Traditional approaches to security that focus only on disparate technology fixes for external threats are exposing UK businesses to heightened risk of attack, a study shows.
Employee behaviour is a weak link that is commonly overlooked, security policies tend to inhibit innovation and many companies lack the ability to anticipate and detect intrusions, a Cisco survey found.
The biggest internal threat stems from complacency and ignorance, the study shows, with just 58% of employees polled being aware of major security threats to personal and company data.
The survey of 1,000 UK employees revealed that 39% of employees expect their company to take care of data security in the workplace, while just 54% believe it is their responsibility to keep data safe.
Sixty-two percent think their behaviour has only a “low to moderate” impact on security which, Cisco says, demonstrates how insulated they are from the extent of threats to company data.
This may in part be linked to the fact that security threats and policies are not given a high enough profile within companies.
The survey showed that, while 61% of employees thought their company had a security policy, 15% did not know if there was a security policy, 48% felt the policy was not relevant to them and 37% said the only indication of a security policy was when they are prevented from doing something by security settings.
As a result, 37% admitted to low or moderate levels of compliance, and only 12% said they were more rigorous about data security at work compared with 24% who said they were more rigorous at home.
All respondents said they use their company’s network for personal transactions, including personal banking (79%), online shopping (75%) and travel (59%).
The survey found that employees across the UK are increasingly viewing IT security as a barrier rather than an enabler for business.
One in eight respondents said the focus on IT security is stifling innovation and collaboration, while 13% said it is making their job more difficult to do.
Almost one in four believe the cost of lost business opportunity outweighs the cost of a potential security breach, resulting in some employees taking steps to circumvent security policy.
Half of respondents recognised that their behaviour is second only to cyber crime as a risk to data security.
“This study confirms the complex challenges facing businesses when it comes to IT security,” said Terry Greer-King, cyber security director for Cisco in the UK and Ireland.
“While most employees recognise the threat from cyber criminals is real and worthy of continuous defence, the survey also shows that employee complacency is increasing the risks for UK businesses,” he said.
Greer-King believes that, as cyber security becomes more of a strategic risk, savvy businesses are looking to make it a formal business process.
“Making it a business process ensures that the organisation has a comprehensive view of the risks, which enables it to improve business practices where necessary. This should be a key part of daily operations to protect the business from internal and external threats,” he said.
This approach can also help drive responsibility for security down to the individual, but needs to be supported by security education and awareness programmes so every employee understands their role in keeping data secure.
Based on the research, Cisco has identified four IT security behaviour profiles which could form the basis for behaviour-centric security strategies.
Each demonstrates a different level of threat to data security and requires a specific approach to limit the risk posed, while leaving people free to perform at optimum efficiency and effectiveness:
- The threat aware – those aware of security risks and who try hard to stay safe online.
- The well-intentioned – those who try to adhere to policies, but implement them on a ‘hit and miss’ basis.
- The complacent – those who do not take individual responsibility for data security.
- The bored and cynical – those who believe the cyber security threat is overhyped and that IT security inhibits their performance, and who will circumvent policies as a result.
“The balancing act of business enablement and protection will require a fundamental shift in how we approach IT security,” said Greer-King.
This shift in approach includes IT getting more involved with the business and demonstrating to the business how to use technology securely to achieve its commercial goals.
“Businesses that persist with point security solutions will find themselves at greater risk, as this approach is responsible for creating gaps in traditional defences which attackers exploit,” said Greer-King.
“Cisco believes in security that is multi-layered, but this is not necessarily achieved through multiple, disparate products,” he told Computer Weekly.
“Organisations need the capability to detect malicious activity as soon as it starts and shut it down quickly rather than relying on third parties to notify them of breaches weeks or even months later,” he said.
Greer-King said organisations should also implement user-specific protocols that accommodate individual behavioural profiles.
“This will allow organisations to track the users and devices connecting to networks in order to lower the risk of a breach across the entire organisation,” he said.
A business-process approach will also ensure organisations know what data assets they have and where those assets are located.
“As the survey shows, security is not about technology alone, it is also about processes and people, who need to be part of the solution,” said Greer-King.
He believes that cyber attack simulations are an effective tool in enabling employees to understand the risks and potential impact of cyber threats as well as identify the gaps in their capability to respond.
“Security also requires a greater degree of community collaboration within organisations and externally as well because no single organisation can deal with cyber security on its own in isolation,” he said.