Last week, CloudLock, a Massachusetts-based security firm, released a study that found that 1% of employees are responsible for 75% of cloud-related enterprise security risk. Such users often engage in behaviors such as sending out plain-text passwords, sharing files, accidentally downloading malware, clicking on phishing links (http://www.ciodive.com/news/phishing-prevention-phish-own-employees/427343/), using risky applications and reusing passwords. People in that 1% are also responsible for 81% of shared files and 62% of installed apps, the study found. And contrary to popular assumption, the risky users were not just lower-level employees. High-risk behavior was also found at the corporate level.
"Cybercriminals try to find the weakest link, the easiest point of access," said Ayse Kaya Firat, CloudLock's director of customer insights and analytics. "The user might not have any malicious intent. They might just want to listen to some music or play a game, but they're opening up the gateway for cybercriminals."
A recent study compiled by Pittsburgh-based Wombat Security Technologies in collaboration with the Aberdeen Group found a lack of employee training can dilute even significant investments in IT security, calling end users "perhaps the greatest evolving security threat."
The good news is the CloudLock study also found that companies can dramatically reduce their exposure just by paying extra attention to risk-prone users.
"By focusing on the right people, you can do a ton with minimum effort," Firat said.
Education is vital
While there are many technology-based approaches businesses can take to shore up security — including putting up firewalls, ensuring users update passwords regularly, installing anti-virus software, etc. — educating and training employees tends to fall lower on the priority list for some organizations.
"Many security officers intuitively know that security education is an important line of defense against cyber crime," said Wombat President and CEO Joe Ferrara. "But they have trouble convincing senior management to spend the money necessary to execute an effective training program."
But the efforts are well worth it. The Wombat study found that increased investment in employee training can reduce a company's risk of a cyber security attack by up to 70%.
Changing the Status Quo
To reduce risk, CIOs can:
- Support and push for continuous efforts that educate employees about cyber security best practices.
- Provide education to all users, even C-suite executives, about the types of information that are sensitive or confidential and their responsibilities to protect that data.
- Focus on the areas perceived as the biggest risks among employees, which can vary. The most recent Verizon data breach report found stolen credentials or phishing accounted for more than two-thirds of all breaches last year.
- Work with HR to establish a written policy about data security and communicate it to all employees.