Too much focus on external threats could mean IT departments are missing a trick when it comes to their biggest enemy – their own department and users.
According to a damning new report from Cisco, IT is putting too much energy into combatting cybercriminals and hackers and not enough into education, awareness and threats from within.
Employee behaviour is becoming an increasing source of risk, through complacency and lack of awareness, says Cisco, with many believing that security policies inhibit their ability to work together or do new things.
39% of users surveyed expect their company to take care of data security, while a massive 62% think their behaviour has only a low or moderate impact on security.
This attitude may be due to a lack of visibility given to security policies. While 61% of employees thought their company had security policies in place, almost half (48%) said they weren’t concerned about them. Some may even be deliberately circumventing them – 37% admitted to low levels of adherence, and twice as many people admitted to being more rigorous about data security at home than at work.
All of those surveyed used company networks to do personal things such as banking (79%), online shopping (75%), and travel (59%).
Employees seem to see IT security as a barrier to the business rather than an enabler, one that stifles innovation, with almost one in four (22%) believing that the cost of a lost business opportunity outweighs the cost of a potential security incident.
User-centric security profiles
As part of the research, Cisco identified four distinct security behaviour profiles, which could give IT departments an insight into what users are doing and help them construct a different strategy for each.
The threat aware
These users are the most aware of security risks and try hard to stay safe online, so need the least engagement from security chiefs.
Those who try to adhere to policies but who are ‘hit and miss’ when it comes to implementing them
These users are the thorn in any IT department’s side: they expect the company to provide a comprehensive security environment and so don’t try to take any individual responsibility.
The bored and cynical
Those who believe cybercrime is overhyped and that IT security just inhibits their performance, so they will generally ignore policies or deliberately circumvent them to get things done.
‘As cybersecurity becomes more of a strategic risk, organisations are looking to make it a formal business process providing the organisation with a holistic view of cybersecurity risks and the opportunity to improve business practices,’ said Terry Greer-King, director of cyber security for Cisco UK and Ireland. ‘This should be a key part of daily operations to protect the business from internal and external threats.’
‘The balancing act of business enablement and protection will require a fundamental shift in how we approach IT security. Businesses that persist with point security solutions will find themselves at greater risk, as this approach is responsible for creating gaps in traditional defences that attackers exploit. Instead, organisations need to implement user-specific protocols which accommodate individual behavioural profiles, allowing them to track the users and devices connecting to networks in order to lower the risk of a breach across the entire organisation.’