December 20, 2018
Huge numbers of employees have or have had access to mission-critical company systems that should be reserved only for staff who require it, claims a new study by CyberArk. Specifically, it found that almost half (48 percent) of employees have or have had access to sensitive financial documents; 46 percent to confidential HR information; nearly a third (29 percent) have or have had direct access to company bank accounts; and over a third (37 percent) have had access to research and development plans or blueprints for new products/services. Credential theft remains the most common and effective route to a successful cyber-attack.
A lax approach to protecting high-value ‘privileged’ accounts can directly elevate the risk, so managing privilege is essential but, according to the study, many businesses are failing to lock down these key accounts following changes in personnel. One in five (21 percent) office workers admitted leaving a job with login details for at least one confidential company system, potentially allowing ‘ghost’ employees – former staff members with working login details and credentials – unauthorised access to sensitive company data.
These ‘ghost’ individuals pose a substantial threat, according to Rich Turner, VP EMEA at CyberArk: “Ghost employees are a major concern for any organisation – they not only elevate the risk of key company applications, tools and data being breached in the event of a cyber-attack, but also provide a potential route for disgruntled employees or rival businesses to manipulate existing data, causing serious administrative and financial damage.
“These findings are symptomatic of the misguided cyber spending habits of UK PLC. We continue to devote huge sums to perimeter defences when the smarter approach is to assume the inevitable – that attacks will get in – and ensure that their access to sensitive assets and data is contained.”
Being cyber-sensible, but risk remains
However, the study did reveal that employees are developing a more involved approach to cybersecurity, showing that cyber education is having a positive effect and that British businesses can look forward to a more secure future. Nearly four in five (79 percent) office workers would immediately admit to IT if they opened a malicious attachment, while three quarters (75 percent) would voice their concerns if they didn’t understand communications from IT about security. This more involved approach to security is increasing their faith in their IT teams, with nearly three in four (74 percent) confident that their security team is effectively protecting the wider organisation against threats.
However, this confidence contrasts with the behaviour of many existing employees, who are still exhibiting poor cyber practices. Large numbers are still failing to admit their cyber indiscipline to their security teams, according to CyberArk’s survey: it found that more than half (54 percent) don’t admit when they let colleagues use their login details, and 45 percent don’t inform their IT team when they download an unauthorised app onto their work device. Such behaviours are significantly increasing their employers’ risk exposure by leaving their IT systems and accounts vulnerable to the escalation of privileges during a subsequent attack.
Securing the future of the workplace
As well as assessing office workers’ current approach to cybersecurity, the study also explored how evolutions in workplace habits and technologies are changing the security landscape. Encouragingly, it revealed that many organisations are beginning to integrate cutting-edge new security technologies into their strategies, with nearly one in five (19 percent) office workers reporting that their IT security team is experimenting with biometric security techniques, including fingerprint and retinal scans and embedded microchips.
Nonetheless, despite firms demonstrating a willingness to experiment with new forms of authentication, securing innovative new platforms remains a challenge. Smart devices in particular present a great cause for concern, with 40 percent of employees reporting that their IT security team is failing to effectively secure IoT and BYOD devices, providing attackers with another privileged pathway to exploit. As these technologies become more and more prevalent, it’s vital that their access to company tools and applications is managed in the same way as any other device within a corporate network.