Companies can spend untold funds on the latest security software, keep their firewalls and security infrastructure up-to-date, monitor networks, and employ the highest level of IT talent all in the name of security. However, it can all be rendered useless by one simple thing – employees choosing to ignore basic regulations.
When end-users have bad habits, there is no software or system in the world that can protect against a breach or attack. The most complex of password policies is null when the password is written on a neon green sticky note and stuck to the monitor. Enterprises often look to guard against sophisticated attacks on their IT networks, but simple bad habits can be the undoing of entire security systems. CIOs need to assess what everyday actions are threatening their system’s security.
The end game is still to thwart the advances of those looking to infiltrate a company’s network. Without these bad actors threatening the system, the bad behaviour of employees would be little more than human folly. However, as hackers are a very real threat to any enterprise, companies and employees need to put their bad habits in check. This is particularly true for those with high-level administrative access. C-level employees may have access to a system, but may not be properly trained to use that access responsibly. Because of their greater access to valuable information, C-level employees are often the desired target of behavioural engineering and must be keenly aware of their actions while on the network.
Glen Ogden, Regional Sales Director, Middle East, A10 Networks, details the most commonly seen slip-ups perpetrated by C-level employees. “Using weak passwords or the same or similar passwords for personal and work accounts is a common one,” Ogden explains. “Also, not vigilantly reviewing email sources or file types before opening email attachments.” C-level executives deal with a high traffic flow of communication, but failure to remain vigilant may cause serious risk.
Ogden continues, “Another common example of bad behaviour is browsing risky websites from corporate computers. Browsing dangers can range from visiting social media sites, forums, and other non-business sites, to incorrectly typing URL domains and inadvertently accessing phishing or malware-laden sites.”
Anthony Perridge, Security Sales Director, Cisco, agrees that the C-suite must be especially cautious when it comes to behavioural security risks. “Many C-level executives tend to exhibit similar bad habits, like many other users, that may compromise the company’s security. Their smartphones and mobile devices carry a lot of data, which could be stolen should the device be misplaced or lost, putting the company’s data at risk.”
He goes on to explain, “The C-level executive may not use a secure network while using the device for transferring data, which makes the data susceptible to interception. In addition, mobile malware is growing rapidly which further increases the risks.”
Clearly, the C-suite needs to exhibit responsibility when it comes to security risks; however, every staff member with access to the network needs to understand their individual role in protecting the system. As technology becomes a ubiquitous part of every department, employees at every level, from entry to leadership, must take the time to think and act like an IT employee.
“Everyone is responsible for security in an organisation. This concept should be embedded into the very culture of the company,” says Nader Baghdadi, Regional Director, Enterprise, Fortinet. “There are several things that employees do on a regular basis that could compromise the company’s security, such as leaving laptops in their cars, sharing passwords or using weak passwords, and ignoring the company’s security policy.”
However, it is often not a deliberate violation of a company’s security policy that causes problems. “Complacency and recklessness play a large part in data breaches,” says Simon Mullis, Global Technical Lead for Strategic Alliances, FireEye. “It is absolutely imperative to address these issues in the workplace in order to avoid any fallout from a cyber-attack. Even the smallest steps, such as changing passwords often, being careful about anonymous emails and not leaving crucial information in easily accessible places, can go a long way in beefing up security in an organisation.”
The first step in solving any problem is identification. Once this bad behaviour is on the radar, companies need to ask what they can do to correct it. David Emm, Principal Security Researcher, Global Research and Analysis Team, Kaspersky Lab, sees a key role for education, awareness, and open-door policies. “It’s vital that companies develop an internal security awareness programme that makes staff aware of how attackers may try to use them to penetrate the company’s defences and explains what they can do to reduce the risk,” Emm explains. “It’s not uncommon for companies to create a security policy document and require new staff to sign off on the document. It’s less common for them to develop an ongoing programme that doesn’t just use the written word, but uses posters, comic strips, competitions, etc. to reinforce the message.”
Prevention and awareness are only half the battle, according to Emm. Employees also need to feel comfortable approaching the appropriate departments in the event of an incident. “It is important to encourage staff to report problems,” he says. “If, for example, they accidentally click on a link or attachment before thinking, they should be encouraged to report it to IT, rather than trying to brush it under the carpet. Only through such openness will staff become a positive element of corporate security.”
Mullis suggests that, in addition to education and openness, companies consider restriction policies to guard against bad behaviour. “Restricting the usage of apps, services or web pages, or even the devices themselves, certainly lowers the likelihood of any data compromise as a result of bad behaviour.” He does acknowledge, however, that “while limiting the attack surface cuts down on the opportunity for bad behaviour, employees must still remain vigilant.”
At the end of the day, a robust security infrastructure and policy are essential. However, as employees gain increasing access to company networks, it is imperative that CIOs address awareness and education. Even the strongest of padlocked doors is useless if someone simply gives a thief the keys.