A Microsoft cyber security survey has revealed that, despite the focus on hackers and other ‘bad actors’, employees are the real risk to organisations’ security. According to the new report, lax working habits, mobility, portable devices, and poor awareness of policy all heighten the risk of data breaches.

With the EU’s General Data Protection Regulation (GDPR) now in force, the financial penalties for privacy breaches and data loss can be severe – up to four percent of turnover, not to mention the risk of damage to reputations and customer trust. As a result, many organisations are investing in new technologies to shore up the enterprise.

However, a new Microsoft research study among over 700 employees in medium to large public and private organisations in Ireland reveals that poor habits increase the risk of data breaches and security risks.

Microsoft commissioned Amarach Research to investigate the security cultures in organisations and understand how employees access and use sensitive data. The survey also looked at what gaps are emerging that could be exploited by hackers or lead to a data breach.

It found that 44 percent of public and private sector employees in Ireland have experienced problems with phishing, hacking, cyber fraud, and other attacks. This does not include cyber attacks that were caught by their company’s own security measures.

Passwords are a particular weakness, according to the survey. Many employees are using the same weak passwords across dozens of different accounts in their work and home lives, making any stolen credentials lucrative to criminals.

Twenty-two percent admitted to writing down their passwords, while 40 percent recycle their work passwords, and 44 percent recycle their personal ones. In total, only 16 percent of employees have updated their passwords in the last 12 months in line with their employer’s policies.

To resolve these problems, 60 percent of the employees surveyed would welcome biometric verification as an alternative, said Microsoft.

Half of employees prefer using their personal or home devices for work, but nearly one-quarter (24 percent) of those working from home have accidentally shared work-related material with friends and family, found the survey.

Using personal devices can increase risky employee behaviour, such as downloading work documents to mobile devices, leaving sensitive data outside of the sight and control of the organisation – but still covered by GDPR.

Fifty-six percent of respondents work from home regularly or periodically. Nearly half (49 percent) of those doing so at least once a week use personal email accounts for saving, editing, sending, or sharing work-related documents. Meanwhile, one-third of respondents use personal accounts for work-related or customer information storage, risking GDPR violations when leaving the organisation.

Thirty-six percent have plugged a non-work USB drive or other portable data device into a work computer, risking serious data or intellectual property loss – either through the device being compromised, or by losing the drive or leaving it on a desk or in a public place.

Microsoft says that 81 percent of major data breaches last year could be traced to employees plugging in non-work thumb drives, back-up drives, or smartphones that didn’t belong to them into work computers.

“The most common and least detected sources of data breaches are compromised identities,” said Des Ryan, Microsoft Ireland Solutions Director.

“We see needless security risks created by employees who are unaware or are working from older devices or older versions of Windows. For example, those who are working in a public Wi-Fi spot who do not have the latest security measures or hardware and are, in effect, broadcasting sensitive data that can be picked up by a hacker.”

His comments are of particular note in the wake of the 2017 WannaCry ransomware attack, which spread through the use of non-updated or patched operating systems, such as Windows 7 and 8.1.
However, some problems are down to organisations’ lack of coordinated management, found the survey. Forty-six percent of respondents said they had received no security training in the last 12 months, and while one in five respondents claim their devices are updated regularly, they aren’t shown how to use the new technology.

So what can organisations do to manage their internal security better?

Top 10 tips to protect your organisation

  1. Training: Ensure consistent training keeps all employees up to date on the latest cyber threats – and their role in keeping critical data safe across work and home devices.
  2. Beware of phishing: Open emailed links only from trusted sources. The same principle applies to responding to information requests.
  3. Beef up your passwords and consider biometrics. Go long – longer passwords are harder to crack – and mix it up with a hard-to-guess combination of upper- and lower-case letters, numerals, and special characters.
  4. Password-protect everything: Anything connected to the Internet is a potential entry point. That includes all employee phones, tablets, and laptops. Multi-factor authentication is best.
  5. Keep software up to date: Older devices and software, especially if they’re no longer receiving security updates, can be vulnerable. Install updates and keep applications fresh.
  6. Keep data safe in the cloud: Making backups behind firewalls with a trusted cloud provider is both smart and surprisingly affordable”, claimed Microsoft.
  7. Take GDPR seriously: Get serious about personal data. Ensure you have robust data-protection policies and training on GDPR, to ensure that everyone in the organisation understands their responsibilities.
  8. Plan device refreshes and updates: Adopt a top-down approach to new staff equipment to ensure that you are updating devices on a consistent basis. This helps to ensure that no device gets too old or is left unprotected.
  9. Encrypt all devices: In Windows, ensure BitLocker is turned on to ensure sensitive data is fully protected in the event of device theft.
  10. Be paranoid about personal devices: Create and enforce a robust BYOD policy, including for back-up drives, and enforce it across every level of the organisation.

Be part of a discussion and connect with like-minded leaders in your sector at our exclusive event series on banking and RegTech.