New Research from Microsoft and Amarach Shows Poor Security Habits in Public and Private Sector Organisations in Ireland Increasing Risk of Cyberattacks
February 2019, by Microsoft and Amarach
Microsoft Ireland has warned that poor security habits within large Irish public sector and commercial organisations will lead to critical data and intellectual property loss. Following the publication of research across 700 employees working in large Irish organisations employing over 100 staff across both the public and private sector, Microsoft has identified potentially dangerous employee habits which if not addressed, could risk major data loss or theft over the coming year, with severe legal and reputational consequences.
Digital Transformation is enabling and transforming organisations, driving the need to maximise employee productivity, as well as adapting to the explosion in mobile devices and technology innovations. However, in the drive to transform, Irish organisations leave themselves vulnerable to major security risks that range from data and revenue loss to reputation damage, in addition to hindering digital transformation.
Microsoft commissioned Amarach Research to investigate the security culture within Irish organisations to understand how their employees accessed and used sensitive data while at work and on the go. The research also looked at what gaps were emerging that could be exploited by hackers or lead to a data breach.
As part of its on-going efforts to drive better security for organisations, Microsoft invests $1bn each year in security. It analyses more than 6.5 trillion signals daily, processes 630 billion authentications monthly, and scans 470 billion e-mails for malware and phishing monthly.
Inconsistent data security training: only 54% of respondents within large Irish organisations reported receiving training once a year. Only 16% of employees have updated their passwords in the last 12 months in line with their organisation’s policies.
Poor password hygiene by employees: Passwords have become too easy to guess or steal. Nearly a quarter (22%) of Irish employees write down their passwords. 77% of employees rely on their memory for their work and personal passwords. When it came to their password hygiene, 2 in 5 recycle their work passwords, and 44% recycle their personal passwords. Over the course of a year, only half change their passwords quarterly; the other half update their passwords once a year or less.
Employees are potentially using the same weak password across dozens of different accounts in their work and home life, making a stolen password more lucrative to criminals. To resolve this, 3 in 5 employees surveyed would welcome biometric verification as an alternative to passwords.
Home is where the data breach is: Organisations that provide the technology and trust but don’t enforce security and data protection are vulnerable. The research discovered that employees working from home are much more likely to engage in risky security activities that increase potential data loss. Nearly half (49%) of those working from home at least once a week used their personal email account for saving, editing, sending, or sharing work-related documents. 24% reveal that they accidentally shared work-related material with friends and family.
Different practices for those working from home: The research found that one in three are allowed by their company to use their personal device for work purposes. Half of respondents claim their personal device is better than their work device, and almost three in ten of these have used their home device to work on sensitive files.
A quarter of those working from home at least once a week admit to having friends or family access work devices at home, which may violate data policies from their organisation. This is worrying when 56% of respondents reported they work from home, and almost half of these have no restrictions on document access when working from home.
USBs and potential data loss: Worryingly, 25% of those surveyed admitted plugging a USB thumb drive that wasn’t from their company into their work device, 12% connected back-up drives, and 5% connected a smartphone that didn’t belong to them. This increases the chances of employees compromising their identity; Microsoft reported that 81% of major data breaches last year could be traced back to this issue alone.
Devices and security: While 1 in 5 respondents claim their devices are updated regularly, they aren’t shown how to use newly introduced technology. Using personal devices can increase risky employee behaviour such as downloading sensitive documents to mobile devices (e.g. Smartphones and Tablets) which could result in sensitive data being outside of the sight and control of the organisation.
Employees have already fallen victim to cyber hackers: 30% of employees surveyed have been notified about a breach of their personal data, and 44% have experienced problems with phishing, hacking, cyberfraud or other cyberattacks in either their personal or professional lives. Interestingly, 18% have reported similar issues in the workplace.
“Organisations can invest in robust data protection and security measures, but their employees could, accidentally, bring about a potential security disaster for their organisation,” said Des Ryan, Microsoft Ireland Solutions Director. “The most common and least detected sources of data breaches are compromised identities. Passwords can be hacked, guessed, leaked or lost. New technologies like biometric security can deliver the robust security required to protect organisations from most social engineering attacks.”
“Organisations must now ensure they are taking a considered approach to data security, and embrace new procedures and technologies, coupled with consistent training, enforced policies, along with better device upgrades to enable employees to deliver the productivity needed for successful transformation with a minimum of risk to the organisation. We see needless security risks created by employees who are unaware or are working from older devices or older versions of Windows. For example, those who are working in a public Wi-Fi spot who do not have the latest security measures or hardware are, in effect, broadcasting sensitive data that can be picked up by a hacker.”
Microsoft’s top ten tips to protect your organisation:
• Training: Ensure consistent training across the organisation that keeps all employees up to date on the latest cyber threats and their role in keeping critical data safe across all work and home devices.
• Beware of phishing: Open emailed links only from trusted sources. Same for responding to information requests.
• Beef up your password and consider biometrics: Go long — longer passwords are harder to crack. And mix it up with a hard-to-guess combination of upper- and lower-case letters, numerals and special characters (! # >, etc.). Ideally, move to new forms of security, e.g. Windows Hello, which uses biometric data to protect users and their devices from snooping or password exposure.
• Password-protect everything: Anything connected to the internet is potentially an entry point for the bad guys. That includes all employee phones, tablets and laptops. Multi-factor authentication is best.
• Keep software up-to-date: Older devices and software, especially if they’re no longer receiving security updates, can be vulnerable. Install updates and keep applications fresh. Ensure that you run all the latest Windows 10 updates, and if you have not started, begin the transition from Windows 7 before its end of support next year.
• Keep data safe in the cloud: Making backups behind firewalls with a trusted cloud provider is both smart and surprisingly affordable.
• Take GDPR seriously: Get serious about personal data. Ensure you have robust data protection policies and training on GDPR completed to ensure everyone in the organisation understands their responsibility.
• Plan device refresh and updates: Adopt a top-down approach to new devices for staff to ensure that you are updating devices on a consistent basis. This helps to ensure no devices get too old and unprotected.
• Encrypt all devices: Ensure BitLocker is turned on so that sensitive data is fully protected in the event of device theft.
• Be paranoid about personal devices: Create a robust BYOD policy, including back-up drives, and enforce it across all levels within the organisation.
Microsoft offers security products to both private and public sector organisations, leading with Microsoft 365 E5, which provides customers with the most extensive productivity and advanced security solutions. To answer the growing need for security and compliance solutions in an age of increasingly sophisticated cybersecurity threats, as well as complex information protection needs due to regulations like GDPR, Microsoft has now launched two new identity and compliance solutions, called Microsoft Identity & Threat Protection and Information Protection & Compliance, designed to provide customers with simpler purchase, deployment, and adoption. They are based on the Intelligent Security Graph, which continuously provides the latest information about cyber security attacks and so provides "up to date" security.