As seen in high profile hacks that exposed more than one million customer details, cybercriminals are finding ways to access networks and private accounts like never before, exposing even the most knowing user to a security breach.
Cisco’s latest Annual Security Report sheds light on the increasingly intelligent and harder-to-navigate threat landscape, particularly in terms of the nature of threats and the key risk factors.
In 2014, spam alone increased in volume by a significant 250%, with the top three trends being snowshoe spam, web exploits and malicious combinations. The first enables criminals to avoid detection by sending low volume spam to a large set of IP addresses, while web exploits attack less common kits used by security companies. Malicious combinations, such as those shared over both Flash and JavaScript files, are also making it much harder for security devices to identify and block security breaches or analyse them with reverse engineering tools.
Although businesses are indeed implementing stringent security measures to defend networks from external attacks, many are unaware that an alarming portion of security risk is in fact internal. Research from Cisco has revealed that employee behaviour is the second greatest source of risk to data security, second only to cybercrime, at 52% and 60% respectively. What we are now seeing is that, despite being victims themselves, users and IT teams are increasingly becoming unwitting players in cyber attacks, through a lack of either awareness or a sense of responsibility at the individual level.
Firstly, online criminals are designing malware and unwanted applications that rely on tools users trust in order to infest devices inconspicuously. Employee complacency is another overlooked risk factor, particularly when it comes to ensuring the latest software versions or updates are installed. Only 10% of those surveyed claimed to be running the latest version of Internet Explorer, which gives cybercriminals avenues that are easier to exploit.
As the cyber world evolves, so too do the dynamics of the workplace, in which a greater number of digital natives and tech savvy employees are becoming prominent. As a result, we are seeing an increasing divide between the expectations of employees and the attitudes of the IT department.
Although the majority believe in the necessity of security measures, 12% believe innovation is stifled by what they see as restrictive security policies. A further 13% also believe security protocols inhibit their ability to get their jobs done to the point where 4% will even go so far as to actively circumvent their organisation’s security policies.
If the threat landscape, and the inherent element of employee behaviour, is evolving, then it is now more important than ever for organisations’ approach to security to follow suit. As users are increasingly, albeit unwittingly, compromising cyber security, enterprises must decide on how best to make applications and software more intuitive for employees to use.
Security protocols must provide employees the flexibility to work productively and as required, while simultaneously ensuring the mitigation of all consequent security risks. This can involve establishing more user-friendly policies, those that don’t force employees to work around rigid tools that impede their workday.
CISOs and management must also highlight the ways in which all employees play a critical role in ensuring the organisation achieves dynamic protection that supports the business. This necessitates taking the time to educate or train all users, rather than assume their security illiteracy and subsequently bypass them while neglecting their critical position in the organisation’s security chain. In doing so we can start to align user behaviour with user perception, and ensure all individuals view security as an enabler of the business, rather than a hindrance.
Fundamentally, in order to drive change from the user perspective, businesses must adhere to an all-hands-on-deck approach, which embeds security into all operations across the business.
Only through a collaborative approach, and ensuring that security measures are deployed from the boardroom and across the business, will organisations be able to ensure their security policies are not only adequate, but accurately reflect the ever evolving and dynamic nature of cyber security.
Sourced from Terry Greer-King, Cisco