CIOs agree: lack of staff security knowhow a critical problem

Nearly two-thirds of workers fail to change passwords frequently, creating vulnerabilities

Staff reuse passwords, share devices and cannot tell the difference between fake and legitimate emails.

IT leaders everywhere face a hiring crisis today, making the recruitment of skilled employees a huge challenge.

But just as important is the lack of security knowledge among existing staff, which opens security holes into your network.

Failing to change passwords frequently is one example of a classic mistake that can cost an organisation time, money and its reputation.

Suzan Sakarya, senior manager at Jamf, said, "A recent survey showed that 61% of workers don't set a passcode to make [their devices] more accessible to friends and family. The same survey showed that 28% of corporate devices are running a vulnerable OS. If you don't have a passcode or if you're running an old OS, a hacker doesn't need to work very hard to exploit your device."

Craig Lurey, co-founder at Keeper Security, agreed, "The cybersecurity habits of a business's workforce can often be its undoing. Password security issues alone account for over 80% of all data breaches and about 75% of ransomware attacks, so businesses are at a far greater risk of being compromised if employees ignore (or are unaware of) the importance of password hygiene."

Lurey added, "According to Keeper research, almost half (44%) of people admit to reusing passwords across personal and work-related accounts.

"Education about the importance of strong password security must become an essential component of digital security policies for businesses across the world and across all industries.

"With the number of passwords each individual uses on the rise (now an average of more than 100), the need for an effective password manager to support basic password hygiene becomes more obvious."

Another critical problem is staff being unable to tell the difference between fraudulent phishing emails and legitimate messages.

FourNet's Rob Brown highlights this point: "Don't assume that your staff should know when an email is malicious. Even highly trained security staff sometimes don't recognise the difference between a genuine email and a malicious one.

"Regularly test your employees using phishing simulation techniques and, crucially, ensure they understand the part they play in the security of your company. This is essential."

Mark Benson, CTO of Logicalis UK&I, agreed with the need for better cybersecurity training, and also raised the downsides of home and hybrid working: "At the top of the security agenda must be educating employees about basic cybersecurity. Without this education, organisations are often opening themselves up for increased vulnerabilities.

"With employees working from home, and the increase in bring your own device, the biggest threat organisations are facing is the vulnerabilities brought about by the distributed workforce and the challenges this brings for corporate network visibility and control."

Inadequate cybersecurity awareness amongst staff is a common problem that firms must work on, and a key source of vulnerability to cyber attacks. No easy, fix-all solution exists, but training is an important first step.