Employee Carelessness the Greatest Threat to Corporate Security

by Jeff Wiener on February 11, 2014

With existing threats of organized hacker attacks, ineffective cyber-security measures, debilitating malware and disconcerting network vulnerabilities, it’s easy to say that today’s IT industry has its hands full dealing with external threats. But while the IT industry has spent so much time and energy focused on outside attacks, those tactics seem unable to combat the greatest perceived threat to corporate security: careless and reckless employees.

In a recent survey of IT administrators and security professionals, 80 percent of respondents indicated that the greatest threat to corporate network security wasn’t some malevolent outside force; it was “end user carelessness.” Such a widespread laissez-faire attitude towards security concerns, however, was found to be only part of the problem, one made exponentially worse by an executive body who “failed to support their security administrators by enforcing computer security policies.”

Simply put, while most of the resources of corporate IT have been spent on preventing external attacks, the struggles of the IT sector seem to uniquely embody the famous Walt Kelly quote: We have met the enemy and he is us.

“The first rule of security is that you cannot trust your end users; they will click yes to anything and damn the consequences,” fumed one IT manager, and she couldn’t be more right.

Blame the BYOD movement, blame the phone, blame what you will, but as this recent survey indicates, those are only tools in the hands of the real culprit, end users with careless disregard for corporate security policies. In fact, IT departments are increasingly becoming frustrated with this widespread nonchalance that seems to accompany corporate attitudes towards network security. If employees don’t care and executives don’t strictly enforce the rules, then how can any company really hope to repair network vulnerabilities?

Granted, there is no such thing as absolute security; 100 percent network protection simply doesn’t exist. As E-Commerce writer Laura DiDio explains, “Security is a process and an ongoing work in progress. Organizations must be ever-vigilant and assume responsibility for their system and network security.”

But the problem is that organizations are multi-layered and multi-faceted entities, meaning that if everyone from top-level management to the lowliest temp is not on board with the plan, proactively working to mitigate potential security threats, then that simply creates more vulnerabilities. As the saying goes, a chain is only as strong as its weakest link.

The overarching issue is, of course, that the BYOD movement has effectively neutered the ability of IT to control endpoints on a corporate network, as suddenly everyone looks at the CEO who now brings his iPhone to work and thinks, why not me? If the boss doesn’t care about security protocols, why should I?

So how do companies solve a problem like click-happy, nonchalant employees? In a word: education. “Employees remain the biggest single threat to any organization, including ours, and we are very aggressive about increasing employee awareness,” said a security manager at a Midwestern firm, one that routinely provides in-depth security training for its employees and hosts monthly security-focused seminars. That said, even with such efforts that particular company isn’t able to plug all the security holes, but it’s a start.
