Heightened IT security risks caused by a culture of employee complacency are widespread in the UAE, a report said, adding that people expect the company’s security settings to take care of daily threats.

An increasing number of employees feel that security policies are inhibiting innovation and collaboration, and are making it harder for them to do their job effectively – to the point where some employees take steps to circumvent the policy, added the latest UAE workplace Security research findings by Cisco and Gulf Business Machines (GBM).

The research shows that there is an urgent need to evolve security policies so that they continue to provide the best possible defence to attack from outside the organisation while simultaneously adapting to different types of employee behaviour.

Employee behaviour (57 per cent) was second only to organised cybercrime (61 per cent) when employees were asked to identify the top two greatest sources of risk to data security. All of those surveyed use their company’s network for personal transactions – the most popular was personal banking (74 per cent) closely followed by travel bookings and online shopping (63 per cent).

A culture of complacency and ignorance

According to the study, the biggest internal threat stems from a sense of complacency with employees assuming that the company will protect them online.

The survey revealed that 41 per cent of people expect their company’s security settings to protect them from any risk; while (46 per cent) believe it is either the company’s or a joint responsibility to keep personal and company data safe. Over half (52 per cent) seem so insulated from the true extent of threats that they think their behaviour has low to moderate impact on security.

This attitude may be a result of policies – and the threats that drive them - not being high profile. While 66 per cent of employees thought their company had a security policy, 14 per cent did not know if there was one or not.

Over half, 52 per cent said they weren’t bothered about the policy in any event as it didn’t affect what they do and, 35 per cent said they only notice one exists when they are stopped from doing something by the security settings.

As a result 47 per cent admitted to low or moderate levels of adherence to the policies that were in place and more people admitted to being more rigorous about data security at home (25 per cent) than at work (18 per cent).

Furthermore, an astonishing 62 per cent of people are not aware of recent high-profile security breaches such as Heartbleed. As a result, 26 per cent of respondents made no change to their security behaviour and 50 per cent say they still don’t have different passwords for every site and application.

“An effective security strategy helps to protect an organisation before, during and after an attack. Worryingly, the survey shows most employees feel so immune to attack that they do not change their behaviour. This needs to be addressed urgently,” said Rabih Dabboussi, managing director for Cisco in the UAE.

Outmoded approaches to security

Employees in the UAE are increasingly looking at IT security as a barrier rather than an enabler for business. The survey revealed that over a third (39 per cent) think IT security is stifling innovation and making it harder to collaborate and 20 per cent believe it is making it harder to do their job. One in five (20 per cent) believe that the costs of lost business opportunity outweigh the costs associated with a potential security breach.

“This study confirms the complex challenges facing businesses when it comes to IT security. The results show most employees recognise that the threat from cybercriminals is real and worthy of continuous defence but it also reveals that employee complacency about IT security is increasing the risks for businesses in the UAE. An employee who blindly trusts is one amongst several ‘weak links’ in the security chain,” Dabboussi said.

“These expose an organisation to greater risks by providing enterprising hackers with multiple doorways that can be unlocked and potentially lead to sensitive data. While better communication and education will help, it won’t solve the culture of complacency uncovered by this study.  IT leaders will be compelled to establish more user-friendly security policies that accommodate each behavioural profile in order to lower the risk of a breach across the entire organisation.”

Hani Nofal, executive director at GBM, said: “The way in which people are choosing to work in modern society does not correlate to the investment companies are making in their IT security strategies. These results highlight that employees are aware that existing security policies need to change in order for businesses to maintain a culture of innovation and collaboration, whilst keeping the corporate network, devices and the cloud safe from external attacks.”

“As cyber security becomes more of a strategic risk, organisations across the GCC must take a holistic view of the risks and continually improve cyber security practices and procedures. For many organisations his has become a key part of daily operations in order to protect the business from internal and external threats, and to ensure weak links, caused by employee behaviour, are minimised, helping to facilitate business agility, innovation and growth,” Nofal concluded. – TradeArabia News Service