their log-in details, and 45pc don’t inform their IT team when they download an unauthorised app onto their work device. Such behaviours are significantly increasing their employers’ risk exposure by leaving their IT systems and accounts vulnerable to the escalation of privileges during a subsequent attack.
As well as assessing office workers’ approach to cybersecurity, the study also explored how evolutions in workplace habits and technologies are changing the security landscape. Many organisations are beginning to integrate cutting-edge new security technologies into their strategies, with nearly one in five (19pc) office workers reporting that their IT security team is experimenting with biometric security, including fingerprint and retinal scans and embedded microchips.
Nonetheless, despite firms demonstrating a willingness to experiment with new forms of authentication, securing innovative new platforms remains a challenge. Smart devices in particular present a great cause for concern, with 40pc of employees reporting that their IT security team is failing to effectively secure IoT and BYOD devices, providing attackers with another privileged pathway to exploit. As these technologies become more and more prevalent, it’s vital that their access to company tools and applications is managed in the same way as any other device within a corporate network.
David Higgins, Director of Customer Development EMEA at CyberArk, said: “Whether for new wearable devices or more established business development, HR or payroll systems, a lack of credentials management means UK organisations remain vulnerable to the seizure of critical company IP through credentials-based attacks. Forging a more secure digital future begins with adopting an effective privileged access management policy, which limits individuals’ ability to escalate privileges and subsequently reduces their access to sensitive systems – ultimately reducing the number of vectors attackers can seek to exploit.”