By: Chris Connell, Managing Director, Kaspersky Asia Pacific
Imagine this: your company has a precious treasure to protect, and defences using the latest technology have been set up. However, the guards on duty were never told about the treasure, nor were they taught how to operate the defence systems. Worse still, the guards did not recognise the treasure as something to be protected. When the enemy came, they easily bypassed the guards, disabled the security systems and stole the treasure, demanding a large sum of money for its return. In the context of business cybersecurity, it is not difficult to see which elements of the story stand for the company data, the cyber defences, the employees and, in the case of ransomware, the ransom.
While one might dismiss this scenario as silly or implausible, it is an increasingly pertinent issue many companies are facing. Earlier this year, over the span of just three months, six cyberattack incidents were reported in Singapore and around the region – a rising and certainly worrying trend. While it is a natural instinct for IT personnel to respond by fortifying their cybersecurity infrastructure in an attempt to contain the breach, that alone is not enough. When it comes to cybersecurity, non-IT personnel have been found to be a company’s weakest link. Unfortunately, more needs to be done to ensure employees do not end up becoming a company’s Achilles’ heel.
The risk from within
For the first time ever, last year companies everywhere rushed to pivot online as the pandemic spread across the world. In the span of a few days, employees brought their work home, and as the weeks turned to months, they got used to working from home – setting up conducive office spaces as a sense of normalcy returned. However, in the midst of setting up those office spaces, an important aspect of telecommuting was missed.
In a survey we conducted, around half of respondents had never worked from home before, and almost three quarters of them had not received any guidance or training when it came to cybersecurity awareness. Over time, the physical workstation was all set, but there were gaps in how organisations provided employees with basic IT know-how and a refresher on basic cyber hygiene practices. While social distancing measures proved to stem the spread of the coronavirus among co-workers, somewhere in the cybersphere, these same employees – uninformed or plain careless – were potentially allowing malware and viruses to spread.
It might come as a surprise to some that employees are one of businesses’ largest vulnerabilities. However, more than half of businesses believe their cyber risk stems from within. The top three cybersecurity worries of a business are often related to employees or human error – sharing inappropriate data via mobile devices (47%); physical loss of mobile devices exposing the organisation to risk (46%); and use of inappropriate IT resources by employees (44%). While one may point fingers at security systems, which should be able to guard devices from malware especially when corporate devices are misused, the reality is that many employees use devices with outdated patches. And threat actors know how to exploit these vulnerabilities.
64% of employees who had argued with their IT department were allowed to skip updates or select which aspects of their corporate security systems to update, and 44% of employees were less concerned about updating their work devices than their personal ones. This suggests a gap where employees do not view maintaining cybersecurity as a high priority. As if that were not concerning enough, the action – or lack thereof – of senior business leaders in the company could further exacerbate the issue of lapsed security systems. Senior executives are 12 times more likely to be targets of cyber threats than other employees. Aside from the fact that they have greater access to privileged information, they might also “enjoy” more lax security requirements than other employees. 45% of the surveyed organisations exclude the C-suite from their update plans, which increases their exposure and vulnerability to cyberthreats.
BYOD – Bring Your Own Dangers?
As employees continue adjusting to their home working environments, the divide between home and work blurs – more than half of those working from home admitted to watching adult content on the same devices they use for work. While not all employees exhibit such behaviour to this extent, 49% of employees have admitted to using personal email accounts for work-related matters since working from home, and 38% use personal messengers that have not been approved by their IT departments. This is the perfect recipe for cybercriminals to breach corporate data and devices. Moreover, in some instances, simply being connected to the same network could put even the most careful worker’s device at risk. Some malware, such as worms, does not require human help to infect, self-replicate or propagate: it infects its entry point and then spreads to other devices connected to the same network.
It may seem innocent for employees to cross-use personal and work devices while working from home. However, with 73% of employees not receiving any IT security awareness training from their employer since transitioning to working from home, almost three quarters of remote employees are blissfully unaware of the dangers lurking online. Of the cybersecurity incidents faced by businesses in the past 12 months, 11% involved careless employees falling prey to phishing or social engineering attacks. The simple action of clicking on the “wrong” email, one actually sent by threat actors, could have the disastrous effect of putting the company’s data or systems at risk. This could be avoided with proper training on appropriate behaviour and awareness of how to protect the business.
During these times of remote working, when employees are spread across various locations in the country or even the world, it is indeed a challenging task for IT personnel to ensure those employees continue carrying out their jobs safely. Ensuring the continued safety of a company will take the combined efforts of all employees. One of my favourite analogies regarding the prevention of potential cyber threats, and to demonstrate the importance of businesses shoring up their cyber defences, is simple: if you would never leave the front door of your house open all day with the possibility of someone walking in, think of your computers and cyber defences the same way. Keep your network access and your systems tightly secured, and do not leave any opportunity for a cybercriminal to get in through open windows or doors.
No one is immune to cyber threats, nor can we prevent every incident from happening. However, a good cybersecurity system can mitigate the impact of an incident and minimise any disruption it causes.