A new survey has revealed that despite a major rise in phishing attacks on organisations, a significant percentage of employees are still using the same password for all accounts, are setting easily guessable passwords, and are clicking on external links without verifying where they lead.
The survey, carried out by OpenVPN, also revealed that the adoption of biometric authentication has been less than optimal so far, thereby putting the privacy and security of enterprise and customer data at risk.
While 25 percent of employees are reusing the same password for all applications that require authentication, 23 percent of them are frequently clicking on links before verifying whether such links are genuine or malicious.
"Cybersecurity breaches are a matter of ‘when’ not ‘if’, and organizations have to be ready to address hackers head on. But with businesses so focused on external threats, they often overlook the role their own employees play in exposing vulnerabilities from inside an organization," the firm noted.
Non-adherence to IT security policies
Earlier this year, a survey carried out by Dr. Lee Hadlington at the Leicester-based De Montfort University also revealed that employees at UK organisations are less likely to follow IT security practices and protocols while surfing the web, clicking on various links and visiting social media platforms.
Such non-adherence to IT security policies by employees, together with poor password hygiene and a readiness to trust emails sent by unknown persons, exposes organisations to immense risk. Research by M-Files had revealed last year that at least 23% of businesses in the UK suffered data breaches because of non-compliance with company security policies by their employees.
A major reason behind such non-compliance is the lack of specific cyber security training, which needs to be delivered to employees on a regular basis. A survey of 2,000 workers by Accenture recently revealed that over half of them (55%) did not remember receiving specific cybersecurity training from their employers.
Kirill Kasavchenko, principal security technologist, EMEA at Arbor Networks, said that every employee should not only be provided training on password hygiene, but also specific cyber security training that will help them understand how different attacks work and how to recognise social engineering tactics.
He added that while prevention is the best practice, businesses should also train employees on how to minimise the damage once a breach occurs. "Regular employee training on IT security will become even more of a necessity once GDPR and the new UK data protection bill come into effect. Businesses need to look at why their staff do not feel adequately trained and put a training plan in place," he said.
Employees following best practices must be rewarded
According to OpenVPN, employers should not stop at merely imparting specific cyber security training to employees, but should also ensure compliance with cyber security policies by rewarding employees who follow the best practices.
"Employees may be a company’s first line of security, but many fail to report cyber attacks out of fear of retribution. Instead of employing fear tactics to scare employees off weak passwords and phishing schemes, employers should consider rewarding or acknowledging individuals who embrace good cyber strategies.
"Employees are less likely to shy away from security training and are more incentivized to change their approach to cybersecurity when they are sent encouraging messages for safe internet behavior," the firm said.
"Building a work culture centered around good cyber hygiene takes time, but will ultimately protect companies in the long run from online threats. When smart online habits become second nature, both employers and employees can better prevent hackers from taking advantage of otherwise stagnant security environments," it added.