Four out of ten employees do not pay attention to IT security in the office
by Tina Siering
The biggest threats to corporate IT security
In surveys and analyses, the top 3 biggest IT threats to businesses regularly include people, malware and data breaches. This shows that digital systems only provide as much security as the user allows. Malware infections and data breaches are also often the result of an employee's mistake, for example a forgotten data backup or a carelessly opened e-mail attachment.
In this context, it is interesting to note that users behave differently in private than in the office. In a survey, over 52 percent stated that they exercise more caution on their home computer than at their workplace in the company. Nearly 40 percent said they are least careful at the office.
The reasons for this lie in an incorrect or missing understanding of the threats lurking in the digital space. At home, users are well aware of the consequences if cybercriminals get hold of their own online banking access data, for example. In the office, on the other hand, employees trust that the company's own IT security will guarantee security. Employees also assume that if their own PC fails, for example due to malware, replacing that computer will be enough to fix the problem. Many are simply unaware that hackers use access to one computer to infiltrate the entire network. Accordingly, this group of employees is careless when it comes to IT security.
What measures are suitable for preventing and responding to this situation?
The key challenge in this situation is to train employees better. The absolute majority of careless employees are careless about IT security not out of malicious intent, but simply out of ignorance.
So the task of management as well as IT security is to make every employee part of the security strategy. This can be conveyed through training courses and advanced training on the subject of IT security. Only when employees understand what threats exist and what damage they can cause will an awareness of IT security develop.
An important part of training continues to be informing employees about the specific threats. Many employees cause cyber incidents because they are not adequately trained in the use of digital systems. Social engineering and phishing are just two of the many threats that employees need to be aware of. Concrete examples can be used to show what a dangerous mail attachment looks like.
Clear rules are also helpful in minimizing cyber threats. If there are no guidelines on what information employees are allowed to give out by phone or mail, cybercriminals can always extract data.
In addition, it is essential that IT Security has the proper tools to identify any security breaches as quickly as possible. This is where many companies and IT security departments continue to have gaps. Active cybersecurity systems, primarily early attack detection, are the appropriate means to ensure a high level of security.
Early attack detection identifies unusual actions that indicate activity by hackers. These are, for example, accesses from command and control servers after an employee has accidentally executed an infected mail attachment. But employees who act as internal perpetrators and transfer confidential data to servers outside the network, for example, also trigger an alarm in early attack detection. Because the system sends these alerts immediately after the incident, IT Security can respond to these scenarios without delay. Security breaches can thus be stopped directly and damage to the company is averted.
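The two scenarios above, command and control traffic after an infected attachment and confidential data leaving the network, can be sketched as detection logic over network flow records. This is an added example, not part of the original article or of any product's code; the record format, the internal address range, the thresholds and the sample flows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
EXFIL_BYTES = 50_000_000   # assumed threshold: 50 MB sent to one destination
MIN_BEACONS = 5            # assumed minimum connections to call it a pattern
MAX_JITTER = 0.1           # assumed: interval stddev <= 10% of mean interval

# Constructed flow records: (epoch seconds, source IP, destination IP, bytes sent)
FLOWS = (
    # workstation checking in with an external host every 60 seconds
    [(1000 + 60 * i, "10.0.4.17", "203.0.113.50", 420) for i in range(8)]
    # bulk upload from a workstation to an external server
    + [(1000, "10.0.4.22", "198.51.100.9", 30_000_000),
       (1900, "10.0.4.22", "198.51.100.9", 45_000_000)]
    # large transfer to an internal file server (must not alert)
    + [(1005, "10.0.4.17", "10.0.1.5", 90_000_000)]
    # irregular browsing traffic (must not alert)
    + [(t, "10.0.4.30", "192.0.2.80", 1500)
       for t in (1000, 1013, 1400, 1410, 2900, 2950)]
)

def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL_NET

def detect(flows):
    """Return a sorted list of (alert_type, source, destination) tuples."""
    by_pair = defaultdict(list)
    for ts, src, dst, sent in flows:
        if not is_external(src) and is_external(dst):  # outbound traffic only
            by_pair[(src, dst)].append((ts, sent))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        if sum(sent for _, sent in events) >= EXFIL_BYTES:
            alerts.append(("large_outbound_transfer", src, dst))
        # Near-constant gaps between connections suggest automated check-ins.
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        if len(events) >= MIN_BEACONS and pstdev(gaps) <= MAX_JITTER * mean(gaps):
            alerts.append(("periodic_beaconing", src, dst))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Fixed thresholds like these produce false positives from backup agents and update clients, so a production system would baseline each host's normal behaviour first.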
Other helpful measures include precautions that directly prevent damage caused by employees' careless actions or make it impossible. This includes, for example, the introduction of an internal communication platform such as Microsoft Teams. This separates internal communication from e-mail, where criminals repeatedly impersonate company employees to tap data or launch phishing attempts. It also makes sense to use group policies and access restrictions to limit the scope of user accounts to the bare minimum. It is also helpful to disable ActiveX controls in the corporate network, as these are often the target for malicious code.
Conclusion on IT security in everyday office life
Once again, surveys and statistics show that IT threats to corporate networks come from all directions. So companies that focus exclusively on external threats have major gaps in their cyber defenses.
The key to a high level of security in IT is a security strategy that takes all potential sources of danger into account. This includes the company's own employees. Targeted training and security solutions such as early attack detection can significantly increase the level of IT security.
Increasing digitization and dependence on IT make it necessary to adapt the IT security strategy accordingly and to equip IT security adequately.