Today, many CISOs take a layered approach to security, with the overarching goal of protecting the confidentiality, integrity, and availability of their company's network and the data within it. While their intentions to protect their organization's security posture are in the right place, many overlook the most crucial element they must fortify: their employees.
When it comes to fortifying employees, CISOs primarily rely on periodic training and generic email-based phishing assessments. The biggest challenges with this approach are 1) irregular security awareness training sessions offer no measurable ROI beyond fulfilling a compliance mandate, and 2) generic assessments shared with all employees do not address the learning needs of each individual, which vary from person to person.
With the rise in remote work, these challenges, and the risks employees expose themselves to, become even more significant. In remote work environments, employees connect to company systems over the Internet to work online, and, often, employees use the same systems for both professional and personal work. At the same time, it has become more challenging for enterprises to limit access to specific websites. Studies have shown the severity of the issue: nearly half of the world's most-visited websites leave visitors open to potential dangers. Imposing restrictions on browsing often hinders creativity and innovation, so CISOs face the significant challenge of locking down risky internet browsing while maintaining open environments that keep employees productive and happy.
SecurityAdvisor recently analyzed more than half a million risky website visits by enterprise employees. The analysis revealed the top three risky online behaviors enterprise employees engage in: using peer-to-peer (P2P) software and private VPNs, visiting compromised websites, and watching pirated content. If we zero in on each behavior, it's easy to see the security risks posed:
Leveraging P2P Software and Private VPNs: Content is increasingly being monetized by popular newspapers, websites, and studios. Simultaneously, the number of tools that enable free access to content has also increased. Tools such as BitTorrent and Golden Frog allow users to share content, access content in restricted geographies, bypass paywalls, and download movies without being recognized. However, 38% of private VPNs contain malware, and 82% of private VPNs can read their clients' data, which can include corporate data in our remote world.
Visiting Compromised Websites: Cybercriminals are becoming increasingly adept at guiding employees to fake websites, often contacting their targets under the guise of needing to reset their passwords or re-enter confidential information for popular, well-known sites like PayPal. Many of these schemes lead their targets to fake webpages and ask them for their credentials, thereby stealing credit card or authentication data.
Streaming Pirated Content: Our data shows that 3% of users in a typical enterprise watch pirated content through sites like Putlocker, vidcloud, or 123movies. These sites are often hotbeds for malware and can even auto-install malicious software onto users' laptops with just one click.
As businesses make critical data available on cloud platforms to accommodate people working from anywhere, the vast majority of data breaches will continue to be caused by employees, however unintentionally. Rather than implementing productivity-inhibiting tools and processes, CISOs should instead understand which user behaviors are causing breaches, so that they can take proactive steps to address those threats and empower their employees to identify and remediate cyberattacks.
While each of these threats requires specialized guidance, CISOs can deliver personalized advice to each employee at the exact moment they visit a risky website. Leveraging technologies their organization already invests in, such as existing security and IT tools, HR systems, and Active Directory, provides data on an individual worker's risk profile, role, and awareness needs for personalized coaching.
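The mechanism described above, turning web-proxy data plus a directory lookup into a per-user risk profile and a just-in-time coaching message keyed on the three behaviors listed earlier, is sketched here as an added example; it is not SecurityAdvisor's code or product. The proxy log lines, the directory mapping, the marker substrings, the allowlist, and the hostname-lookalike normalization are all constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample proxy log (timestamp, user, destination host); not real traffic.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:12:04Z alice tracker.bittorrent-example.test
2024-03-01T09:15:30Z alice paypa1-account-verify.test
2024-03-01T10:02:11Z bob www.123movies-example.test
2024-03-01T10:05:45Z bob vidcloud-example.test
2024-03-01T11:20:00Z carol intranet.example.test
2024-03-01T11:22:13Z alice vpn.goldenfrog-example.test
"""

# Constructed stand-in for the HR / Active Directory lookup the article mentions.
DIRECTORY = {"alice": "finance", "bob": "engineering", "carol": "sales"}

# Hosts the company itself operates; checked first so the corporate VPN is never flagged.
CORPORATE_ALLOWLIST = {"intranet.example.test", "vpn.corp.example.test"}

# Hostname substrings indicating the P2P/private-VPN and pirated-streaming behaviors.
P2P_VPN_MARKERS = ("bittorrent", "torrent", "goldenfrog", "vpn")
PIRATED_MARKERS = ("putlocker", "vidcloud", "123movies")

# Brands whose login pages are commonly imitated, mapped to their legitimate domains.
PROTECTED_BRANDS = {"paypal": "paypal.com"}
# Digit-for-letter substitutions that lookalike hostnames commonly use (assumed set).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)(?:\s.*)?$")


def classify_host(host):
    """Return the risk category for a destination host, or None if none applies."""
    h = host.lower()
    if h in CORPORATE_ALLOWLIST:
        return None
    if any(m in h for m in PIRATED_MARKERS):
        return "pirated_streaming"
    if any(m in h for m in P2P_VPN_MARKERS):
        return "p2p_vpn"
    normalized = h.translate(HOMOGLYPHS)
    for brand, legit in PROTECTED_BRANDS.items():
        # The genuine domain (and its subdomains) is fine; a lookalike is not.
        if h == legit or h.endswith("." + legit):
            continue
        if brand in normalized:
            return "suspected_phishing"
    return None


def build_risk_profiles(log_text):
    """Parse proxy log lines and count risky visits per user and category."""
    profiles = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        category = classify_host(m.group("host"))
        if category:
            profiles[m.group("user")][category] += 1
    return {user: dict(counts) for user, counts in profiles.items()}


# One coaching message per behavior; the role tag lets a real system vary the wording.
COACHING = {
    "p2p_vpn": "P2P tools and private VPNs can expose company data to the provider; use the corporate VPN instead.",
    "pirated_streaming": "Streaming sites of this kind frequently serve malware; avoid them on company devices.",
    "suspected_phishing": "This site imitates a brand's login page; do not enter credentials, and report it.",
}


def coaching_message(user, category, directory=DIRECTORY):
    """Build the just-in-time message for a user, tagged with the role from the directory."""
    role = directory.get(user, "unknown role")
    return f"[{role}] {COACHING[category]}"


if __name__ == "__main__":
    for user, counts in build_risk_profiles(SAMPLE_PROXY_LOG).items():
        for category, n in counts.items():
            print(f"{user}: {n} visit(s) -> {coaching_message(user, category)}")
```

In a deployment the substring markers would be replaced by a maintained category feed from the web proxy or secure web gateway, and the allowlist check shown here matters: a bare "vpn" marker would otherwise flag the company's own VPN concentrator and erode employees' trust in the coaching.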
There are simply far too many different types of online risks for CISOs to continue to rely on traditional training. Armed with personalized coaching, CISOs can help employees internalize that their specific behaviors are risky and measurably reduce the number of risks they're bound to face.
About Sai Venkataraman
Sai Venkataraman has more than 12 years of cybersecurity experience, currently serving as co-founder and CEO of SecurityAdvisor. Previously, he was part of the executive management team at Fortscale, which RSA acquired. Before that, Sai worked as a director for product management at Intel Security/McAfee for cloud and data security.