Silent Sector Blog

Employees Are Still Neglecting Cybersecurity Policies

Written by Haidon Storro | Jul 16, 2020 6:58:09 PM

Security awareness increasing, but numbers show employees are still not listening

In light of the widespread adoption of Working from Home (WFH), cybersecurity has become the center of attention for ensuring organizations can carry on with their standard business functions. While security has always been important, securing the remote work force is particularly critical as statistics reveal that cyber criminals show no signs of slowing down and in fact, many are exploiting the conditions brought on by the pandemic to execute their attacks. However, security firm Trend Micro found that despite the persistent efforts and even recent spike of mandatory end user awareness training, employees appear to still neglect cybersecurity.  

Gaining a Better Sense of Cybersecurity during the pandemic

The increase of cybersecurity’s significance is a newfound outcome arising from the COVID-19 lock down. In a survey of 13,000 remote workers across dozens of countries, Trend Micro uncovered that 72% of respondents believed to have gained a better sense of cybersecurity awareness. What’s more is that 81% even agreed that workplace cybersecurity falls partly on their shoulders. From the security industry perspective, and as someone who works directly with less technically oriented people, this is great to hear.

Security is not simply just implementing a firewall, deploying an anti-virus (AV), and monitoring some intrusion detection systems (IDS) – but rather security is best looked at as a layered defense system. In which case, no layer is completely effective alone. This means that even having the priciest cybersecurity and compliance solution does not exempt you from an attack. As security professionals, we can expect that there will be a day when a sophisticated phishing campaign attack is launched and slips through our email security, IDS, and AV. It is moments like these when SOCs heavily rely on employees to deflect the ransomware, credential harvesting, or other malintent objective.  

Employees are the single greatest threat and remedy to an organization’s security. This also happens to be why they are the primary targets of cyber-attacks today. Adversaries recognize they can use employees to circumvent advanced security mechanisms and infiltrate a company’s network. While it unfortunately did take a pandemic for organizations and individuals alike to recognize the importance of cybersecurity, we are making head way in cyber awareness.  

Why are employees ignoring security recommendations?

The first challenge in cybersecurity is awareness, because people don’t know, what they don’t know. It is natural to think that because we have established this, employees would be quick to embrace a security mindset. Unfortunately, what Trend Micro’s report concluded is that awareness does not correlate with employees putting security efforts into practice. Moreover, their findings uncovered that even when personnel are aware of the risks that cybersecurity has on their organization, they are still tempted to overlook the security policies and rules.  

Ignoring security guideline happens for a multitude of reasons and is often not done with a destructive motive. Respondents of the survey believed they could get their job done quicker by skirting the advice from their security team. With 34% even admitting to not caring whether the apps they used were approved as long as they could get the job done. In addition, 29% of respondents asserted the solutions provided by their company were “nonsense.” Leaving them to access work data from a personal device and even 66% admitting to uploading corporate data to an unapproved application on their work device.

Shifting Employees Cybersecurity Attitude

Perhaps one of the answers to encouraging behavior change is to tailor training programs that account for individual values and personalities of employees. For instance, a training about invoice style phishing emails will most likely be irrelevant for an engineer who has no financial roles. Human psychology unveils that it takes a personal conviction to truly boost a transformation. This could be via department-based presentations that include the legal and security ramifications of using unapproved applications. Or it could also be to conduct guidance for scenarios and demonstrations for securely handling data or how to request an application is vetted to be approved for work.

For more stimulating training's, companies can opt for hacking demonstrations that reveal just what the modern threat actor is capable of. It is worth noting that when employers use fear tactics to promote security it harvests little success towards shifting the attitude towards security and instead promotes push back. However, cyber criminals often invoke their targets emotions to launch attacks via email.

Common Phishing Scenarios

Impersonating higher ups

FROM: CEO "I need money wired now"

Invoice type

"monthly invoice is available"

Mail Delivery Statuses

"shipment has arrived"

Clickbait

“5 things you need to know about COVID-19 (#4 will blow your mind!)

Employee Rewards

"I need you to purchase amazon gift cards for the surprise employee party, and keep 2 for yourself"

 

Overall, the report tells indicate that cybersecurity is placed second to convenience. Thus, employee perception of security is somewhat viewed as a hindrance to their role and responsibilities. What we observed is that it takes something catastrophic for individuals to acknowledge an issue, but this alone is not enough to inspire a change in behavior. While, combating the disregard for security is not something that can be done overnight- awareness coupled with frequent relatable training's can certainly increase an organization’s safety.

How is your organization preparing its first line of defense to guard against the exponential growth of cyber threats? Better yet, has your organization conducted a penetration test to validate your defenses?  Call Silent Sector today to learn how you can train your workforce and test your organization to ultimately improve your security posture.