[BreachExchange] Are Your Employees Putting Your Organisation at Risk?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 2 10:30:27 EST 2018


http://www.itsecurityguru.org/2018/03/01/employees-putting-organisation-risk/

We’ve just undertaken some new research which shows that UK employees are
unwittingly putting their organisation at risk through their use of
unapproved apps. The problems associated with ‘Shadow IT’, where employees
download apps or use services without the consent of the IT department,
have escalated in line with cloud adoption, and the use of personal smart
devices in the workplace.

Even though the use of unsanctioned apps can be a real security headache
for IT – the apps can act as gateways to the network for cybercriminals
looking to gain access to an organisation’s valuable data – there seems to
be no stopping employees’ actions.

The research (Application Intelligence Report), which was conducted across
ten territories, shows the UK has the highest percentage of employees (41
percent) who use apps without permission from IT, or not knowing if those
apps have been approved to use at work.

Of those who use non-sanctioned apps, more than half (57 percent) use the
excuse that “everybody does it” – more than any other European country
questioned in the report.

Other respondents say their IT department doesn’t have the right to tell
them what apps they can and can’t use, while some claim that their
company’s IT department doesn’t give them access to the apps they need to
do their jobs.

The research highlights a notable lack of understanding among UK employees
as to the potential damage they are inflicting on their organisations’
security. In fact, many companies still don’t realise the risks that come
with this growing reliance on disparate and app-dependent workforces.

In the UK, 54 percent of respondents have experienced at least one data
breach, 41 percent have experienced a DDoS (Distributed Denial of Service)
attack, and 30 percent have fallen victim to ransomware attacks – both
higher than the global averages.

As the high-profile data breaches have shown over the past 12 months, all
it takes is one DDoS attack to damage an organisation’s brand, its
reputation with customers, and its revenue stream.

There is also the issue of app security, and who is ultimately responsible
for protecting the personal information and identity of employees who use
approved business apps at work? The application developers, the IT
department or the end users themselves?

Globally, only a fifth of IT decision-makers think employees take
accountability for protecting their personal information and identity. When
it comes to using personal apps at work, 44 percent of IT professionals
assume employees take responsibility for securing their own personal
information.

A third of respondents say the security team is most responsible for
protecting employees’ identity, followed by the CIO or VP, and then the IT
department.

Drilling down into individual countries’ attitudes, most German IT heads
believe the CIO or VP (46 percent) is ultimately responsible for securing
employee identity and personal information, while those from Brazil (32
percent) most often place responsibility on all IT practitioners,
regardless of the team.

Brazilian, Indian, Chinese, and US IT chiefs believe that employees place a
greater amount of responsibility on the vendor or developer of the
applications.

So how does the UK compare to other countries? Interestingly, while most
firms globally think IT leaders should be held accountable, the UK’s IT
leaders point the finger at service providers (36 percent), more so than
the company or app developer.

When it comes to app password security, UK IT chiefs have more faith in
their employees than some of their counterparts around the world – 23
percent think employees “always” change their passwords, and 56 percent say
they “sometimes” do so. China and Japan ranked lowest for how regularly
employees change their passwords.

Across the board, more than half of IT decision-makers are agreed that
mobile business app usage will increase in the next fiscal year. By 2020,
most UK IT pros (84 percent) believe that mobile business apps will be used
more than those on a laptop or a PC, almost in line with the global figure
of 88 percent.

The good news is that 20 percent of UK IT departments say they are looking
to grow their security budgets to combat the explosion of threats. The
slightly less good news is that the UK ranks joint bottom with Japan for
companies that expect to grow their security budget by 10 percent or more,
at 14 percent, less than the global average of 27 percent.

Globally, security is the top discipline for which IT teams are hiring,
followed by applications teams. More than a third (36 percent) of IT
decision-makers believe the security team is the highest hiring priority –
again with the UK unfortunately ranking lowest worldwide at only 20 percent.

Awareness and education must be a priority. Factoring in employee
behaviour, IT professionals should focus on building enterprise-wide
security awareness and education programmes and implement strong security
and access policies to prevent bad behaviour, and in particular, rogue app
usage.