In Intermedia’s 2015 Insider Risk Report, we surveyed more than 2,000 office workers in the US and UK to find the riskiest users.
The first thing that jumped out at us was the scope of the problem:
But if you’re a business owner, IT manager or compliance officer, you need to get deeper. What are the demographic trends? Are some employees creating greater risk than others?
So we sorted our 2,000+ responses across employee age, job title, tenure and industry. And with a margin of error of ±2.17% at a 95% confidence interval, the results fly in the face of conventional wisdom: it’s the workers who are most familiar with technology who often cause the biggest risks.
This page contains highlights from our report. The full report is available for download below.
Of all the job roles in this survey—HR, marketing, operations, finance, sales—it was the people in IT who reported the poorest security habits in their responses.
I was surprised by this. As an IT services provider, my company is on the front line against intrusions, hacks and interruptions caused by these exact kinds of practices. One of our biggest priorities is to keep data secure and confidential, and it shocks me that other IT people wouldn’t share the same outlook.
Mike Maendler, CEO, Technology & Beyond
You’ve heard the saying, ‘100% of men say they’re better than the average driver.’ It’s the same thing. ‘100% of IT people say they’re better than average at security.’ You’ll also hear people say things like, ‘Why put on a seatbelt? I’ve been driving a long time without one and I’m still not dead.’ It’s the same mentality.
Jonathan Levine, CTO, Intermedia
The ex-employee access is really scary. What are they walking away with when they leave? If they go to a competitor, what kind of damage can they do? Usually people delete stuff when they leave, which is bad enough—but it’s really bad when they can come back a few months later and do damage. Especially if it’s IT people with that access. That bothers me the most.
Felix Yanko, President, ServNet
Of all the industries we surveyed—legal, healthcare, finance, and so on—it was people who work in technology who reported the most risky security practices.
It’s nearly always that technical people are the worst offenders. They know how to get around various controls that an IT team will put in place. It’s sometimes done with the best intent, but nevertheless with a complete lack of consideration for the risk or security implications.
Richard Walters, VP of Identity & Access Management, Intermedia
The biggest vulnerability businesses face, by far, is using the same password in multiple systems. Unfortunately, tech people have more systems than the other industries. Some of the tools they use, like old Cisco gear that requires crazy passwords, force people to write the passwords down. Other systems don’t offer individual accounts, so everyone shares the administrator account.
Martin Dunsby, CEO, Hybridge Inc
In most cases, Millennials know more about the apps they’re installing than IT does. Why would they ask whether or not it’s OK to install Spotify when the IT guys are still stuck in the 80s? These findings aren’t about insecure practices so much as about the confidence levels Millennials show in IT, and how much they view IT as a partner in their business versus a blockage to be avoided and worked around.
Martin Dunsby, CEO, Hybridge, Inc.
Everyone who is growing up now has grown up with social media, and the well-worn muscle is ‘share everything’. People share when they’re going on vacation, where they are, and how long they’ll be gone—which is like saying, ‘Go to my house and rob me—I’m not there!’ Whereas my generation grew up with a little more wariness. For younger people, their first experience is that ‘tech equals fun’. They don’t equate technology with anything serious or consequential.
Ryan Barrett, VP of Security and Privacy, Intermedia
Young people grow up with technology, so it comes more naturally to them. Older generations have an inherent fear of technology, which is actually a really good thing when it comes to IT security practices.
Eric Aguado, COO, ThrottleNet
I think it’s a primal thing. When you’re new, your reputation is new, and if you screw up in the beginning, it can cost you your social standing. But if you’ve established yourself within the organization, you can probably survive even a really flagrant mistake. For new employees, the community won’t support you if you transgress, at least not as much as they would rally around an established veteran.
Ryan Barrett, VP of Security and Privacy, Intermedia
As people stay longer with a company, they get more comfortable. And they get into a routine. They don’t realize that hackers have gained the ability to hack deeper. They get complacent because they’re still doing the same job even as IT and technology are advancing around them.
Mike Maendler, CEO, Technology & Beyond
A lot of companies don’t have dynamic security policies. The policies don’t change much. They don’t refresh the training. So they gradually become irrelevant. If you don’t make the corporate tools evolve in lockstep with the consumer tools, then people learn from the consumer tools and try to figure out ways around corporate restrictions.
Jonathan Levine, CTO, Intermedia
Regarding company size, the data showed no correlation between business size and user security habits. In some instances, employees at small businesses showed worse habits, while in others it was big business employees showing worse habits.
We spotted only one significant trend: smaller businesses seem to offer less training and tools to bolster user security, as shown below.
My last company had 80,000 employees, and everything was far more regimented. From the day you start, you get rigid IT training. But in the end, human habits are human habits, no matter what company you work for. If a person with bad IT habits leaves a small business to go work for a large company, why would their habits change?
Eric Aguado, COO, ThrottleNet
It doesn’t matter how big your organization is, a computer is still a computer and a person is still a person. That’s why it’s up to security staff to craft policies that protect against user behavior.
Mike Maendler, CEO, Technology & Beyond
When it comes to security, the more you can leverage technology to automate security, the better. ALL human beings are prone to errors and mistakes.
Eric Aguado
Businesses and individuals need to be aware of the basics of social engineering. Tech has gotten so far ahead of some folks. They need “street smarts”. You educate each person to their level, look at the risks they create and design the training to combat that risk. At the same time, put technology in to protect people from themselves.
Felix Yanko
It’s important to provide tools that make it easier to follow the rules. Single sign-on, enterprise-class file sharing. Security is best done if you don’t even know you’re following a protocol.
Jonathan Levine
IT should be leading with new technology. They should be coming to users and saying, ‘We found the great next-gen thing, and we’re going to help you roll it out.’ If IT was much more eager to help folks take advantage of the treasure trove in the cloud, they wouldn’t find employees trying to actively bypass them.
Martin Dunsby
Make security continually new for everyone. Keep changing and updating the guidelines, so that nobody can lay claim to immunity. But keep it interesting—don’t just change the policy, change the experience. Remind people WHY it’s important.
Ryan Barrett, VP of Security and Privacy, Intermedia
Employees aren’t doing this maliciously. They want to be more productive or cut through red tape. IT needs to shift from dictating what you can and can’t do to acting as a trusted advisor.
Richard Walters, VP of Identity & Access Management, Intermedia
The bad practices described here are symptoms, so we need to go after the root cause. We put in safeguards that protect users from themselves. You can’t teach common sense. So we develop technology that overcomes a lack of common sense.
Mike Maendler, CEO, Technology & Beyond
What it does. This two-in-one app offers both file backup and file sharing & syncing, while giving business managers full control over access and a full audit trail.
How it helps. SecuriSync improves user security practices in many different ways.
What it does. This service stores passwords on a user’s behalf and provides a single portal for easy access to all their web apps. It logs them in with just one click.
How it helps. AppID lets you connect employee credentials to third-party web apps via Active Directory, enabling you to prevent ex-employee access by disabling their logins with a single click.
AppID also prevents insecure password practices because users simply don’t have to remember passwords.
What it does. AppID Enterprise’s patented App Shaping technology enables admins to set policies that determine exactly which pages or elements within any web app users can access or see. For example, you can remove or grey out exporting functionality; hide or redact sensitive data; define access to features based on user role; and restrict access to ANY element within a web app.
How it helps. This technology helps prevent unauthorized access and data breaches by ensuring that only authorized users are allowed to access sensitive data or perform certain tasks within the web app.
What it does. AppID Enterprise gives you a detailed audit trail of all user interaction with any web app—from login to logout and everything in between, including screenshots. You can configure auditing levels for both individual users and applications as well as groups of users.
How it helps. These features prevent misuse of data because employees know that their actions can be tracked. In addition, it makes it easier to facilitate compliance with regulations designed to avoid data breaches.
What it does. Intermedia’s HostPilot control panel provides a single source of management across 30 business IT apps. This centralized control over your Office in the Cloud offers a number of key security features.
How it helps. HostPilot helps you prevent data theft by offering remote wipe of devices. It also reduces the risk of poor password practices by letting you set policies regarding password length and complexity for Intermedia services.
What it does. Offers centralized control over user identity. Active Directory helps you organize your company’s users, computers and other digital resources.
How it helps. Protects against ex-employee access by enabling you to disable access to all your Intermedia services with just one click.
What it does. Intermedia’s HostPilot control panel gives admins control over the mobile devices that are used to access Intermedia services.
How it helps.
What we offer. Intermedia offers a number of critical security tools, including email security, email encryption, Single Sign-On (SSO) and more.
How it helps.
What it does. Email Archiving captures every email a user sends and receives and stores it in a tamper-proof archive.
How it helps. Email Archiving is “tamper proof,” which means that emails containing critical company data cannot be intentionally or accidentally deleted by either employees or IT administrators. Email Archiving also helps companies easily find and restore information, simplify eDiscovery in the event of litigation, and facilitate compliance with industry rules and regulations.
Intermedia’s Office in the Cloud offers a suite of cloud IT services that are fully integrated, secure and mobile. Our services include business email, phones, file sync and share, single sign-on, security, mobility, archiving and more. They’re all managed through our central HostPilot control panel and backed by a Worry-Free Experience™ that includes a 99.999% uptime guarantee and 24/7 support with typical hold times of less than 60 seconds.
Survey methodology. This study was commissioned by Intermedia and delivered by Precision Sample, an independent market research organization. Precision Sample has an active proprietary panel of over 3.5M respondents that is routinely validated with a stringent screening process including Verity® and RelevantID® by Imperium®. Results were derived from a 10-minute online survey instrument with 34 total questions, fielded August 4-6, 2015. Setup questions were used to ensure that only office workers were in the sample, which was defined as those who use a computer, laptop, smartphone or tablet in their day-to-day work. The overall margin of error is +/- 2.17% at a 95% confidence interval.