A CompTIA study on the state of employee cybersecurity shows why insider threat is still such an issue for organizations. It's easy to make a checklist of security best practices, but it's much harder to change human behavior.

How people use their mobile devices, and what they know about information security, is limited to what their day-to-day routine demands. Just as executives have had to get used to making risk management part of the business process, employees have to do the same with cybersecurity best practices.

Indicators from the CompTIA study that employees have yet to adopt habits that protect the enterprise network from vulnerabilities and security risks include what they do with their work mobile devices, the wireless networks they connect to without a second thought, and their use of technology without questioning its security:

  • 63% of employees admit to using their work mobile devices for personal activities, and 94% connect their laptops and mobile devices to public Wi-Fi networks.
  • 49% of employees have at least 10 logins, but only 34% have at least 10 unique logins.
  • Of 200 USB sticks dropped anonymously in a public area, 17% were picked up and plugged in to access the text files on them.


As Todd Thibodeaux, CompTIA president and CEO, states: "We can't expect employees to act securely without providing them with the knowledge and resources to do so. Employees are the first line of defense, so it's imperative that organizations make it a priority to train all employees on cybersecurity best practices." Although the majority of organizations use a mixture of security training methods, 15% of CompTIA's survey respondents said they continue to receive paper-based training manuals for security education.

Organizations can't expect to get rid of poor cybersecurity habits through theoretical training alone; there has to be more. CIOs and senior leaders who want to leverage security to protect and grow their business will plan to:

  • Instill a company culture that includes cybersecurity best practices.
  • Hold ad hoc meetings to discuss information security with existing and new employees.
  • Have BYOD policies, apply them, and revise them as needed.
  • Test security and business continuity policies and procedures with monthly or yearly drills (rather than filing them away to gather dust and only retrieving them when an incident occurs).


All of the above seem like simple steps, but studies such as CompTIA's show that organizations still have a long way to go before they instill good security habits in their employees and eliminate part of their insider threat. In the meantime, organizations that want to reduce employee security risk need visibility into their entire infrastructure, and the only way to get it is with a holistic information security approach.

What are some of the challenges you face with improving employee security awareness and habits to reduce data risks?

Photo courtesy of iQoncept