by Nick Kael
Posted on October 4, 2021
Everyone is in favor of cybersecurity. That is, unless – or more often, until – it gets in the way of what you need to do. Or makes it more inconvenient. And when that happens, users do their best to sidestep or undermine the procedures and safeguards that are meant to protect your business from cyberattacks.
These are some of the disturbing conclusions from a new report from HP Wolf Security, “Rebellions and Rejections.”
With offices reopening following the pandemic-spurred shift to work from home, many employers are moving to a hybrid model of splitting work between office and home. Nearly 40% of users surveyed said they expect to spend half or more of their time working from home long-term. This is a huge shift from just a couple of years ago, when few companies were set up to support large numbers of people working remotely.
The alarming truth is that still, today, the majority of companies are not really set up for remote work – despite the fact that they have been enabling it for well over a year. As a result, IT professionals still widely (and wisely) view work from home as a danger. A staggering 83% of the IT teams surveyed said from-home work constitutes a “ticking time bomb” for a network breach.
Information security and IT professionals are increasingly finding themselves facing a resounding lack of support for their efforts to keep their companies cyber safe. From employees they encounter apathy, frustration, and often-successful attempts to circumvent protections. From management, they feel pressure to take actions that have the effect of compromising security in the interest of business continuity. IT professionals are left feeling like “bad guys,” perceived as making other employees’ jobs more difficult.
The report found that the biggest rebellion comes from the youngest workers: Perhaps because 18-to-24 year olds grew up attached to personal devices, they’re not used to things being complicated or thinking of technology as potentially sinister. 39% of office workers in that age group were unsure of the data security policies of their employers; a majority, 54%, said that they were more concerned about meeting their deadlines than they are about the risks of a data breach.
Nearly half of all office workers say that security measures result in a lot of wasted time and are a hindrance. Over a third consider security policies to be too restrictive. That’s a lot of users who feel that some security measures are an unnecessary waste of time. So it’s not surprising that many employees think they know better than the professionals charged with protecting the organization, and choose to disregard or do an end run around security measures.
Younger office workers are the group that is most likely to try and get around security measures: 31% of workers in the 18-24 year old group confess to having tried to circumvent corporate security technologies or policies.
Management should be very concerned about cybersecurity. High-profile cyberattacks that cost companies millions and/or compromise the personal data of tens of millions of users are becoming increasingly common. Cyberattacks have shut down factories, hospitals, and an oil pipeline. Failing to properly secure customer personal data can result in hefty fines under data protection laws such as GDPR and HIPAA. Yet almost all IT teams – 91% – felt pressure to compromise security for the sake of business continuity. 76% said that security took a back seat to continuity during the pandemic.
Cybersecurity risks may seem a little abstract to most managers. After all, those big cyberattacks that shut down companies and cost millions of dollars happen to other companies, not theirs. And when they can manage it, companies try not to disclose that they were attacked, so many attacks are out of sight and therefore out of mind. Whereas the dangers of losing business, missing deadlines, displeasing customers or disappointing stockholders are known, top-of-mind risks.
Not surprisingly, given the lack of support (if not open hostility) from both users and management, IT teams are feeling dejected. 80% of IT people surveyed said they felt IT security was a “thankless task,” and 69% said that they are made to feel like “bad guys” when they’re just trying to do their jobs.
Cybersecurity is too important to be optional. IT teams are correct to insist on having strong controls. However, compliance rates will be higher – and complaint rates and resistance lower – if cybersecurity doesn’t impose too great an operational burden on users. These are some things that companies can do to make life easier for users while keeping corporate data secure:
This last item – making your cybersecurity approach comprehensive – also enhances security. Cybersecurity should not be easy for users to bypass. A patchwork approach to cybersecurity leaves gaps where users might find ways to bypass corporate data security requirements.
Providing a high level of security with minimum pain to users is one reason why we developed the ZTEdge platform. ZTEdge provides Zero Trust security in a comprehensive cloud-based cybersecurity platform that protects all of your corporate apps and data wherever they are located, for users who are either in the office or working remotely.