
From password reuse to fear of punishment, Arctic Wolf’s Nick Dyer breaks down the biggest threats to an organisation’s cyber security culture.

Last month, cyber security company Arctic Wolf released a report that examined organizations’ workforce behaviors and trends regarding cyber hygiene.

Conducting a global survey with Sapio Research of more than 1,500 senior IT and security decision makers and end users (whose roles varied from senior and middle management to departments such as finance, HR, legal and marketing) from more than 16 countries, Arctic Wolf has published some surprising statistics regarding the cyber security practices of employees and, in particular, IT teams.

One striking statistic reported by Arctic Wolf found that 80pc of IT and cyber security leaders were confident their organization will not fall for a phishing attack – despite 64pc of that same cohort admitting to clicking on potential phishing links at least once. While 43pc of end users said they clicked on a phishing link, the report notes that end users are less likely to realize they’ve done so, or that more IT and security leaders are being targeted.

Meanwhile, in one of the report’s most disturbing findings, 68% of IT and cyber security leaders surveyed admitted to reusing system passwords, while 64% of end users admitted to the practice.

“It’s a worrying oxymoron,” says Nick Dyer, Arctic Wolf’s UK and Ireland sales engineering director. “IT and cyber leaders are trusted guardians of their organization’s critical data, devices and services. They are responsible for protecting and isolating the critical elements that make the organization what it is, often through privileged access or give them a raise on those business-critical components.

“Time to discover that a significant portion of those same key decision makers are reusing passwords from key internal websites to external third-party sites – potentially subject to third-party website leaks allowing threat actors to easily reuse those credentials – a compromise. The organization’s security situation is the proverbial first hurdle.”

Nick Dyer. Image: Arctic Wolf

According to Dyer, credentialed password theft, “brute force” and password reuse are often the easiest ways for threat actors to gain access, exfiltrate confidential data and perform human manipulation for monetary gains.

“It’s no coincidence that in our report, 65% of those who suffered four breaches in the last 12 months said they are also reusing passwords.”

Support the workforce

With troubling statistics like these, how can organizations remedy poor cyber hygiene in their workforce?

Dyer says, firstly, that all employees (not just those within IT) should have a positive security culture with “well understood” policies and plans in place. He stresses that a “sensible line” should be drawn between “the rigor of these policies and the art of doing business”, as the two can often be at odds with each other and implementation can result in shadow IT – that is, any software or IT resource used without the knowledge or approval of the IT department.

In terms of education, Dyer says there should be an ongoing program of awareness and reinforcement education to stay up to date with the “cat and mouse” structure of cyber threats and cyber defense, as threat actors’ tactics, techniques and procedures “progress at a rapid rate”.

“Based on this acceleration, educational content that was curated six or 12 months ago is already out of date,” he says. “This means that much of the content being deployed to user communities today is out of date and usually not protecting against the latest threats facing the organization.”

‘The workforce is our greatest asset in the fight against cybercrime when empowered to do the right things’

Fear of punishment

As well as promoting policies and education, Dyer says an important task at hand is building trust across the entire company to raise the alarm if something suspicious happens without fear of punishment.

According to the report, 5 computer end users said they were not comfortable reporting cyber security incidents or suspicious activity. When asked why, 45% of this cohort said they were worried it would affect their employment.

This concern appears to be justified, as only 34pc of IT and security leaders said they would terminate an employee who had fallen victim to a scam such as phishing, and 27pc had seen an employee terminated for that reason.

“If end users withhold potentially important information or hesitate/not notice something suspicious due to fear of retribution, it is nearly impossible to detect, respond to and recover from a remote cyber incident,” says Dyer. “This not only slows down the ability to respond, but increases the damage done by the attack beyond the original blast arc.”

The report seems to show a disconnect on this topic, as 85% of IT leaders think employees feel comfortable reporting security incidents – while only 77% of end users do.

To build a positive security culture, Dyer says the pillars of effective communication are needed, along with two-way trust and a sense of responsibility for all stakeholders.

“IT and cyber leaders need to step out of their comfort zone and over-communicate across the organization, using language and terminology that relates to end users – not technical staff with deep IT literacy – as well as provide context as to why a risk exists and how a security measure is implemented to prevent it.

“Continuously including the end user in the discussion, from their perspective, is powerful.”

Beyond communication, Dyer says trust can be built by establishing open lines for support, feedback or reporting incidents without fear of reprimand or blame. “And if there’s a security win – publish it and get it out there for all to see and hear – make cyber best practices a celebration.”

Labor force measures

Reflecting on the disconnect between IT and end users, Dyer says that “there will always be a difference between the two classes of employees”.

“IT is a fundamental core dependency to allow end users to fulfill their roles to the best of their ability – delivered as a service that they use as customers,” he says. “Users want to achieve and excel at their jobs, and IT constraints can be a negative barrier to doing so.”

He says that users rarely consciously want to compromise an organization’s security, and that incompetence in security hygiene is due to a lack of investment, awareness, involvement or reinforcement.

“It’s up to IT leaders to fill that gap [and] partner with their respective peers to build a positive culture of security awareness where employees feel empowered to speak up if something doesn’t look right and to believe in the mission to effectively secure the organization from the evolving world of external and internal threats.”

And to build that culture, Dyer has some advice, such as making policies that are clearly defined and easy to use, letting employees do their jobs using technology as much as they can (with an understanding of their guardrails) and guiding them on what to do if something suspicious happens.

In terms of resources, he says organizations should implement technology such as password managers and multi-factor authentication, and allow users to have personal licenses to use in their home life – which discourages copying passwords from work to home.

“Ultimately, cyber security needs to be a top-down and bottom-up approach. A comprehensive, positive security culture only exists when leaders and the board buy in, and are speaking the same language about business security when IT leaders are not in the room.

“The workforce is our greatest asset in the fight against cybercrime when they are empowered to do the right things.”
