Recipe for a Breach: Uncontrolled Employee Access + Poor Security Habits Employee Security Habits Reveal Risky Imbalance

Transcription

1 Survey Report Recipe for a Breach: Uncontrolled Employee Access + Poor Security Habits Employee Security Habits Reveal Risky Imbalance November 2017

2 INTRODUCTION When thinking of insider threats, we often think of the malicious insider the person who purposely causes harm to an organization whether by sabotage or stealing information for personal gain. But this malicious insider is only a small percentage of the total Insider Threat. The everyday employee is causing much more risk than many companies realize. The threat comes from employees at every level in the organization. And it goes beyond users continuing to click on phishing links even though they should know by now that its a bad idea. Human nature motivates us to enhance productivity, make things easy, find workarounds and to crave information that is being kept from us. How do these motivations change the way people work? Do they know they are putting their company at risk? Do IT Security teams need to understand basic psychology to protect their organizations? A survey commissioned by Preempt revealed some startling insights. The survey explored current employee IT security behaviors and habits. These findings are based on a survey of 203 independently identified enterprise employees in a management or higher role. All work at companies with over 1000 employees. Questions were asked on range of subjects including use of passwords, whether their credentials were exposed in a breach, bending the rules to get things done and accessing restricted data. The result? Employees have more access than they should and a large majority of them have poor security habits even when they think they don t. This combination is dangerous to organizations because it leaves their business exposed. 1

3 KEY FINDINGS Employees Look for Shortcuts and Find More than They Should. Employees Have Poor IT Security Habits and Awareness. Employees are Overconfident in Their Security Habits. 1 out of every 3 employees admit to having bent the rules or found a security workaround in order to get something done for work with more than 10 percent of respondents having done so regularly or on multiple occasions. 25 percent of employees have tried to access data at work that they weren t supposed to. Of those 25 percent, close to 60 percent were successful at accessing that data. 41 percent of employees use the same passwords for personal and business accounts Nearly 80 percent don t know or aren t sure if their username and password were exposed in a breach. Of the nearly 20 percent that did know their username and password were exposed in a recent breach, 63 percent claim they only changed their password for the account that was breached showing they are not aware of the full consequences of a password leak. Over 90 percent of all employees have weak password update practices. Nearly 25 percent of respondents confirm there are accounts in their office or group where multiple users share a username and password. 41 percent rate themselves in the top 25 percent in their organization when it comes to security awareness proving a large portion of employees think they are much more security aware than they really are. 2

4 FINDINGS IN DEPTH: Employees Look for Shortcuts and Find More Than They Should Bending the Rules is Commonplace Among all survey participants, it was found that approximately one out of every 3 employees has bent the rules or found some kind of security workaround in order to get something done at work. While only 3.9% of respondents say that they regularly do this, another 7.4% have done it on multiple occasions and 22.7% say they have done it once or twice. Have you ever bent the rules or found a security workaround in order to get something done at work? Clever people will find ways around things. By nature, humans like to take the easy way out. Work smarter, not harder is a common mantra. Essentially these employees are internal hackers who poke holes at things in order to find a way to do their tasks faster. They may not be acting maliciously, but they are showing how exposed organizations are in terms of lacking proper security controls. 3

5 Organizations Have More People Snooping Than They Think 1 out of every 4 employees has been curious and tried to access data at work (files, applications, other) that they were not supposed to and/or did not have privileges for. Organizations inherently trust their employees. However, at some point just about everyone has wanted to see the forbidden. Motivation to see blocked or privileged information can be driven by many factors: finding out what a colleague is getting paid, learning more about that closed door meeting that they weren t invited to, wondering what their boss is working on, or getting access to any myriad of sensitive company information. And for some this curiosity could be very costly. Even if they aren t doing it for purely malicious intent, they know what they are doing is wrong and if caught, it could be damaging to their reputation or career. For IT Security teams, it shows the importance of being able to ensure secure access to data, applications and other sensitive resources. Have you ever been curious and tried to access data at work (files, applications, other) that you weren t supposed to and/or didn t have privileges for? Snoops are Highly Successful Those same 25% who said that tried to access data that they weren t supposed to were asked if they were ever successful in obtaining it. A whopping 58.8% answered that yes, they were successful at accessing the data they weren t supposed to. The prevalence of successful attempts to access off-limits data and resources is startling and should be a major concern for IT Security teams. The data exposed can put a company and its employees at significant risk of damage to business operations and reputations. Businesses to be able to better assess employee risk factors which can change over the course of their employment. For IT Security these results point to a growing need for being able to better understand how to assess trust and risk of employees and having real-time adaptive access controls to ensure data is protected. Were you ever successful at accessing the data you weren t supposed to? 4

6 FINDINGS IN DEPTH: Employees Have Poor IT Security Habits and Awareness Password Laziness is Prevalent When survey respondents were asked if they use the same passwords for both work and personal accounts, 29.1% said yes, 12.3% said sometimes and 58.6% said no. For many employees, keeping track of a lot of different passwords is annoyingly difficult. So to make things easier, they use the same password for everything. This means that hackers can easily take over many accounts once they have obtained a single set of login credentials. Do you use the same passwords for both work and personal accounts? Many Employees Not Sure if Their Password was Exposed in a Breach Of those who were asked if they knew if their username and password was exposed in a public breach (eg. Yahoo!, LinkedIn, Equifax, other), 37% said they weren t sure. 20% said yes, they were and 42% said no, their username and password were not exposed. More than a third of employees had no clue if their username or password was exposed in a public breach. This shows that many people either don t care or don t know how to find out if their username and passwords were compromised in a breach. If an employee is using the same password for personal and business accounts and it was exposed in a breach, the organization is at risk. The password is listed in a database known to hackers and could be used in a breach attempt. The weak password puts the enterprise at risk until it is changed. Do you know if your username and password were exposed in a public breach? (eg. Yahoo!, LinkedIn, Equifax, other) 5

7 Employees Don t Know the Impact of Stolen Credentials in a Breach It is evident from this report that employees don t have a clear understanding of the impact of how their breached password can put other accounts they have at risk, and what the impact might be for their employer. Survey respondents whose passwords were exposed in a breach were asked if they updated their password at the affected site only, updated their work accounts, or updated all of their accounts. Alarmingly, 63% only changed the password where it was breached and 37% changed the password everywhere it was used. Employees obviously still lack understanding of how a breach of their password can do harm in a broader sense. Many seem to believe that all they need to do is change the password in the breached account and they are safe. They don t realize that the breached password is now publicly available and can be used in other attacks and attempts to breach them (or their company s network) through their other accounts. Because so many employees use the same passwords for work and personal accounts, the enterprise is endangered by their lack of security awareness. For IT security teams being able to proactively find weak passwords is a high priority. If you used the same password that was exposed in a public breach for work-related accounts, did you update your password only for where it was breached or for those work-related accounts as well? 6

8 Poor Password Practices Abound When asked about practices for updating passwords, 46.8% said they use a variation of a current password (changing a letter, character, etc), 45.3% say they pick something more complex and write it down somewhere, 4% use a password manager and 3% say they use a sentence or a phrase. Simple changes to passwords rarely reduce the overall risk to an organization. A simple change of characters, letters or adding a number (password1) is a notoriously weak password habit that is easily cracked by attackers. Another worrisome finding is that those that do choose something more complex also write it down. This often means that it s written on a sticky note and posted on their monitor or the wall in front of their computer, or taped to the monitor. This habit is widespread and it raises the chances of accounts being compromised internally. Someone walking by can simply copy down or take a photo of the password and have access. For IT Security teams, given that people have such poor password hygiene, it is extremely important to be more proactive about identifying and rejecting weak passwords. Forcing regular password changes for everyone has become ineffective. NIST has reset their recommendations admitting that complexity doesn t really matter any more. If a complex password was in a breach, it can be just as easily cracked. A password should be reset not based on some arbitrary time frame, but rather based on real-world evidence that it has been compromised. So finding better ways to identify the weak passwords in realtime and enforcing contextual password updates when they are actually needed will be more effective. When you update your password, do you use multiple variations of the same passwords (changing a letter, character, etc.) or do you pick something very different/more complex? 7

9 Shared Accounts are Prevalent in the workplace 25% of people surveyed confirmed there are accounts in their office shared by muliple employees (i.e., the account s username and password are used by multiple people). Shared accounts have two major security risks. First, sharing accounts makes monitoring and tracking usage extremely difficult because you may have multiple people logging in at the same time from different locations and different devices. If there is a threat to the account, it makes it very difficult to prevent the threat or to investigate incidents because the behavior starts to look normal. The second is around the shared password itself. If multiple people are sharing the account, it makes updating passwords difficult and you can t guarantee that passwords are kept secure if there are multiple people who know what it is. In these cases, passwords rarely change making the shared credentials a tasty target for an attacker. For IT Security, reducing and eliminating shared accounts or setting policies for restricting access can reduce or close off this risk. Are there accounts in your office or group where multiple users share a username and password? 8

10 FINDINGS IN DEPTH: Employees are Overconfident in Their Security Habits Employee Security Practices Remain Low, Yet Confidence is High When asked how they rate their personal IT security health awareness and maintenance compared to the rest of their colleagues, 40.9% rated themselves in the top 25% of their organization, 49.8 rated themselves as average in the 25-75% range and 9.4% admitted they were below average in the bottom 25% of their organization. The results of the survey clearly show that employees don t completely understand their work habits and decisions put their organization (and themselves) at risk. Having overconfidence can lead to greater risks. When employees don t understand that their behaviors and habits are risky, they aren t likely to change them. This leaves the burden on IT Security to pick up the slack. Gaining a better understanding of identity, behavior, and risk, can help IT be more proactive at preventing threats, enforcing policies, securing access, and finding areas to reduce risk. How do you rate your personal IT security awareness and maintenance compared to the rest of your organization/colleagues? SURVEY METHODOLOGY AND PARTICIPANT DEMOGRAPHICS: In the fall of 2017, independent professionals (management level and above) were invited to participate in an online survey on the topic of employee IT security behaviors. A total of 203 qualified participants completed the survey. All participants were from organizations with more than 1000 employees. A wide range of job levels, company sizes, and vertical industries were represented. 9

11 LEARN MORE ABOUT HOW YOU CAN PREVENT INSIDER THREATS AND IMPROVE PASSWORD SECURITY FREE PASSWORD SECURITY ASSESSMENT TOOL Every day, your employees are using passwords remarkably similar to those in their personal accounts. Attackers know this, and use that as an opportunity to decipher passwords for their other accounts, including those in your business. Preempt Inspector is a powerful application that quickly assesses your organization s password health, including exposure to high profile security breaches, and provides actionable results to reduce your company s risk of a credential-based attack. DOWNLOAD NOW AT INSPECTOR.PREEMPT.COM HOW TO USE ADAPTIVE THREAT PREVENTION TO ELIMINATE INSIDER SECURITY THREATS In our increasingly digital world where the traditional network perimeter has dissolved, identity and behavior drives access decisions. Binary options black or white, allow or block will not work becaise every decision carries an element of risk. As information security strategies shift to become more continuously adaptive, responding in real-time to threats will require more situational context based on identity and behavior. A continuous risk assessment of these attributes allows for more accurate identication of anomalies. Anomaly detection can then trigger a variety of responses for identity verification that match the behavior, the type of user, risk, and application or asset being targeted. The Preempt Platform enables this transformation. The Preempt Platform uses Identity, Behavior and Risk to continuously and situationally adapt to ensure the right level of security at the right time. This approach allows organizations to automatically respond in real-time to anomalous or risky behavior, proactively add secure access control and resolve risk and weaknesses before they are exploited by attackers. The Platform easily integrates with other security solutions to gain deeper context and intelligence for enriched threat detection, and to enable more threat enforcement options for stopping threats before they take a foothold in an organization. No endpoint software agents are required and installation is typically completed in a few hours, providing significant value on day one and increasing value over time for high impact and a low TCO. 10

12 HOW CUSTOMERS USE THE PREEMPT PLATFORM Eliminate Breaches and Compromised Credentials Compromised accounts/ devices Lateral movement Infrastructure attacks Unauthorized 3rd party vendor access Prevent Insider Threats Malicious behavior Abuse of privileges Restricted data access Risky or careless behavior Manage and Protect Privileged Accounts Privileged account discovery Risk assessment of privileged user Business privilege monitoring Privileged identity use Easily Add Identity Based Access Controls Workstation login identity verification High value servers and application access Access based on policy Add MFA to any application Improve Incident Response and Forensics Efficiency Automated reduction of alerts Event triage and prioritization Forensic and behavior chronology analysis Reduce Risk and Support Compliance Unaccessed servers and stale account mitigation Weak, shared, exposed password identification and reset automation Audit and compliance reports To learn more about the Preempt Platform or to schedule a demo go to

13 ABOUT PREEMPT Preempt protects organizations by eliminating security threats. Threats are not black or white and the Preempt Platform is the only solution that preempts threats with continuous threat prevention that automatically adapts based on identity, behavior and risk. This ensures that both security threats and risky employee activities are responded to with the right level of security at the right time. The platform easily scales to provide comprehensive identity based protection across organizations of any size. Preempt 600 California St San Francisco, CA copyright 2017