The human fail factor – Wi-Fi and tech support
Two reports find that 83 per cent of security staff spend time fixing general IT issues, while the risks of C-level execs being targeted via Wi-Fi have been assessed…
A pair of new surveys have focused on the major common denominator in any IT security environment - the human factor. One survey found that the vast majority of IT security professionals say colleagues in other departments turn to them to fix personal computer problems, significantly cutting into their working effectiveness. In fact, 83 per cent reported this to be the case, with 80 per cent of those stating that it takes up more than an hour of their working week, which over a year could equate to more than $88,000.
In some organizations the drain is worse: eight per cent of the professionals surveyed were helping colleagues out for five hours a week, at a potential cost of more than $400,000. Organizations are potentially paying qualified security professionals salaries upwards of $100,000 a year and seeing up to 12.5 per cent of that investment (five hours of a 40-hour week) spent on non-security-related activities, according to the survey from FireMon.
While the dedicated security team is being diverted from its actual job, a second report has found that C-level executives are increasingly seen as the weakest link in the human security chain. In fact, four in ten organizations in the US and Western Europe believe C-level executives are the most at risk of cyber attack when working outside the corporate perimeter.
More than nine in ten (93 per cent) say they are worried about security, with 47 per cent saying they are "very" concerned (up from 36 per cent last year). As a result, more than two thirds (68 per cent) have banned employees from using public Wi-Fi "to some extent".
Almost a third (31 per cent) of businesses ban the use of public Wi-Fi at all times (up from 22 per cent in 2016), with a further 37 per cent banning it some of the time. A further 14 per cent of organizations plan to introduce a ban on public Wi-Fi hotspots in the future; this is down from 20 per cent in 2016, which suggests that many organizations have introduced a ban in the last 12 months. Highlighting regional trends, the report from iPass found that the UK is the most trusting of public Wi-Fi, with nearly two thirds of businesses (62 per cent) not currently banning hotspot use and 44 per cent saying they never plan to. In stark contrast, the corresponding figure is only 10 per cent in the U.S. and 8 per cent in Germany.
So, will banning public Wi-Fi make businesses safer? Clearly not entirely. It is reminiscent of a similarly desperate, anecdotal '90s response to the danger of infected USB sticks: gluing every USB port in the enterprise shut. Blocking one vector does nothing about the others.
Ilia Kolochenko, CEO of High-Tech Bridge, believes that the biggest security risk lies elsewhere within the organisation. "I think the biggest problem is inappropriate risk assessment, management and mitigation. Many organizations significantly underestimate the importance of web application security and still believe that web applications are 'just a front-end'. Another factor here is outdated or missing web application inventory - quite a lot of web applications are still running in production after the end of their life-cycle, opening doors to cyber gangs. Many of the largest data breaches and targeted attacks in the past years were conducted via abandoned, forgotten or flawed web applications."
While it is certainly true that giving high-level employees unfettered internet access on devices that are also trusted with enterprise data is a high-risk strategy, it seems more likely that an executive will inadvertently click a ransomware link in a carefully crafted email, or be hit by a targeted attack through their own (compromised) site, than be hacked over public Wi-Fi. Either way, the mitigation steps are the same. As Kolochenko has said before: "Companies spend millions on emerging security technologies, being partially misguided by market hype around new technologies, forgetting to mitigate the very basic and fundamental risks. Comprehensive and holistic risk assessment remains vital for every company regardless of its size, otherwise any spending on cybersecurity will be useless."
So, while humans may be the weakest link in the security chain, getting holistic risk assessment right throughout the enterprise will go furthest in mitigating that weakness - whether your real bugbear is the web application estate or public Wi-Fi.