How your employees put your organization at risk

Security threats don't come only from the outside. Employees are accessing content that puts your business at risk.

Security is, of course, a major concern for most companies, but it's often seen as an outside threat. It turns out, however, that employees are one of the biggest security threats, and most apparently acknowledge that their behavior is risky, according to a Blue Coat study.

The Blue Coat study of 1,580 employees from 11 countries uncovered the risky habits of employees accessing - sometimes knowingly - inappropriate content on work devices. Some of the biggest issues include accessing adult content, but social media is also posing a new threat to businesses.

Adult content

According to data from Blue Coat, one in every 20 U.S. employees has accessed adult content on a work device, but naivety isn't an excuse. Eighty percent of those who admitted to doing so also acknowledged it put the company's security at risk. China was the biggest offender, with one in five employees admitting to accessing adult content on a work device.

The danger is more than a potential workplace harassment lawsuit. Most of these sites hide malicious content within links. That's how websites offering free adult content make their money: by installing malware on your computer. So it's less about the content employees are accessing, and more about the threats that lie within the links, according to Joseph Steinberg, cybersecurity expert and author.

Steinberg points out that the threat is greater than websites offering free pornography. It also includes "anything that has pirated software and movies," he says. "A lot of them are actually in the business of putting malware onto computers. So it's not just the blocking for the sake of preventing the employee from doing something wrong, it's also preventing damage to the business's computers and potentially data."

That means an employee downloading pirated content onto their work computer offers more potential danger than the legalities around accessing that type of content. It can cause a business's systems to break, allowing malware to infiltrate the system and reveal sensitive company data.


Phishing

Phishing poses one of the greatest risks to companies, because a well-meaning employee can quickly - and unintentionally - cause a security threat with the click of a link. Blue Coat found that while the U.S. reported opening fewer unsolicited emails than other countries (17 percent), 80 percent of businesses still view phishing as a major security threat.

Steinberg points out that phishing is nothing new. "It's the same thing that was going on 500 years ago when a guy showed up at a castle and said 'I'm a knight,' and he had killed the real knight and taken his armor. The scams are the same in a different medium, so training can only get you to a certain level. People still fall victim to scams; people still make mistakes."

International risks

Adult content, quite obviously, includes pornography, but international companies have even more risk when considering laws around the world. That's because what's legal in the U.S. might not be legal elsewhere, and vice versa.

"Anything in the U.S. that is classified as over 18 is adult content," says Steinberg, "but different countries have different rules on this kind of thing, and that's something that international organizations need to be cognizant of."

Adult content can quickly take on more meaning in other countries, and it's something employers need to educate employees about. The security risks become greater if employees are unknowingly accessing illegal content while traveling for business. Companies need to consider the international implications of adult content, and what that might mean for the security of their business.

Social Media

Social media is a new medium for cybersecurity threats and it's difficult for companies to monitor, let alone secure. Blue Coat found that 41 percent of U.S. employees access personal social media accounts at work, which is problematic because malware can easily disguise itself in shortened links. Users might not think twice about clicking out from a tweet or Facebook post, since shortened links have become the norm on social media sites.

As the study states, "an attacker may create a seemingly personalized email targeted at an IT administrator for a large enterprise using information found on social media profiles, such as the recipient's alma mater or favorite sports team."

Social media also poses risks when it comes to what employees share and post, as they can unwittingly give out sensitive data.

Steinberg is a co-creator of a technology called SecureMySocial, software that can alert users before they post something potentially harmful. "If you're posting something that looks like it's leaking employer data or saying something that by most normative standards might be considered insensitive, it will warn you."

Implementing these types of failsafe resources is one way to help prevent security threats, but when dealing with humans, you can only go so far.

How to help employees understand the risk

The problem with humans as a security threat is that there isn't a perfect solution, but companies can work to help employees understand the risks they pose not only to the company, but also to themselves. Employers need to understand that workers expect a certain level of access in today's digital age, and completely barring them from social sites or non-work-related content won't offer a solution.

"The reality is that we're on human mind version 1.0," says Steinberg. "Your firewall may be version 20, your word processor might be version 20, but in the last 20 years the human brain has not evolved. The same kind of mistakes that we were making at the beginning of the Internet era, we're making now."

When it comes to protecting a company from its own employees, there needs to be a balance between reasonable access and security. "Businesses need to find ways to support these technology choices while simultaneously mitigating the security risks," says Hugh Thompson, CTO for Blue Coat.
