CSOs shouldn’t assume employees care as much about security as they do
- 02 June, 2018 15:02
Employees generally want to protect data against compromise but few understand the sensitivity of their data or the role of anything but passwords in protecting it, according to a new study that highlighted the difficulties that over-optimistic CSOs have in building an active security culture.
Although 64 percent of employees use company-approved personal devices for work, a recent Clutch survey found, just 40 percent of employees faced regulations on their use of personal devices – highlighting the continuing exposure of companies to common but problematic bring your own device (BYOD) policies.
High BYOD use was often translating into unintentional security exposure from otherwise “normal” activities such as the use or exchange of documents, the survey found. This ease of access meant that employees often didn’t think about the risks inherent in those activities – compromising their ability to recognise when data is sensitive.
“We've seen that at many companies, employees believe that information that needs to be protected is special, sensitive stuff that's explicitly marked, and most of the everyday communications they receive and send aren't a risk for their organizations,” said PreVeil CEO Randy Battat in a statement upon the survey’s launch.
“The reality is that the majority of communications, and the majority of an organization's intellectual capital, can be found in the ‘ordinary’ email or shared file.”
Passwords not the be-all and end-all
Compounding the problems created by ease of access to potentially sensitive information was the risk of employees’ limited security practices.
Most employees understand the importance of passwords as the primary level of protection of company data: 76 percent reported using password protection techniques, although just 67 percent said their company regularly reminded them to update their passwords.
“It’s likely that some employees are subject to password restrictions or guidelines but are simply unaware of it,” the report’s authors noted. “So, even if they use password protection, they may not be doing so according to policy.”
This gap had led to lower levels of compliance than many employees would even be aware of – yet the discrepancy between actual and best practices was glaring.
Use of security tools was one glaring example: a previous Clutch survey for example, found that while 84 percent of corporate cybersecurity policies involve the use of specialised security software, just 48 percent of employees are regularly reminded to install that software – and just 44 percent actually do so.
This level of non-compliance has been a bugbear for CSOs that often assume their employees are as actively concerned about lower-level security measures and policies as they are.
Yet just 59 percent of employees saying they had competed formal security or security-policy training.
“The gap between how decision-makers design policy and how employees enact it underscores the importance of effectively communicating cybersecurity policy to employees,” the report notes.
“Lack of policy recognition and policy are essentially the same in the context of cybersecurity. That is, if a company’s employees don’t realize a policy is present, it is essentially non-existent.
Fixing this issue – which has become even more important in a NDB and GDPR-driven compliance environment hobbled by companies’ chronic inability to identify their data – may require CSOs to more strictly monitor and impose use of mobile device management (MDM) tools capable of forcing updates of security tools, password changes, and other elements of security policy.
“If you’re allowing access to a device that is going to be used at work, whether owned by the employee or the corporation, you also set up an environment where the IT organisation can specify which applications can be installed on that device,” ManageEngine director of product management Rajesh Ganesan recently told CSO Australia.
Low usage of security tools was compromising essential activities such as patch management – which has been “a little bit haphazard”, Ganesan said – but taking a more proactive stance was helping bring devices under control.