The role of IT in defending against cyber-attacks is more difficult than ever. It becomes even more challenging when IT departments are forced to tackle the lack of willingness by employees to take precautionary steps against attacks, according to the latest results from the A10 Networks Application Intelligence Report (AIR).
Based on research involving more than 2,000 business and IT professionals at companies from various industries around the world, A10 AIR addresses the challenges IT decision makers face with the rise and complexity of cyberattacks, and the sometimes careless attitudes of employees who unwittingly introduce new threats into their businesses.
Employees Unknowingly Introducing Cyberthreats to Their Companies
The report revealed that employees often unknowingly weaken cybersecurity with the use of unsanctioned apps: one out of three (37 percent) of employees surveyed say they aren’t familiar with what a DDoS attack is, or even aware of how they could unknowingly become victimized.
This data is even more disturbing when almost half (48 percent) of IT leaders say they agree that their employees do not care about following security practices, according to the survey findings. It’s hard to protect someone who isn’t familiar with the warning signs associated with attacks – or willing to learn about them.
With often poor understanding of corporate security policies, this behavior increases the risks that come with a growing reliance on disparate and app-dependent workforces, especially when one third (30 percent) of employees surveyed knowingly use apps their companies forbid.
Of those who use non-sanctioned apps, more than half (51 percent) claim “everybody does it,” while one third (36 percent) say they believe their IT department doesn’t have the right to tell them what apps they can’t use.
Why use unsanctioned apps in the first place? One third (33 percent) of all respondents claim IT doesn’t give them the apps needed to get the job done.
But Who’s Responsible for App Security?
For employees who want to check sports scores or listen to streaming music at work, poorly designed apps with weak security could provide the backdoor for attackers to gain entry into the employee’s corporate network.
While the WireX botnet recently hijacked thousands of devices through seemingly harmless apps, it’s a frightening reminder that it only takes one app with weak security to infect a mobile device. More than half (55 percent) of employees surveyed say they expect the use of business apps to increase, meaning the odds also increase of these devices becoming part of a larger DDoS attack, which can bring entire businesses to a screeching halt.
But who is ultimately responsible to protect employees who used non-sanctioned apps at work? App developers, IT departments and end users are at odds over who is responsible for application security and best practices regarding the many apps on the phones of employees. With employees, responsibility is low: only two out of five (41 percent) claim ownership for the security and protection of non-business apps they use, AIR found.
And who is that “someone else” who should be protecting users’ apps in the workplace? Employees think security should be provided by the app developers (20 percent), service providers (17 percent) and their IT department (16 percent).
But if you ask IT decision-makers who is internally responsible, one third say the security team is most responsible for protecting employee’s identity and personal information, followed by the CIO or vice president (17 percent) of the company, and 15 percent state “the whole IT department.”
Employee Behavior toward the Use of Banned Apps or Sites at Work
It’s an accepted fact that companies can block apps and websites at work – 87 percent of respondents find this practice acceptable, and 85 percent would accept a position at a company that does so. However, only two thirds (61 percent) of employees cliaim their companies actually block specific sites or apps.
Additionally, 10 percent don’t know if the apps they use at work are banned or not, demonstrating a need for better communications from IT, and the survey backs this up: 88 percent of IT heads say employees need better education on best security practices.
Perceived Attitudes of Employees and Thoughts on Best Practices
What other ways are IT professionals reminding employees about best practices when it comes to security? Password policies are communicated to employees through email reminders (66 percent) followed by employee orientation (50 percent), internal meetings (48 percent), and communication from a manager (44 percent).
And when it comes to passwords, IT decision makers say their top recommended password policy is updating passwords regularly (76 percent), followed by choosing different passwords for different systems (59 percent), and two-factor or multi-factor authentication (53 percent).
But overall, what does IT need to do better protect their company? The biggest challenge noted by IT professionals is lack of corporate commitment to security policy and enforcement (29 percent).
But there is good news: although almost a quarter of IT decision-makers think there will be no improvement in security behavior at their company, 75 percent optimistically think there will be.
Frequency of Known – and Unknown – DDoS Attacks
When it comes to DDoS attacks, more than one third (38 percent) say their company has suffered an attack at least once over the past 12 months, with another 9 percent not aware if they’ve been attacked or not.
When projected across the entire industry, this presents an ominous trend, as nearly half of IT professionals have either been a victim of a DDoS attack or don’t know yet if they have been.
Additionally, 44 percent of the IT professionals surveyed expect DDoS attacks to increase within the next year – and 70 percent expect overall cyberattacks to increase or remain the same.
This data is consistent with a recent A10 Networks report that found the average company suffers 15 DDoS attacks per year, with an average attack causing at least 17 hours of effective downtime, including slowdowns, denied customer access or crashes. Attacks are also getting harder to defend against, with average peak bandwidths of 30 Gbps to 40 Gbps and many exceeding that mark.
Ransomware Reigns Larger Than Perceived
The diverse variety of cyberattacks is also cause for concern. On the topic of ransomware, almost one quarter (22 percent) of IT decision-makers say their company has been the victim at least once, and an additional quarter (26 percent) believe it is probable – but ultimately unknown – that their company has been a victim.
This equates to nearly half of the industry either having been victimized by ransomware, or not aware if they are already vulnerable to a looming attack.
Help for IT Professionals is On the Way
Perhaps as a direct correlation to the rise of these attacks, the survey revealed that 63 percent of IT professionals believe their overall IT and security budget will increase.
Additionally, one third (36 percent) of IT departments are looking to grow their security teams, as security is the top hiring focus, followed by the applications team, which participants expected to see a 17 percent increase in head count.
Still, optimism is fairly low: 41 percent of IT leaders are only slightly optimistic about their ability to stop threats and protect their company.
The A10 AIR Report
The intent of A10 Networks in commissioning the AIR research is to explore the interaction of employees with applications and the growing security implications that result personally and for businesses and their IT organizations. Earlier this year, AIR examined the rise in use of apps in our “blended lives,” blurring lines between work and personal business through use of apps at home and in the office.
AIR was commissioned by A10 Networks and conducted independently by strategic research firm Provoke Insights. It involves more than 2,000 business and IT professionals with the intent to provide education for organizations and their IT departments that can help them reassess corporate policies and ultimately protect their businesses – and their applications – by simply becoming more aware of the behavior of their employees.
The research was conducted in 10 countries, representing some of the world’s largest economies and fastest growing populations of technology adopters: Brazil, China, France, Germany, India, Japan, Singapore, South Korea, the United Kingdom and the United States.
The complete findings are available at www.a10networks.com/AIR.
About the Author
On Special Assignment to Cyber Defense Magazine for this report, Mohammed Al-Moneer is the Regional Director, MENA at A10 Networks. He is an experienced Regional Director with a demonstrated history of working in the Networking and Security industry. Skilled in Negotiation, Business Planning, Sales, Services, and Data Center. Strong sales professional with a HD focused in Electrical, Electronic from Damascuss University.