Employees Bringing Increased Security Risks to the Workplace

September 8, 2016


Cyberattacks are more common and more destructive than ever before, forcing companies to invest in advanced security systems to combat the increasing threat of a data breach. And yet, despite companies’ best efforts to prevent an attack, cybercriminals are bypassing complex IT security measures and preying upon end users as their foothold into a company.

According to new research conducted by Arlington Research for OneLogin, a May 2016 survey of 1,022 respondents in the United States revealed that employees’ digital device practices are one of the ways attackers are gaining access to company information. The study found that 13 percent of U.S. employees allow their colleagues to use their company-assigned device that can access their employer’s network. This might sound benign, but access is typically restricted based on a person’s role in a company, so allowing your colleague to use your device potentially bypasses those restrictions. Even more worrisome, nine percent allow their partners to access their work device, and one percent even permit their children to use it.

Similarly, password-sharing has become a serious workplace issue. In fact, 20 percent of employees share their work email password and 12 percent share passwords to other work applications. Companies might have policies in place against this, but nearly half of all employees are unaware of any company policies around the sharing of work passwords.

The study also reveals that mobile device security is lax. One in five employees do not have any security software on their work devices, beyond what ships with the operating system. Accordingly, what employees do with their mobile devices, and how they do it, has a bigger impact on your company.

Here are three security initiatives that can help HR executives minimize the cyber risks brought on by employees’ careless device practices:

  • Roll out Multifactor Authentication (MFA): With 55 percent of employees accessing work applications outside of the office, employers need to use an MFA solution to ensure that the right people are accessing the right information. This type of authentication tool prompts employees to validate their identity by using their phone or “something they have” when logging into work applications or systems remotely.
  • Develop Digestible Security Policies: Create a security policy based on your organization’s security needs that your employees can understand and easily revisit. Your security policy should align with the company’s security needs while also being easy to digest for employees. In other words, if you have a 50-page policy just to tell employees that they should not share passwords, chances are they are going to fall into the statistic that had no idea there was a policy to begin with. Policies should be a reference that employees can refer to when in doubt and not something that gets presented to them during onboarding or only referred to once in the Employee Handbook.
  • Provide Awareness and Training: No matter how many policies you create, you can’t trust that employees are going to sit down and read them without your leadership. So how do you incentivize employees to actually read the company policies and pay attention during security awareness training sessions? Employees should be made aware of how their security habits impact the company, but they should also know how these same habits impact their personal lives. When employees understand how their actions have consequences on both their work and private lives, they will take security awareness training more seriously.

The increase in remote workers and the use of mobile devices to access corporate applications mean that companies cannot rely solely on perimeter security. Instead, HR executives should consider implementing MFA, enforcing reasonable company security policies, and generating awareness of how employees’ security practices impact the security of the entire organization. These measures will not guarantee there will not be more attacks, but they mitigate some of the risks brought on by your employees.



The Authors: 

Alvaro Hoyos is the chief information security officer for OneLogin, a leader in cloud identity management solutions, where he architects and leads the company’s risk management, security, and compliance efforts. He has more than 15 years in the IT sector. Prior to joining OneLogin, Hoyos helped startups, SMBs, and Fortune 500 companies with their security, compliance, and data privacy objectives. To learn more about Alvaro Hoyos and OneLogin, please visit: https://www.onelogin.com/. Twitter: @wherestherisk

Comments (1)



Well I really enjoyed reading it. This information procured by you is very practical for correct planning.