Security is, of course, a major concern for most companies, but it's often seen as an outside threat. But it turns out that employees are one of the biggest security threats, and apparently most acknowledge their behavior is risky, according to a Blue Coat study.
The Blue Coat study of 1,580 employees from 11 countries uncovered the risky habits of employees accessing - sometimes knowingly - inappropriate content on work devices. Some of the biggest issues include accessing adult content, but social media is also posing a new threat to businesses.
According to data from Blue Coat, one in every 20 U.S. employees has accessed adult content on a work device, but naivety isn't an excuse. Eighty percent of those who admitted to doing so also acknowledged it put the company's security at risk. China was the biggest offender, with one in five employees admitting to accessing adult content on a work device.
The danger is more than a potential work-place harassment lawsuit. Most of these sites often hide malicious content within links. That's how websites offering free adult content make their money, through installing malware on your computer. So it's less about the content employees are accessing, and more about the threats that lie within the links, according to Joseph Steinberg, cybersecurity expert and author.
Steinberg points out that the threat is greater than websites offering free pornography. It also includes "anything that has pirated software and movies," he says. "A lot of them are actually in the business of putting malware onto computers. So it's not just the blocking for the sake of preventing the employee from doing something wrong, it's also preventing damage to the businesses computers and potentially data."
That means an employee downloading pirated content onto their work computer offers more potential danger than the legalities around accessing that type content. It can cause a business' systems to break, allowing malware to infiltrate the system and reveal sensitive company data.
Phishing poses one of the greatest risks to companies, because a well-meaning employee can quickly - and unintentionally - cause a security threat with the click of a link. Blue Coat found that while the U.S. reported opening fewer unsolicited emails than other countries (17 percent), 80 percent of businesses still view phishing as a major security threat.
Steinberg points out that phishing is nothing new. "It's the same thing that was going on 500 years ago when a guy showed up at a castle and said 'I'm a knight,' and he had killed the real knight and taken his armor. The scams are the same in a different medium, so training can only get you to a certain level. People still fall victim to scams; people still make mistakes."
Adult content, quite obviously, includes pornography, but international companies have even more risk when considering laws around the world. That's because what's legal in the U.S. might not be legal elsewhere, and vice versa.
"Anything in the U.S. that is classified as over 18 is adult content," says Steinberg, "but different countries have different rules on this kind of thing, and that's something that international organizations need to be cognizant of," says Steinberg.
Adult content can quickly take on more meaning in other countries, and it's something employers need to educate employees about. The security risks become greater if employees are unknowingly accessing illegal content while traveling for business. Companies need to consider the international implications of adult content, and what that might mean for the security of their business.
Social media is a new medium for cybersecurity threats and it's difficult for companies to monitor, let alone secure. Blue Coat found that 41 percent of U.S. employees access personal social media accounts at work, which is problematic because malware can easily disguise itself in shortened links. Users might not think twice about clicking out from a tweet or Facebook post, since shortened links have become the norm on social media sites.
As the study states, "an attacker may create a seemingly personalized email targeted at an IT administrator for a large enterprise using information found on social media profiles, such as the recipient's alma mater or favorite sports team."
Social media also poses risks when it comes to what employees share and post, as they can unwittingly give out sensitive data without realizing it.
Steinberg is a co-creator of a technology called SecureMySocial, software that can alert users before they post something potentially harmful. "If you're posting something that looks like its leaking employer data or saying something that by most normative standards might be considered insensitive, it will warn you."
Implementing these types of failsafe resources are one way to help prevent security threats, but when dealing with humans, you can only go so far.
How to help employees understand the risk
The problem with humans as a security threat is that there isn't a perfect solution, but companies can work to help employees understand the risks they pose not only to the company, but themselves. Employers need to understand that workers expect a certain level of access in today's digital age, and completely barring them from social sites or non-work related content, won't offer a solution.
"The reality is that we're on human mind version 1.0," says Steinberg, "your firewall may be version 20, your word process might be version 20, but in the last 20 years the human brain has not evolved. The same kind of mistakes that we were making at the beginning of the Internet era, we're making now."
When it comes to protecting a company from its own employees, there needs to be a balance between reasonable access and security. "Businesses need to find ways to support these technology choices while simultaneously mitigating the security risks," says Hugh Thompson, CTO for Blue Coat.
This story, "How your employees put your organization at risk" was originally published by CIO.