1. Extra Categories
  2. Editor's Pick
July 30, 2021updated 06 Aug 2021 3:17pm

Are you reading this on a personal device? Yes, you’re the problem

By Robert Scammell

It only takes one mistake for a cyberattacker to gain access to an organisation. Yet four out of five employees have admitted to engaging in risky cyber behaviour that increases the risk of a breach, according to a survey conducted by cybsersecurity company ThycoticCentrify.

The global survey of 8,000 employees found 79% of employees had engaged in at least one risky IT practice in the last year, such as reusing a password across multiple services.

The most common risky cyber behaviour (35%) was saving passwords in the autofill box of their internet browsers on all their devices, instead of using a password manager. It means that an attacker compromising one device will then be able to gain access to multiple services.

“If the employee has saved multiple passwords within the internet browser, the attacker can readily see whether they are all the same or simple variations such as one character difference,” the report notes. “With this information, they can use password cracking tools and wordlists to create all possible combinations of an employee’s password choices.”

Recent high-profile hacks against SolarWinds and Colonial Pipeline both stemmed from a single compromised password and went on to cause tens of millions of dollars in damage.

The next most common behaviour was connecting to public Wi-Fi networks, which 32% of employees admitted to doing.

The mass shift to remote working caused by the Covid-19 pandemic has often blurred the lines between home and work life. This has created headaches for security professionals who have had to protect organisations out of the more controllable confines of the office. One of the main threats is the use of personal devices to conduct work, a behaviour that 23% of respondents admitted to doing.

Among the least likely mistakes to be made were accessing the dark web or adult content (11%) and allowing family members to use company devices (11%).

Of those surveyed some 1,000 were based in each of the UK, US and Germany.

Despite admitting to making cybersecurity faux pas, the majority – 86% – of employees agreed that they have a personal responsibility to keep their organisation safe from cyber threats.

Less than half (44%) of respondents said they have received cybersecurity training in the past year, a figure that decreases among small and midsize businesses.

“We’d urge employers to redouble efforts to encourage the best possible digital security practices in staff and remind them of the risks of failing to secure networks,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify.

“A ransomware attack or major breach has major consequences which can last for years, so every organisation needs to establish security processes and work to ensure they resonate with employees.”