Inside threats: How can companies improve their cyber hygiene?

29 Nov 2024


From password reuse to fears of punishment, Arctic Wolf’s Nick Dyer breaks down the biggest threats to an organisation’s cybersecurity culture.

Last month, cybersecurity company Arctic Wolf released a report examining the behaviours and trends of organisations’ workforces in relation to cyber hygiene.

Having conducted a global survey with Sapio Research of more than 1,500 senior IT and security decision-makers and end users (whose roles varied from senior and middle management across departments such as finance, HR, legal and marketing) from 16 countries, Arctic Wolf published a number of surprising statistics on the cybersecurity practices of employees and, in particular, IT teams.

One notable statistic reported by Arctic Wolf was that 80pc of IT and cybersecurity leaders were confident that their organisation won’t fall for a phishing attack – despite 64pc of that same cohort admitting to clicking on potential phishing links at least once. While 43pc of end users said they have clicked on a phishing link, the report does point out that end users could be less likely to realise they have done so, or that more IT and security leaders are being targeted.

Meanwhile, in one of the most shocking findings of the report, 68pc of IT and cybersecurity leaders surveyed admitted to reusing system passwords, while 64pc of end users admitted to carrying out the practice.

“It’s a worrying oxymoron,” says Nick Dyer, Arctic Wolf’s sales engineering director for the UK and Ireland. “IT and cyber leaders are trusted guardians of their organisation’s critical data, devices and services, they are responsible for protecting and isolating the crucial elements that make the organisation what it is, and this is done often by giving them privileged or elevated access to these business-critical components.

“By discovering that a significant portion of those same key decision-makers are reusing passwords from key internal to external third-party websites – which could then be subject to a third-party website leak allowing threat actors to reuse those credentials with ease – compromises the security posture of the organisation at the proverbial first hurdle.”


According to Dyer, password credential theft, “brute force” and password reuse are often the easiest ways for threat actors to gain access, exfiltrate confidential data and perform human manipulation for monetary gains.

“It’s no coincidence that in our report 65pc of those who have experienced four breaches in the past 12 months also said they are re-using passwords.”

Supporting the workforce

With troubling statistics such as these, how can organisations amend poor cyber hygiene in their workforces?

Dyer says that first and foremost, organisations need a positive security culture across all employees (not just within IT), along with “well understood” policies and plans. He stresses that a “sensible line” should be drawn between “the rigour of said policies and the art of doing business”, as often the two can conflict and lead to the implementation of shadow IT – which is any software or IT resource used without the IT department’s knowledge or approval.

In terms of education, Dyer says that there should be a continuous programme of awareness education and reinforcement in order to stay up to date with the “cat and mouse” structure of cyberthreats and cyber defence, as threat actor tactics, techniques and procedures are “advancing at a rapid rate”.

“Based on this acceleration, educational content curated six to 12 months ago is already out of date,” he says. “This means much of the content being deployed to user communities today is stale and tends not to protect against the latest threats the organisation faces.”


Fears of punishment

As well as promoting policies and education, Dyer says an important task at hand is building confidence across the entire company to raise the alarm if something suspicious is encountered without fear of punishment.

According to the report, 5pc of end users stated that they weren’t comfortable reporting cybersecurity incidents or suspicious activity. When asked why, 45pc of this cohort said that they were worried it would affect their employment.

It seems this concern is justified, as only 34pc of IT and security leaders said they would rule out termination for an employee who fell victim to a scam such as phishing, while 27pc have terminated an employee for this very reason.

“If end users withhold potentially important information or hesitate/don’t flag something suspicious due to fear of reprimand, the capability of quickly detecting, responding and recovering from an isolated cyber incident is near impossible,” says Dyer. “Not only does this delay the response capability, but in turn escalates the damage caused by the attack beyond the original blast radius.”

The report seems to indicate a disconnect on this topic, as 85pc of IT leaders think employees feel comfortable reporting security incidents – when only 77pc of end users actually do.

In order to build a positive culture of security, Dyer says that pillars of effective communication are required, along with two-way trust and a sense of responsibility for all stakeholders.

“IT and cyber leaders need to step outside of their comfort zone and over-communicate throughout the organisation, using language and terminology that resonates with end users – not deep IT literate technical staff – as well as providing context as to why a risk is prevalent and how a security measure is implemented to prevent it.

“Continually including the end-user in the discussion, from their point of view, is powerful.”

Beyond communication, Dyer says that trust can be built by establishing open lines for support, feedback or reporting incidents without fear of reprimand or blame. “And if there is a security win – publish it and distribute it for all to see and hear – make good cyber practices a force to be celebrated.”

Workforce measures

Reflecting on the disconnect between IT and end users, Dyer says that there will “always be a disparity between the two classes of employees”.

“IT is a core fundamental dependency to allow end users to perform their roles to the best of their ability – delivered as a service for which they consume as customers,” he says. “Users wish to achieve and excel in their employment, and restrictions of IT can be a negative detractor in doing so.”

He adds that users are seldom consciously trying to compromise the security of an organisation, and that the incompetence in security hygiene is due to a lack of investment, awareness, engagement or reinforcement.

“It is the job of IT leaders to bridge that gap [and] partner with their respective peers to build a positive security awareness culture where employees feel empowered to speak up if something doesn’t look right and to believe in the mission of effectively securing the organisation from the evolving world of outside and inside threats.”

And to build that culture, Dyer has some advice, such as making policies clearly defined and user-friendly, allowing employees to do their jobs using tech to the best of their ability (with an understanding of the guardrails they have) and instructing them on what to do should something suspicious happen.

In terms of resources, he says that organisations should implement tech such as password managers and multifactor authentication, and allow users to have personal licences to use in their home lives – thus discouraging the copying of passwords from work to home.

“Finally, cybersecurity needs to be a top-down as well as bottom-up approach. An inclusive, positive culture of security only exists when the leaders and board buy in, and talk the same language about business security when IT leaders aren’t in the room.

“The workforce are our biggest asset in the fight against cybercrime when empowered to do the right things.”


Colin Ryan is a copywriter/copyeditor at Silicon Republic
