Global Research Finds Corporate Networks are Vulnerable to Cyberattacks Because Of Hidden Threats and Careless Employee Behavior with Apps
February 2018 by Marc Jacob
The role of IT in defending against cyber attacks is more difficult than ever, with more sophisticated attacks on the rise – and in some cases, attackers have infiltrated corporate networks without IT knowing. But even more concerning to IT departments in defending against attacks is the lack of willingness by employees to take precautionary steps against them, according to the latest results from the A10 Networks Application Intelligence Report (AIR).
The A10 AIR report examines the interaction with applications and the growing security implications that result personally and for businesses and their IT organizations. AIR previously examined the rise in use of apps in our “blended lives,” blurring lines between work and personal business through use of apps at home and in the office.
In contrast to the previous report that looked at the consumer impact of apps in the workforce, today’s announcement addresses the challenges of IT decision makers who are faced with the rise and complexity of cyber attacks, and the sometimes careless attitudes of employees who unwittingly introduce new threats to their businesses. This data is even more disturbing with metrics that found almost half (48 percent) of IT leaders say they agree their employees do not care about following security practices.
Frequency of Known – and Unknown – Cybersecurity Attacks
The report also interviewed IT decision makers about their efforts to defend their corporate networks, users and applications against cybersecurity attacks, finding that half (47 percent) said their company has suffered a data breach at least once.
When it comes to DDoS attacks, more than one third (38 percent) say their company has suffered an attack at least once over the past 12 months, with another 9 percent not aware if they’ve been attacked or not. When projected across the entire industry, this presents an ominous trend, as nearly half of IT professionals have either been a victim of a DDoS attack or don’t know yet if they have been.
As IT defenders are faced with the increasing sophistication of adversaries who are responsible for the size and frequency of these attacks, 44 percent of the IT professionals surveyed in the report expect DDoS attacks to increase over the next year – and 70 percent expect overall cyberattacks to increase or remain the same.
However, one out of three (37 percent) employees surveyed say they aren’t familiar with what a DDoS attack is – with 11 percent not knowing if they’ve been victimized themselves – which makes it hard to protect someone when they aren’t familiar with the dangers or how to prevent attacks in the first place.
The diverse variety of cyberattacks is also cause for concern. On the topic of ransomware, almost one quarter (22 percent) of IT decision-makers say their company has been the victim at least once, and an additional quarter (26 percent) believe it is probable – but ultimately unknown – that their company has been a victim. This equates to nearly half of the industry either having been victimized by ransomware, or not aware if they are already vulnerable to a looming attack.
Help for IT Professionals is On the Way
Perhaps as a direct correlation to the rise of these attacks, the survey revealed that 63 percent of IT professionals expect their overall IT and security budget to increase. Additionally, one third (36 percent) of IT departments are looking to grow their security teams, making security the top hiring focus, followed by the applications team, where participants expected to see a 17 percent increase in head count.
Who’s Responsible for App Security?
More than half (55 percent) of employees expect the use of business apps to increase, raising the odds that the devices running them may become part of a larger DDoS attack, which can bring entire businesses to a screeching halt.
But who is ultimately responsible for protecting employees who use non-sanctioned apps at work? App developers, IT departments and end users are at odds over who is responsible for application security and best practices regarding the many apps on the phones of employees. Among employees, the sense of responsibility is low: only two out of five (41 percent) claim ownership of the security and protection of the non-business apps they use.
And who is that “someone else” who should be protecting users’ apps in the workplace? Employees think security should be provided by the app developers (20 percent), service providers (17 percent) and their IT department (16 percent).
But if you ask IT decision-makers who is internally responsible, one third say the security team is most responsible for protecting employees’ identity and personal information, followed by the CIO or VP (17 percent) of the company, and 15 percent state “the whole IT department.”
Additional AIR findings include:
Employee Behavior toward the Use of Banned Apps or Sites at Work
• It’s an accepted fact that companies can block apps and websites at work – 85 percent of employees find this practice acceptable, and 85 percent would accept a job that does so.
• However, only two thirds (61 percent) of employees claim their companies actually block specific sites or apps.
• One third (30 percent) of employees surveyed knowingly use non-sanctioned apps.
• 10 percent don’t know if the apps they use at work are banned or not.
• Of those who use non-sanctioned apps, over half (51 percent) claim “everybody does it,” while one third (36 percent) believe their IT department doesn’t have the right to tell them what apps they can’t use.
• One third (33 percent) claim IT doesn’t give them the apps needed to get the job done.
Perceived Attitudes of Employees and Thoughts on Best Practices
• Almost a quarter (23%) of IT decision-makers think there will be no improvement in security behavior at their company, but 75 percent think optimistically that there will be.
• 88 percent of IT heads say employees need better education on best security practices.
• IT decision makers say their top recommended password policy is updating passwords regularly (76 percent) followed by choosing different passwords for different systems (59 percent), and two-factor or multi-factor authentication (53 percent).
• Password policies are communicated to employees through email reminders (66 percent) followed by employee orientation (50 percent), internal meetings (48 percent), and communication from a manager (44 percent).
Challenges and Needs of IT
• When protecting their company, the biggest challenge noted by IT professionals is lack of corporate commitment to policy and enforcement (29 percent).
• Forty-one percent of IT leaders are only slightly optimistic about their ability to stop threats and protect their company.
This data is consistent with a recent A10 Networks report that found the average company suffers 15 DDoS attacks per year, with average attacks causing at least 17 hours of effective downtime, including slowdowns, denied customer access or crashes. Attacks are also getting harder to defend against, with average peak bandwidths of 30 to 40 gigabits per second (Gbps) and many exceeding that mark.
Mohammed Al-Moneer, Regional Director, MENA at A10 Networks says, “A10’s AIR report shows how employees too often unknowingly weaken cybersecurity and the use of unsanctioned apps. With often poor understanding of corporate security policies, this behavior increases the risks that come with a growing reliance on disparate and app-dependent workforces.”