South African businesses need threat-centric security strategies and policies to address all sources of threat whilst also enabling agile working

Critical company data is at risk in South Africa as a result of organisations focusing IT security policies and resources more on external threats, such as cybercriminals and hackers, and not enough on the threat from within the business.

November 5, 2014
  • An astonishing 70% of people are not aware of recent high-profile security breaches (such as Heartbleed) 
  • 66% of employees believe employee behaviour is one of the top two biggest threats to data security, with organised cybercrime second at 59%  
  • 62% believe their company has an IT security policy in place but 12% don’t know 
  • 36% have low to moderate levels of adherence to the policy and one in 14 people actively circumvent their company IT security policy
  • 43% believe IT security is stifling innovation in their organisation and that the cost of lost business opportunity outweighs the cost of a security breach

Critical company data is at risk in South Africa as a result of organisations focusing IT security policies and resources more on external threats, such as cybercriminals and hackers, and not enough on the threat from within the business, according to research released today by Cisco.

The results, which draw on responses from over 1,000 employees in South Africa, uncover two significant issues. The first shows that employee behaviour is a genuine weak link in cyber security and is becoming an increasing source of risk – more through complacency and ignorance than malice – because companies have so insulated employees (with 16% believing this to be the case) from the scale of daily threats that people (44%) expect the company’s security settings to take care of everything for them.

The second shows that an increasing number of employees feel that security policies are inhibiting innovation and collaboration, and are making it harder for them to do their jobs effectively – to the point where some employees take steps to circumvent the policy.

The need to factor in behaviour in a threat-centric, platform-based approach to IT security

The research shows that there is an urgent need to evolve security policies so that they continue to provide the best possible defence against attack from outside the organisation while simultaneously adapting to different types of employee behaviour. Employee behaviour (66%) – such as using the company network for personal transactions – pushed organised cybercrime (59%) into second place when employees were asked to identify the top two greatest sources of risk to data security.

Kian Ellens, Business Development Manager, Cisco South Africa, said: “This study confirms the complex challenges facing businesses when it comes to IT security. The results show most employees recognise that the threat from cybercriminals is real and worthy of continuous defence but it also reveals that employee complacency about IT security is increasing the risks for South African businesses. An employee who blindly trusts is one amongst several ‘weak links’ in the security chain. These expose an organisation to greater risks by providing enterprising hackers with multiple doorways that can be unlocked and potentially lead to sensitive data.

“The results also indicate that the IT security strategies in place at the moment do not correlate with the way people prefer to work today. Employees are telling us existing security policies need to change in order for businesses to maintain a culture of innovation and collaboration, whilst keeping the corporate network, devices and the cloud safe from external attacks.”

A culture of complacency and ignorance

According to the wide-ranging security study, the biggest internal threat stems from a sense of complacency, with employees (44%) assuming that the company will protect them online.

This attitude may be a result of policies – and the threats that drive them – not being high profile. While 62% of employees thought their company had a security policy, 12% did not know if there was one or not. Over half (53%) said they weren’t bothered about the policy as it did not affect what they do and 36% said they only notice one exists when they are stopped from doing something by the security settings. As a result, 36% admitted to low or moderate levels of adherence to the policies that were in place.

Furthermore, an astonishing 70% of people are not aware of recent high-profile security breaches such as Heartbleed. As a result, 34% of respondents made no change to their security behaviour and 50% say they still do not have different passwords for every site and application.

Outmoded approaches to security are inhibiting working patterns and stifling innovation

Employees in South Africa are increasingly looking at IT security as a barrier rather than an enabler for business. The survey revealed that a quarter (23%) think IT security is stifling innovation and making it harder to collaborate and 10% believe it is making it harder to do their jobs. One in five (20%) believes that the costs of lost business opportunity outweigh the costs associated with a potential security breach.

“While better communication and education will help, it won’t solve the culture of complacency uncovered by this study. IT leaders will be compelled to establish more user-friendly security policies that accommodate user behaviours in order to lower the risk of a breach across the entire organisation”, says Greg Griessel, Consulting Systems Engineer Security Solutions, Cisco South Africa. “If employees continue to believe that IT security is making their job more difficult or remain unaware of the dangers their behaviour can place on the organisation, businesses will continue to play a game of Russian roulette with their IT security, which could lead to a very costly security breach.”