Of the many questions asked of cybersecurity personnel almost always includes “What is the single most dangerous threat to a user or company in the cyber field?” While answers do vary, it’s been my experience the best answer is people. The end user is potentially the most dangerous to themselves and to their organizations. Whether it be from a lack of security knowledge for their own safety, a lack of understanding company security policy, disregard for security practice altogether or all the above.
Interestingly, a recently released poll (by one of our security partners Proof Point 2018 User Risk Report) included many unfortunate, and not so shocking, user trends appear. Some of the most important things to take away from this report are the following statistics. From the 6000 people polled across six countries, the global average of the poll showed these:
What are some ways that you as a company can help remediate these kinds of issues? Security awareness training is a big step in the right direction. A solid foundation of security awareness training that includes password best practices, physical security, common cybersecurity threat knowledge (such as ransomware, phishing, malware, etc., VPN information and usage for both personal devices/phones and company devices/phones, and cybercrime information) can help build up a person’s likelihood of using what they learn to protect themselves and their organizations. The training needs to cover company policy as well as ways that they can better protect themselves at home and (by extension) their company.
Another way to help remediate some of the human risks is to take another look at the company security policy and look for ways to improve the policies and or incentivize employees to comply with those policies in place already. With the high number of BYOD and IoT devices on your network, it opens the door for company policy to be forgotten or disregarded because a person will use their own device as they want even if company work is done on it.
A final thought on ways to remediate end-user risk is to include in security awareness training, personal device security awareness. As a vast percentage of employees use a personal device on a company network and or use a personal device for work on a home network, the ability for that employee to be able to better protect their personal device is important to them and their company. Mobile device security best practices for a company and for the employee are a great step towards improving security.