Brian Jackson - stock.adobe.com
Despite warning against behaviours that might expose their organisations to an increased degree of risk, 55% of security professionals admit that they are no cyber angels themselves and have engaged in risky activities.
One in three participants in the KnowBe4 poll said they had used entertainment or streaming services in contravention of organisational policy, 15% had signed up to too many email subscriptions, and 13% had opened potentially malicious email attachments.
Meanwhile, just under 9% said they had downloaded an unauthorised application that could have been, or was, malicious; 8% had visited a gaming or gambling website; 8% had used removable media such as a USB drive; 8% had used unauthorised cloud backup or storage services for work-related documents; and 3% had used an adult entertainment website.
Far greater numbers of security professionals said that they had observed users supposedly under their protection participating in the same behaviours, with 80% routinely spotting potential violations, with the most common being the use of entertainment or streaming services.
“The findings of this study demonstrate not only a need for regular security awareness training, but of cultivating a strong security culture. This means going beyond educating staff on threats, how to respond and teaching them to identify how they can help prevent them,” said Javvad Malik, lead security awareness advocate at KnowBe4.
“Creating a security culture requires a shift in attitude, behaviour, perception of responsibility and overall organisational norms, so that best practices are embedded into everyday operations and thinking. Cyber security should be recognised company-wide as a priority. If this is successfully achieved, users will be more mindful about what they do, and take the time they need to respond appropriately to potential threats.”
According to data drawn from KnowBe4’s real-time cyber training tool, SecurityCoach, the above listed behaviours are the most common precursors to a cyber attack or breach – ranging from falling victim to scams or fraud, to full-blown data breaches or ransomware attacks.
Therefore the fact that so many security professionals are catching people engaging in them should be of significant concern, particularly when so many cannot be said to be above reproach when it comes to their own security habits.
Just under half of respondents to the survey said they believed people indulged in risky behaviours because they were not aware that doing so was a problem, while 36% of security pros said they thought users were perfectly well aware that they shouldn’t be doing what they were doing, but did not actually care – a perennial problem when it comes to security awareness training.
Sales teams in the dock
KnowBe4 also asked respondents which of the staff they are tasked with protecting were the most likely to try to dodge security best practice, and found that 26% said those in the sales and marketing functions tended to be the most slapdash when it came to cyber hygiene.
Also in trouble was the C-Suite – albeit somewhat theoretical trouble in their case – with 17% saying their organisation’s leaders were playing fast and loose with cyber security, and possibly unsurprisingly, the IT department, which 11% said were most likely to flout the guidelines.
Read more about insider threat
- Insider threats extend beyond employees within your company to include people working at partners and third parties. Learn about these insider threats in the software supply chain.
- From disgruntled employees to compromised users to third-party vendors, here are six types of insider threats and best practices to mitigate the issues.
- A thorough insider threat programme includes plan preparation, threat assessment, and plan review and renewal. Learn how to implement this three-step model to protect your company.