Poor Security Habits Plague Large Enterprises

Despite being ripe targets for cybercriminals, most large enterprises lack control over employee data access and follow weak password practices. 

According to Preempt’s survey of 200 management-level professionals at organizations with 1,000 employees, employees have more access than they should. A quarter (25%) of employees have tried to access data at work that they weren’t supposed to. Of those 25%, nearly 60% were successful at accessing that data.

“The prevalence of successful attempts to access off-limits data and resources is startling and should be a major concern for IT security teams,” the firm said in the report. “The data exposed can put a company and its employees at significant risk of damage to business operations and reputations. Businesses should be able to better assess employee risk factors which can change over the course of their employment. For IT security these results point to a growing need for being able to better understand how to assess trust and risk of employees.”

A large majority of workers also have poor security habits. One out of every three employees admits to having bent the rules or found a security workaround in order to get something done for work, with more than 10% of respondents having done so regularly or on multiple occasions.

In addition, nearly 41% of employees use the same password for both personal and work accounts, and 20% of employees are aware that their passwords were compromised in a breach. Even so, 56% claim they only changed their passwords for the account that was breached.

Meanwhile, more than a third of employees had no clue whether their username or password had been exposed in a public breach.

“This shows that many people either don’t care or don’t know how to find out if their username and passwords were compromised in a breach,” the report said. “If an employee is using the same password for personal and business accounts and it was exposed in a breach, the organization is at risk. The password is listed in a database known to hackers and could be used in a breach attempt. The 'weak' password puts the enterprise at risk until it is changed.”

Despite the bad behavior, when asked how they rate their personal IT security health awareness and maintenance compared to the rest of their colleagues, 41% rated themselves in the top 25% of their organization, and half rated themselves in the 25-75% range. Only 9% admitted they were below average, in the bottom 25% of their organization.

“The results of the survey clearly show that employees don’t completely understand their work habits and decisions put their organization (and themselves) at risk,” Preempt said. “Having overconfidence can lead to greater risks. When employees don’t understand that their behaviors and habits are risky, they aren’t likely to change them. This leaves the burden on IT security to pick up the slack. Gaining a better understanding of identity, behavior, and risk, can help IT be more proactive at preventing threats, enforcing policies, securing access and finding areas to reduce risk.”
