CensorNet has announced its research into the application and internet habits of 1000 UK adults, through personal data and insights platform CitizenMe. The survey found that 46 percent were guilty of at least one of the following bad practices, which could potentially put company data or the work network at great risk:
- 22 percent have shared work documents over chat applications such as WhatsApp, Telegram, or Facebook Messenger
- 18 percent have uploaded confidential work documents to Dropbox, Box or Google Drive without permission. A further 8 percent have accidentally shared a link to confidential files
- Shockingly, 16 percent used Dropbox, Google Drive, or similar to take company information to a new job
- 10 percent visited adult websites from a work device or using the work internet connection, and a further 13 percent admitted to downloading or viewing pirated content
- 25 percent used a work email account to authorise access to other services such as games, productivity apps or social media
Unauthorised app use, or shadow IT, is a security challenge that has increasingly plagued organisations as the lines between consumer and enterprise products have blurred. The likes of Dropbox, Box and Google Drive are common “enterprise” offenders that security teams may be aware of but, as the research shows, more people have actually shared documents over messaging apps like WhatsApp.
“IT teams might not have even considered that staff are using personal messaging accounts to send work files, but they will now,” said Ed Macnair, CEO of CensorNet. “As we see here, these apps increase the risk of people leaking sensitive data by accident or on purpose. Often there is no malicious motive behind it, it’s simply in people’s nature to find the easiest way to get their job done. But regardless of motive, it’s a gateway out of the building for your sensitive data and a way in for hackers, and security teams can’t afford to leave those gates unlocked.”
Employees are also putting their organisations at risk through the websites they are visiting on a work device or while using the work internet. Adult and pirate websites are often cesspools of malware and viruses, which employees are potentially bringing into the network. Furthermore, while using a work email address for personal accounts sounds comparatively harmless, this means employees are putting their work credentials into the wild. Should one of those personal services be breached, as Yahoo or TalkTalk was, their leaked details could be harvested by cyber criminals to attack the company. People frequently use the same login details for multiple accounts, leaving the company vulnerable to brute force attacks.
“Sadly, it is shocking, but not surprising that employees are viewing and downloading adult or illegal content at work or on a company device – but it is the security team’s job to account for human fallibility,” said Macnair. “Simply blocking sites and applications isn’t enough – people will always find a workaround, and fringe sites and apps are likely to be even more dangerous. In order to protect against employees’ actions, businesses have to accept that this is what employees are doing and bring them into the fold. They should take a multi-layered approach to security, making sure all of the core threat vectors – email, cloud apps, websites – are being monitored and controlled so that threats can be quickly mitigated.”