Technology could make the workplace more secure from human frailties online.
Almost half of UK employees put companies at risk through online activities such as using WhatsApp for sharing corporate documents, streaming illegal content and even watching adult content using company resources.
Just as it is impossible to reason with a temperamental two year old, any efforts to stamp out such bad behaviour from employees have proven futile. In order to protect against employee’s actions, business will have to accept that this is what employees are doing and instead bring them into the fold.
IT security teams have been fighting a running battle to stop their organisation’s employees from engaging in bad online behaviour altogether. The focus has been on limiting the potential damage employees can cause, from data security training to blocking access to certain Internet sites, all without preventing them from doing their work effectively online.
Despite their efforts, our recent survey found that 46 per cent of workers are guilty of at least one malpractice that could put a company at real risk of a data breach or cyber attack.
Some bad behaviour is truly shocking – such as 10 per cent of employees visiting adult websites from a work device – while others seem more inconsequential like using a work email address for personal accounts. No matter where the unprofessional behaviour sits on a scale from the serious to the benign, it could have wide-ranging complications for a company’s data and cyber security.
WhatsApp with data sharing?
Unauthorised app use, or shadow IT, is a security challenge that has increasingly plagued organisations as the lines between consumer and enterprise products have blurred. The likes of Dropbox, Box and Google Drive are common “enterprise” offenders that most security teams are already aware of.
We found that 18 per cent of workers have uploaded confidential work documents to Dropbox, Box or Google Drive without permission with a further eight per cent accidentally sharing a link to confidential files.
However, there is another big offender in town as almost a quarter of employees use messaging apps such as WhatsApp, Telegram or Facebook Messenger to share work documents. To a data or cyber security chief, this is a new level of consumerised IT hell.
Such apps increase the risk of people leaking sensitive data either by accident or on purpose. Most of the time there is no malicious motive behind it. Mentally programmed in tiny increments by millions of messages about weekend plans and combined with a UX that draws users in, people become share-happy.
Any security training employees may have received instantly evaporates as employees click send to get a job done – share a piece of information using the tools they are most familiar with and that are the easiest to use.
But regardless of motive, messaging apps are a gateway out of the building for sensitive data and a way in for hackers. This is compounded when these apps are used on mobile platforms where they are deeply integrated into commonly used work tools that store confidential data. In a single swipe confidential documents can be shared from email, Docusign and other cloud services.
Malicious actors have started abusing these weaknesses by ‘Wishing’ (WhatsApp phishing). Criminals impersonate a person or company the employee trusts on WhatsApp – anything from a work colleague to a supplier – and seemingly legitimately ask for information such as accounts spreadsheets or customer databases. When they get their hands on it they quickly change tactics to target the CEO in a spear phishing attack requesting a bank transfer.
What makes this type of attack so damaging is the fact that most users won’t question the validity of the request when it’s made via a personal messenger platform and thus leave themselves open to wrongdoing by creative attackers.
Personal vs. work accounts
Employees potentially jeopardise their company by failing to separate their personal and professional lives. Our survey found that 25 per cent of workers used a work email account to authorise access to other services such as games, productivity apps or social media when these weren’t needed to do their job effectively.
It might sound pretty harmless to use a work email address for personal accounts, but in doing so employees put their work credentials into the wild. If any of those personal service providers are breached - as Yahoo or TalkTalk were – cyber criminals could harvest the leaked details to attack the company.
Even worse, people frequently use the same login and password for multiple accounts leaving the company vulnerable to brute force attacks.
Adult content in the boss’s time
Employees are also putting their organisations at risk through the websites they are visiting on a work device or while using the work Internet.
One in ten respondents admitted to visiting adult websites from their company device or by using the company’s Wi-Fi. A further 13 per cent said they’d downloaded or viewed pirated content. Whilst Barbara in accounts is enjoying a ripped-off Hollywood blockbuster, somewhere in the building a security admin is crying.
Putting aside the inappropriateness of these activities, adult and pirate websites are often cesspools of malware and viruses. By using them at work, employees are finding a sure-fire way to bring malware onto their company networks. In fact, recent research from Kaspersky showed that one in four mobile users infected with malware were targeted while on adult websites.
Accepting human fallibility
Sadly, bad online behaviour is not going away. Companies like WhatsApp are starting to push enterprise offerings and people will always find a way to use consumer Cloud services in a way that puts enterprise data at risk.
For adult sites, people will work around blocked sites and applications. It could potentially take the company from the frying pan into the fire as fringe sites and apps are likely to be darker and more dangerous.
And so, like an IT security equivalent of a grief cycle, acceptance is the first step in addressing the problem.
Instead of using a heavy-handed approach by blocking all potentially dangerous sites and apps, security teams should instead look to deploy granular monitoring to address the problem.
A multi-layered approach to security enables security teams to monitor and control core threat vectors - email, cloud apps, websites - so that threats can be quickly mitigated. It will give teams an understanding of and the ability to stop each specific dangerous action that touches their data, such as sharing files or clicking links inside messages.
Humans are hardwired to communicate in ways that are most intuitive to them, often without thought for the consequences. While it isn’t usually malicious behaviour, instead just shortcuts to get the job done, organisations do need to think carefully about how they manage the risk. Ultimately, humans aren’t going to change, but with clever technology they can be made safer.
Ed Macnair is CEO of CensorNet.
Thanks for signing up to Minutehack alerts.
Brilliant editorials heading your way soon.
Okay, Thanks!