Employees are a company’s first line of defense against a breach. All it takes is one negligent staffer with bad password hygiene, or an unwary employee falling for a phishing scam, for attackers to gain a foothold in an organization’s infrastructure.
Weak passwords and phishing are two of the most popular attack vectors for cybercriminals, whether they are after the financial information of ordinary users or after sensitive data such as medical records that can be monetized through extortion or ransomware.
OpenVPN, the company behind the popular virtual private network application of the same name, recently conducted a study to assess employee cyber-hygiene and how it impacts corporate security strategies. It found that 25 percent of employees use the same password for everything (both work and personal accounts), and 23 percent very frequently click on links without verifying where they lead – one of the main reasons phishing is so successful.
“Cybersecurity breaches are a matter of ‘when’ not ‘if’, and organizations have to be ready to address hackers head-on. But with businesses so focused on external threats, they often overlook the role their own employees play in exposing vulnerabilities from inside an organization,” reads the report.
A more in-depth analysis revealed that employees create passwords they can easily remember, trading security for convenience. That tradeoff is exactly what attackers rely on: a memorable password is usually a dictionary word, name or date with a predictable suffix, so a guessing attack that walks a wordlist and applies common mangling rules (capitalize the first letter, append a number or a year, add a symbol) recovers it after thousands of guesses, not the trillions that an exhaustive search of every alphanumeric combination of the same length would require.
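To make the point above concrete, here is an added example (not code from the article or from the OpenVPN report) of a toy rule-based guesser. The sample passwords and the six-word wordlist are constructed for the demo; the hashing, rule set and year range are assumptions chosen to keep it small and self-contained. It hashes a few "memorable" passwords the way a stolen credential database would store them, then recovers each one from a wordlist plus mangling rules and compares the guess count with the exhaustive keyspace for a string of the same length.

```python
"""Added example: why 'memorable' passwords fall to rule-based guessing.

A cracker does not enumerate every alphanumeric permutation; it walks a
wordlist and applies mangling rules (capitalize, append a number, a year,
a symbol). Sample passwords and the wordlist below are constructed for the
demo and are not taken from the OpenVPN report.
"""
import hashlib
import string

# Constructed sample of human-chosen passwords. The cracker only sees their
# hashes, as an attacker holding a stolen credential database would.
# SHA-256 keeps the demo dependency-free; real systems should use a slow,
# salted KDF (bcrypt, scrypt or Argon2), which raises the cost of every
# guess but does not change the guess order shown here.
SAMPLE_PASSWORDS = ["password1", "Welcome123", "Summer2019!"]

# Constructed mini wordlist, ordered roughly by how common the base word is.
WORDLIST = ["password", "welcome", "summer", "winter", "qwerty", "letmein"]


def hash_pw(password: str) -> str:
    """Unsalted SHA-256 hex digest (demo only, see note above)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def candidates(words):
    """Yield guesses in the order a simple rule-based cracker would try them:
    each base word in three capitalisations, followed by a numeric suffix
    (none, 0-999, or a year 1950-2029) and an optional trailing symbol."""
    suffixes = [""] + [str(n) for n in range(1000)] + [str(y) for y in range(1950, 2030)]
    symbols = ["", "!", "@", "#", "$"]
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                for symbol in symbols:
                    yield base + suffix + symbol


def total_candidates(words) -> int:
    """Size of the rule-based search space for the given wordlist."""
    return len(words) * 3 * (1 + 1000 + 80) * 5


def crack(hashes, words):
    """Return {hash: (plaintext, guess_number)} for every hash recovered from
    the candidate stream; stops early once all targets are found."""
    remaining = set(hashes)
    recovered = {}
    for n, guess in enumerate(candidates(words), start=1):
        h = hash_pw(guess)
        if h in remaining:
            recovered[h] = (guess, n)
            remaining.discard(h)
            if not remaining:
                break
    return recovered


def brute_force_keyspace(length: int,
                         alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> int:
    """Guesses an exhaustive search over `alphabet` (94 printable ASCII
    characters by default) needs to cover every string of exactly `length`."""
    return len(alphabet) ** length


def demo():
    targets = [hash_pw(p) for p in SAMPLE_PASSWORDS]
    results = crack(targets, WORDLIST)
    for h in targets:
        plaintext, n = results[h]
        print(f"{plaintext:<12} recovered on guess {n:>6,} "
              f"(exhaustive search at this length: {brute_force_keyspace(len(plaintext)):.2e})")
    print(f"rule-based search space: {total_candidates(WORDLIST):,} guesses in total")


if __name__ == "__main__":
    demo()
```

Run it and all three passwords come back within a hundred thousand guesses, while an exhaustive search over 94 printable characters needs on the order of 10^21 attempts at eleven characters. The defender's lesson is the same one the report draws: length and policy complexity do not help when the password is built from a guessable word and a predictable suffix, whereas a randomly generated password from a manager has no wordlist to fall to.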
“Similarly, individuals who use the same password to protect multiple portals — like their bank account, email and social media — risk compromising both their personal and work information,” according to the report.
Some employers try to curb the effects of bad password hygiene by pushing biometric authentication onto employees, combining security with ease of use. The initiative is somewhat successful, with 77 percent of employees trusting biometric passwords, and 62 percent saying they believe this type of authentication is stronger than traditional alphanumeric codes. In practice, however, adoption is lagging: just 55 percent actually use biometric passwords.
Employers have a responsibility to teach their employees good cyber habits, just like parents teach their children healthy habits from a young age, according to the surveyors.
“Instead of employing fear tactics to scare employees off weak passwords and phishing schemes, employers should consider rewarding or acknowledging individuals who embrace good cyber strategies,” OpenVPN recommends. “When smart online habits become second nature, both employers and employees can better prevent hackers from taking advantage of otherwise stagnant security environments.”
Security experts agree that workers who are incentivized through positive feedback regarding their cybersecurity hygiene are less likely to shy away from security training.