Bad Behavior at Work: Protecting Employees from Themselves

Written by

Historically, bad employee behavior would fall squarely into the responsibility of HR. But, like everything else in the 21st century office, questionable staff actions have also become digital, and so have the risks. The responsibility of mitigating these risks now lies not with HR, but with IT and security teams.

Looking to find out what employees are up to, we recently conducted a survey of 1000 UK adults asking if they had engaged in common online malpractice at work. We weren’t surprised to find that almost half (46%) openly admitted that they had.

Some confessions might be considered shocking. For example, one in ten admitted to visiting adult websites from a work device or using the work internet connection, and further 13% admitted to downloading or viewing pirated content.

The negative results from these activities are relatively obvious. At best, companies are losing valuable employee time; at worst, inappropriate content is making it into the office and onto computers, and the company could be held responsible. But perhaps the biggest risk is a security breach. Adult and pirate websites are often cesspools of malware and viruses, which employees are potentially bringing into the network.

Other confessions seem boring by comparison, but just as risky from a security perspective. For example, 25% said they use their work email account to access personal services, such as games, productivity apps, or social media. While this sounds comparatively harmless, this means employees are putting their work credentials into the wild.

As ever, the survey also exposed the risk of employees using shadow IT. One in five admitted to uploading confidential work documents to Dropbox, Box or Google Drive without permission. Beyond the usual “enterprise” offenders, even more people (22%) had shared work documents over personal chat applications such as WhatsApp, Telegram, or Facebook Messenger.

This might not turn the heads of many in the IT department, but what employees are doing with the files when they get there might. Eight percent said they’d accidentally shared a link to confidential files - most probably breaching data protection regulations. 

While these are some of the worst uses of shadow IT, the reality is there is often no malicious intention behind it at all - it’s simply in people’s nature to find the easiest way to get their job done, and often that won’t be the company approved app. Regardless of motive, it’s a gateway out of the building for your sensitive data and a way in for hackers, and security teams can't afford to leave those gates unlocked.

Whether it’s watching unsavory content at work, or simply sending sensitive information via WhatsApp, it is now the security team’s job to account for the whole spectrum of human fallibility. So what os the best tactic?

Blocking is the most obvious and most deployed tactic - many companies blacklist websites and applications over typically some but not all channels. However, as these results show, blacklisting enterprise applications has just pushed people to consumer equivalents, and the fringe sites employees go to are likely to be darker and more dangerous.

Only by using granular monitoring which gives security teams an understanding of each specific dangerous action that touches their data, such as sharing files or clicking links inside messages, and stopping these from happening can the problem be addressed.

Blanket blocking of Google, Microsoft, Dropbox or Box, is likely to be impractical. These services are so wildly used that users will almost certainly have a legitimate business need to download files from them that have been shared with them by a third party. Solutions need to allow download but prevent upload of files to anything other than the chosen sanctioned app.  

The desire to communicate is hardwired into humans, but with thought - and the deployment of appropriate technology - risk can be mitigated or avoided without impacting productivity or morale.

In short, companies have to make sure all the major bases are covered. This means communication channels – including email, web and cloud apps - are being monitored and controlled so that threats can be quickly identified and addressed.

While this survey may have confirmed all of a security team’s worst fears about what employees are getting up to at work, like an IT security equivalent of the grief cycle, acceptance is the first step in addressing this problem.

In order to protect against employee’s actions, businesses have to accept that this is what employees are doing, and be clever in watching them and bringing them into the fold. 

What’s hot on Infosecurity Magazine?