A recent survey conducted by CyberArk reveals alarming trends in employee access behaviors in hybrid work environments across multiple countries. Here are some of the key points from the survey:
- Insecure Access: 80 percent of employees access critical workplace applications from personal devices that lack sufficient security. This poses significant risks to organizational data and security.
- Data Handling: 40 percent of employees routinely download customer data, and 30 percent have access to sensitive or financial information.
- Password Reuse: The widespread reuse of passwords is another major concern, with 49 percent of employees using the same passwords for multiple work apps and 36 percent for both personal and professional use.
- Bypassing Cybersecurity Policies: 65 percent of employees bypass cybersecurity policies, opting for workarounds like using personal devices for work-related tasks. This behavior further exacerbates security risks.
- AI Tools: The rise of AI tools in the workplace introduces additional vulnerabilities, with over 72 percent of employees using these tools without adhering to security guidelines.
https://hrsea.economictimes.indiatimes.com/amp/news/industry/80-of-employees-access-critical-apps-on-insecure-devices-survey-finds/115968759
Commentary
All of the employee access behaviors pose a risk. However, what stands out in the survey is the bypassing of cybersecurity policies.
When employees circumvent established security protocols, they expose the organization to various vulnerabilities. For example, when employees use personal devices or unauthorized applications for work-related tasks, they often lack the necessary security measures. This makes it easier for cybercriminals to exploit these devices and gain access to sensitive organizational data.
It also creates a heightened exposure to Business Email Compromise (BEC) attacks.
BEC attacks involve the unauthorized access and manipulation of business email accounts to deceive employees, customers, or partners into transferring funds or sensitive information. Established security protocols play a crucial role in protecting against these attacks.
- Multi-Factor Authentication (MFA): Protocols requiring MFA add an extra layer of security by requiring users to provide two or more verification factors to access their email accounts. This makes it more difficult for attackers to gain unauthorized access, even if they have obtained the user's password.
- Email Filtering and Monitoring: Protocols mandating advanced email filtering and monitoring can detect and block suspicious emails, including phishing attempts and emails with malicious attachments or links. These tools help prevent BEC attacks by identifying and stopping potentially harmful emails before they reach the recipient.
- Encryption: Protocols requiring encryption of email communications ensure that sensitive information is protected in transit. Even if an attacker intercepts the email, they will not be able to read the encrypted content without the decryption key.
- Dynamic Privilege Controls: Implementing dynamic, granular privilege controls ensures that employees have access only to the information they need. This reduces the risk of unauthorized access and limits the potential impact of a compromised email account.
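To make the email filtering and monitoring point concrete, here is an added example of the kind of heuristic check such a filter applies to inbound mail. It is illustrative code written for this commentary, not code from CyberArk, the linked article, or any mail-security product. The internal domain, the executive name list, the keyword lists and the two sample messages are all constructed for the example; a real deployment would draw the names and domains from the directory and combine these signals with sender authentication results (SPF, DKIM, DMARC) rather than rely on text heuristics alone.

```python
"""Heuristic BEC indicator scoring for inbound mail (added example).

Flags the traits that BEC messages commonly combine: a Reply-To that
redirects answers away from the apparent sender, an executive's display
name on an external address, a lookalike sender domain, and urgent
payment language. Scores two or more indicators as "quarantine".
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"            # assumption: the organization's own mail domain
EXECUTIVES = {"jane doe", "john smith"}    # assumption: display names commonly impersonated
PAYMENT_WORDS = ("wire", "transfer", "invoice", "payment", "gift card", "bank details")
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "confidential")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str, reference: str = INTERNAL_DOMAIN) -> bool:
    """True when `domain` differs from `reference` but is visually close to it
    (e.g. examp1e.com vs example.com). Uses a simple similarity ratio."""
    if not domain or domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= 0.8


def bec_indicators(raw: str) -> list[str]:
    """Return the BEC indicators found in one plain-text RFC 822 message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = (msg.get_payload(decode=False) or "").lower()   # samples are single-part text
    text = (msg.get("Subject", "") or "").lower() + " " + body
    sender_dom = _domain(sender)
    found = []

    if reply_to and _domain(reply_to) != sender_dom:
        found.append("reply-to domain differs from sender domain")
    if name.strip().lower() in EXECUTIVES and sender_dom != INTERNAL_DOMAIN:
        found.append("executive display name on external address")
    if lookalike(sender_dom):
        found.append(f"lookalike sender domain: {sender_dom}")
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        found.append("urgent payment request language")
    return found


def verdict(raw: str) -> str:
    """Map the indicator count to a filtering action."""
    hits = bec_indicators(raw)
    if len(hits) >= 2:
        return "quarantine"
    return "flag" if hits else "deliver"


# Constructed sample messages (not real mail).
SAMPLE_BEC = (
    'From: "Jane Doe" <jane.doe@examp1e.com>\n'
    "Reply-To: ceo.jane@freemail.example\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the wire transfer today and keep this confidential.\n"
)

SAMPLE_LEGIT = (
    'From: "IT Helpdesk" <helpdesk@example.com>\n'
    "Subject: Scheduled maintenance\n"
    "\n"
    "The mail server will be patched on Saturday; no action is needed.\n"
)

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, verdict(sample), bec_indicators(sample))
```

The scoring is deliberately simple so the logic is readable: each indicator on its own produces false positives (a genuine vendor may set a different Reply-To, and "wire" matches "wireless"), which is why the verdict only quarantines when several indicators coincide and otherwise flags the message for the monitoring side of the control.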
The final takeaway is that cybersecurity protocols are there for a reason. Organizations should strictly enforce those protocols to prevent attacks, including devastating BEC attacks.