The old adage that no battle plan survives contact with the enemy is as true of cyber security as it is of any other discipline. While reaching for the ideal, companies often fall short of following best-in-class procedures 100% of the time. A newly released study by Centrify takes a look at the unique challenges, both external and internal, that IT Decision Makers face when trying to keep the corporate castle secure.
No One Is Listening
You could call IT Decision Makers the Cassandras of the office, always warning of disaster with no one listening. Among US respondents, nearly half said they had to fight management to get stricter security protocols in place, and over 40% were denied. The figures for UK respondents are lower but tell the same story: 30% and 27% respectively.
But even when stricter protocols are in place, IT Decision Makers worry that they can't mitigate every potential threat. While a hack from outsiders tops their list of worries, they are equally concerned about lost devices, accidental breaches, and disgruntled employees causing damage. Yet employees are more likely to hear about free food in the lunch room or kitchen etiquette than about security protocols.
No One Is Checking
Even when the protocols are in place, the will to follow them is sometimes lacking. Ease of use often trumps best practice. Would it shock you to hear that some IT Decision Makers share credentials with contractors more than 50% of the time? Those same Decision Makers nevertheless worry that too many people within their own company have too much access to sensitive files and passwords.
Worse, while they are cognizant of the need to remove access from ex-employees, this step isn't always taken quickly. Over 50% of US respondents said it would be easy for a former employee to gain access, and half also said it can take up to a week to revoke critical access. This is backed up by another survey, this time of ex-employees, who said they still had access to vital files, logins and data after they left the company, sometimes for weeks or months afterwards.
Why They’re Right To Worry
A combination of lax protocols puts data and companies at risk. When surveyed about what damage their companies had taken, more than 50% of US IT Decision Makers admitted they'd had a breach, and over 40% said the breaches cost millions of dollars. The data potentially compromised ranges from clients' financial information to employee records. Yet the most common means of account protection is regular password updates (hardly a strong control on its own), and very few, 14%, use biometric methods.
And don't discount the damage a disgruntled ex-employee can do. The FBI has warned companies of the risk disgruntled workers pose. One of the most famous examples is Ricky Joe Mitchell, who trashed his former employer EnerVest: accessing its systems without authorization, he took down the company phone system, accounting data and information-validation systems, leaving the company offline for a month. This was right before Home Depot hired him (and look how that turned out). Mitchell isn't a one-off, either. To pull two more cases from the headlines, insiders have been suspected in both the Sony and the Ashley Madison hacks, but you don't have to be a big company to be targeted. Back in 2010, a disgruntled ex-employee of Texas Auto Center remotely disabled 100 cars after being fired. Unmonitored accounts are open doors to ex-employees and external hackers alike.
Is It Any Wonder?
One of the statistics from the survey that's getting a lot of press is that 28% of US and 14% of UK IT Decision Makers would become a hacker for less than $2,000/£2,000. But it's important to provide the framing question that goes along with that statistic: "Let's say you are 18 again – how much money would persuade you to go to the dark side and become a hacker?" It's better to take heart that roughly 50% of both US and UK respondents said no amount of money would have convinced them to turn hacker back then, and probably not now either.
The takeaway from Centrify's survey is that IT Decision Makers are performing triage as best they can with the tools at hand, but they deserve better tools and better support from their companies. Security that works, that protects companies and their data, both their own and their clients', has to be an across-the-board practice, backed by best practices and the best tools available.