The need to distribute workforces has broadened the corporate defense perimeter to a point where IT is no longer an island.
Imagine this: your company has a precious treasure to protect, and you have set up the latest defense technology to secure it.
However, the guards on duty were not informed of the treasure; neither were they provided the knowledge of how to navigate the defense systems. Worse still, the guards did not recognize the treasure as something to be protected.
When the enemy came, they easily bypassed the guards, disabled the security systems, stole the treasure, and demanded a large sum of money in return for it.
In the context of cybersecurity for businesses, it is not difficult to guess which elements of the story represent the company data, cyber defenses, employees and ransom, in the instance of ransomware.
The risk from within
While one may dismiss this scenario as silly or implausible, it is an increasingly pertinent issue many companies are facing.
Earlier this year, over the span of just three months, six cyberattack incidents were reported around the region, a rising and certainly worrying trend.
While it is natural instinct for IT personnel to respond by fortifying their cybersecurity infrastructure in an attempt to contain the breach, this is not the end of it all.
When it comes to cybersecurity, non-IT personnel have been found to be a company’s weakest link. Unfortunately, more needs to be done to ensure employees do not end up becoming a company’s Achilles’ heel. In a survey we conducted, we found that the rush to move employees to work from home left gaps in providing basic IT know-how and refreshers on basic cyber hygiene practices.
Such employees—whether uninformed or plain careless—were potentially allowing malware and viruses to spread. In another study, more than half of respondent firms believed their cyber risk stemmed from within.
Some numbers of concern
The top three cybersecurity worries of a business are often related to employees or human error:
- Sharing inappropriate data via mobile devices (47%)
- Physical loss of mobile devices exposing the organization to risk (46%)
- Use of inappropriate IT resources by employees (44%)

In cybersecurity incidents faced by businesses in the past year, 11% of respondents mentioned employees falling prey to phishing or social engineering attacks. The simple action of clicking on a suspicious email could have the disastrous effect of putting their company’s data or systems at risk. This could be avoided with proper training on how to behave appropriately and awareness of the need to protect the business.
While one may point fingers at security systems, which should be able to guard devices from potential malware especially in the event of a misuse of corporate devices, the reality is that many employees use devices with outdated patches, and threat actors know how to exploit these vulnerabilities. In yet another Kaspersky study:
- 64% of employees surveyed who had argued with their IT department were allowed to skip updates or select what aspects of their corporate security systems to update.
- 44% of respondents were less concerned about updating their work devices than personal ones.
- Respondents who were senior executives were 12 times more likely to be targets of cyber threats than other employees. Aside from the fact that they have greater access to privileged information, they may also be subject to more lax security measures than other employees.
- 45% of the surveyed organizations excluded C-suites from their update plans, which increased their exposure and vulnerabilities to cyber threats.
Bring Your Own Dangers (BYOD)?
As employees continue adjusting to their work-anywhere environments, the divide between home and work blurs. Some 49% of employees surveyed had admitted to using personal email accounts for work-related matters, and 38% admitted using personal messengers that have not been approved by their IT departments.
This is the perfect recipe for cybercriminals to breach corporate data and devices. Moreover, in some instances, simply being connected to the same network could put even the most careful worker’s device at risk. Some malware, such as worms, does not require human help to infect, self-replicate or propagate: it infects its entry point and spreads through devices that connect to the same network.
No doubt, during these times of remote-working, when employees are spread across various locations in the country or even world, it is a challenging task for IT personnel to ensure they continue carrying out their jobs well. However, ensuring the continued safety of a company will take not just IT but the combined efforts of all employees.
One of my favorite analogies regarding the prevention of cyber threats, and for demonstrating the importance of businesses shoring up their cyber defenses, is simple: if you would never leave the front door of your house open all day with the possibility of someone walking in, think of your computers and cyber defenses the same way. Keep your network access and your systems tightly secured, and do not leave any opportunity for a cybercriminal to get in through open windows or doors.
No one is immune to cyber threats, nor can we prevent them from happening. However, a good cybersecurity system can mitigate their impact or minimize any disruptions faced.