Users continue to be CISOs’ cyber-security Achilles heel

To coin a phrase from the well-known broadcaster Anne Robinson, when it comes to cyber-security people are undoubtedly the weakest link. This is a thought-process that’s been established within IT security for many years.
Cyber-security expert Bruce Schneier wrote a book first published in 2000 entitled Secrets and Lies: Digital Security in a Networked World. It includes a now often-used quote about people being the weakest link and goes so far as to saying users are “chronically responsible for the failure of security systems”. Harsh, but you only have to look at the root cause of many cyber-security incidents over the past two decades, and you can see Bruce was on to something.
In spite of new ever more sophisticated technologies coming on stream - many of which are powered by artificial intelligence (AI) and machine learning (ML) - organisations continue to fall victim to cyber-attacks. The unfortunate truth of the situation is that an organisation can deploy the best technology available and employ skilled security professionals, yet the Achilles’ heel of CISOs the world over remains the same - the users themselves.
A new report on user attitudes to cyber-security from BlueFort Security supports Bruce Schneir’s hypothesis. It questioned 2,001 UK office staff working in organisations with 500+ employees. The report found that despite having a good understanding of cyber risk - especially when it comes to the new normal of hybrid working - office workers admitted that they were unwilling to change their behaviour.
Nearly a quarter of those who took part in the study had been subject to a data breach, but a third said they were not prepared to take any extra precautions. Many admitted to high risk behaviour including sharing passwords, downloading non-work-related files and even losing work-owned devices.
A closer look at the data showed that 35 percent had received a phishing email, 24 percent had been subject to a data breach, and 23 percent had been impacted by a virus. Under-resourced and overworked CISOs must be pulling their hair out.
Hybrid working is a risky business
There is no doubt that the past 18 months has permanently changed the way in which many of us now work. When it comes to hybrid working the genie is out of the proverbial bottle. And that brings with it a whole host of challenges, many of which users are surprisingly aware of, despite many choosing not to adapt their behaviour to minimise the resulting risks to their employer.
The use of personal devices within the working environment (BYOD) brings greater security risks than a ‘traditional’ setup. This has increased further as many of us work from anywhere - a fact recognised by both IT security teams and users alike.
A study from HP Wolf Security looked at hybrid working from the perspective of IT professionals. 83% of IT professionals polled in that study described hybrid work as a ticking time bomb for a network breach.
Cyber savvy officer workers
The survey found that over a third (34 percent) believe cyber-security awareness is the biggest issue when it comes to hybrid working. 33 percent cited personal use of company devices as another significant risk. Looking more closely at the use of company devices, 18% of respondents admitted losing a company-owned device whilst working from home and 22 percent said that they have taken home company devices without the company’s knowledge.
And office workers also believe that managing cyber risk in the future will only become more complicated. The reasons for this include the threat surface becoming wider and more disparate (39 percent), managing a remote workforce is more difficult (35 per cent), and it will be less clear where endpoints are (26 percent).
Old habits die hard
The long queues that have built up at petrol stations recently echo a significant challenge that CISOs have when it comes to cyber security. People inherently know the best course of action - but they choose not to take that path. In the case of filling up our cars, panic buying wasn’t the best approach.
And so, with cyber security. Most users know that downloading non-work-related files whilst working from home isn’t cyber smart (23 percent of the BlueFort survey said this); and 23 percent admitted that they have not backed up files onto the company system. Yet, despite knowing the risks they did it anyway.
It’s frustrating that despite being aware of the risks, so many office workers are seemingly unwilling to make even small changes in their behaviour to help their largely overworked and under-resourced cyber-security colleagues. And the fact that many have fallen victim to a cyber-crime themselves makes the situation so much worse.
The results of this latest study underline the importance of continued cyber-security education, combined with technology that protects sensitive data wherever it is, be that on an end-user’s device, stored on-premise, hosted in the cloud, and increasingly nowadays being shared via an online collaboration tool.