Report: Employees the biggest threat to cybersecurity

Jan. 24, 2013
CSOs share their top IT security concerns, awareness strategies in Wisegate studies

According to new research from Wisegate, a membership body for senior IT professionals, the biggest threat to an organization’s cybersecurity is the proliferation of IT resources such as devices, applications and services used by a company’s employees that IT departments no longer fully control. In its’ "Preparing for the Top IT Security Threats for 2013" report, Wisegate organized a discussion among its CSO members across a variety of industries to get their thought on the top threats that IT security practitioners need to prepare for this year.

While dedicated denial of service (DDoS) attacks from hacktivist groups like Anonymous and viruses such as Stuxnet and Flame tend to grab all of the headlines, IT security experts believe the biggest threats to organizations stem from the ignorance of their own employees when it comes to cyber vulnerabilities. The following are some of the threats that CSOs expect will continue to contribute to this problem in 2013.

1). Bring your own device (BYOD) policies. Though security mangers have been screaming the warning sirens about the dangers of BYOD for some time now, the fact remains that more and more people are using their own personal mobile devices in the workplace. CSOs acknowledge that workers can be more productive using their own devices, but say they don’t take the proper security precautions and potentially open organizations up to data breaches. Some of the BYOD concerns cited in the report included:

  • Theft, loss or leakage of company data
  • Proper storage and transmittal of company data
  • Limitations of managing devices and how far a company can or should go in locking-down devices
  • Increasing malware and spyware threats against mobile devices
  • And, how to support a growing number of different operating systems, applications, etc. 

2). Social Media. CSOs say that as more employees use social media tools such as Facebook, Twitter and LinkedIn to talk with customers, there needs to be formal polices developed and enforced to ensure that confidential or proprietary information doesn’t wind up in the wrong hands.   

3). The General "Consumerization" of IT. In addition to BYOD and social media, CSOs say that workers are increasingly using applications intended for consumer use for business. For example, employees who rather than use a dedicated FTP server in their company to send large files via email now just use a service like Dropbox instead.

4). IT Security Awareness. According to the report, every CSO who participated in the study said they faced challenges when it came to making employees aware of the importance of IT security practices. The advent of more user-friendly online tools has made this job even more difficult for IT security managers.

5). Cloud Computing. While the cloud has enabled many organizations to shift the burden of hosting massive amounts of data on-site, it also brings some its own challenges to the table in terms of security and reliability. Many CSOs say companies make the decision to use a cloud platform without properly weighing all of the risks.

6). Data Protection. At the crux of IT security for every organization is ensuring the protection of data, but as IT loses control over many of the aforementioned resources that employees use, this task has become increasingly difficult for CSOs.     

"What emerged from the panel of security experts was an agreement that there is no one-size-fits-all answer to awareness training," said Tom Newton, CISO of Carillion Clinic in a statement. "CISOs need imagination and perseverance to get their message across, and often innovative methods of training from third-party vendors can be quite helpful. We must instill in each employee they are ultimately responsible for information security."

In a separate Wisegate report, IT security experts discussed ways that organizations could help alleviate some of these cybersecurity concerns. Among some of the recommendations in the CISOs Share Innovative & Practical Ways to Improve Security Awareness" report included:   

  • Using simple data classification labels with end users, such as "protected" and "unprotected"
  • Have CISOs make themselves more accessible. This encourages employees to openly share issues, and helps CISOs find out how effective their programs are
  • Communicate the organization’s IT security message in a variety of ways to get the message out that accommodates different learning styles.
  • Tapping into in-house experts in marketing and training to help make the awareness program be successful
  • Introducing "security leads" or security champions within and from the different departments that can help to bridge that credibility gap between security and user
  • And, getting help from others inside and outside the organization

"The latest Wisegate report demonstrates the importance of, and difficulty in, addressing security awareness issues and how the average computer user has become an open door for cyber criminals to attack every corporation," said Sara Gates, founder and CEO of Wisegate. 

For more information or to download either of these two aforementioned reports, visit www.wisegateit.com.