Cybersecurity in the Workplace: A Report on Security Behaviors

By Carla Barata • January 31, 2019

Introduction

Cybersecurity and the role the organizations play in safeguarding information are major concerns for businesses. Cyber incidents are growing at an alarming rate and are becoming increasingly complex creating multiples disruptions both in private and public business. With this increasing trend of attacks, organizations are now launching initiatives to better understand the need for cyber intelligence, cyber resilience, and measures to decrease the impact of cyber attacks.

There is a significant number of vulnerabilities in technology that can be used by intrusions agents to get unauthorized access to information. In turn, there is also a known number of methods and mechanisms for intrusion detection and appropriate host-and network-based systems and monitoring and intrusion prevention.

For security to gain the needed support and be properly implemented, the ITC decision maker must first reach across the various departments to gain a holistic view of the enterprise and be a skilled communicator to sell and advance the Cybersecurity position as a contributing partner to the overall mission of the business.

What is the survey goal?


CIONET, decided to launch a survey entitled “The Cybersecurity in the Workplace - Analysis of Corporate Vulnerabilities” that covered the whole Portuguese CIONET community of 560 IT/IS executives with more than 85% of the survey respondents being a decision maker in the organization (either CIO, CTO; CISO or IT Manager). The industries with the highest representation in the survey were: Industry, Public Sector, Financial Services, Logistics, and Transportation and Services. While the most representative sectors on the survey have been from the Finance & Banking, Industry, Logistics & Transportation, Public Sector and Services.

The aim of this survey is to explore security behaviors and promote the design of interventions that can motivate behavioral change. This report provides a holistic outlook on Cybersecurity and associated cyber offenses on the CIONET community, with a perspective on how organizations are preparing for cyber attacks.

The rationale of this survey is to examine social, technical, organizational, and contextual factors that may contribute to at least two forms of Cybersecurity vulnerabilities in the workplace: low maturity of critical information technology (IT) systems, and cyber attacks.

Email Security in the Workplace


Today’s businesses continue to rely heavily on email for internal and external communications and productivity. There are many companies lacking adequate protection against an ever- increasing number of customized and complex attacks.

Thinking about adequate protection means thinking about several aspects of the business triumvirate of People, Processes, and Technology.

1. People

For the People, and with a special focus on internal personnel, but also the main external interfaces in the business ecosystem, it is important to educate and regular train people for a change of mindset towards email. It is a productivity tool, which should be used to the minimum acceptable, and always with the clear notion, for every email, that everyone can be phished, that every attachment can hold hidden malware.

2. Processes

Surrounding People, the process is as important. The internal clearance for sending legal files, or the steps ensured to accept an email from an unknown recipient, the tool for managing support tickets, or the way to behave when sending an Email Marketing campaign, these are just some examples of the complex procedures every organization must implement and any employee must comply.

3. Technology

Finally, we have technology: it is common sense that some solutions protect you more than others, and should have the latest technologies available, such as Dynamic Malware Analysis, Anti-Fraud systems, or DMARC verifications, it becomes a bit less obvious that some characteristics need to be present as well, and contribute to the successful implementation of every solution. For example, the usability and administration features - any solution needs to be streamlined in the internal process and be very easy to operate, i.e., mark an email as bad, or block a user that has been affected by spam sent from a botnet - an over-complex solution will lead to poor adoption and maintenance. The IT staff will avoid using such tools up to a point they become ineffective.

Email Threats and Email Security Solutions 

Another aspect is to look at email threats within the local ecosystem. For instance, Portugal suffers from Portuguese, or Brazilian-Portuguese language phishing attacks, and very focused identity theft. Also, every company related, for example, with the banking sector in Portugal, will likely suffer from variations of a targeted attack on this industry. What this means is that Email Security technology needs to be tailored to given geography, and to given industry sector.

A final aspect, usually neglected, is to understand which users will maintain such a solution. Some organizations allow for bottom-up administration, where every user tunes their whitelists, for example, other solutions are very strict in just permitting an IT/Security group that manages the solutions, and other organizations split the different processes across the organization permitting, for instance, helpdesk roles, or Legal Auditing of the solution usage. Therefore, it becomes important that the solution is adjusted to the process in place.

Conclusions

The survey on Cybersecurity in the workplace (and its role in the organizations) has obtained relevant insights especially the main threats to organizational systems, which were:

  1. Malware: with Engineering and Construction, Industry, Legal Services, Pharmaceutical, and Retail were the sectors that have answered with the most attentive to this threat;

  2. Phishing: was the main threat that has shown to be the most relevant across all sectors with retail and Engineering and Construction the most sensitive to this threat;

  3. Social Engineering: the overall sectors that answered to the survey that was the most aware of this threat were Legal Services, Retail, and Telecommunications;

  4. Ransomware: considering that in 2018, Phishing emails were the most dominant method to distribute malware the Pharmaceutical and Legal services considered ransomware the most relevant threat.

In the end, every business face cybersecurity challenge, no matter the industry or size. That’s why it’s important to proactively build a security ecosystem, and maintain it on a daily basis.


Download Report