SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
UK employees jeopardise workplace cybersecurity with unauthorised downloads
Thu, 9th Nov 2023

New research conducted by Armis, the asset intelligence cybersecurity company, highlights an unattended risk posed by UK employees using personal devices at work. The findings reveal that 67% of these workers are potentially jeopardising businesses by downloading apps and software without consent, often beyond the knowledge or management of IT or security teams. Furthermore, the report indicated that 78% of IT and security teams are unaware of the risk, reporting a lack of control and management over employee-owned devices.

The study, which surveyed security and IT decision-makers, found that employees acting without consent contribute to risk. At two in three (67%) organisations, the workforce introduces risk by downloading applications and software without authority, unknowingly creating potential security vulnerabilities.

Simultaneously, close to two-fifths (39%) of organisations admitted that they find it challenging to manage the UK's increasingly complex regulations and governance requirements. Companies need to rapidly comply with new, stringent regulations that are shifting towards enforcing responsibilities rather than traditional check-the-box obligations.

"Lack of policy enforcement can contribute to gaps requiring urgent remediation while also further complicating an organisation's attack surface. Preventing material compliance and security breaches requires a focus on the foundational, with the business in mind: policy adoption and enforcement, contextual asset visibility and monitoring, exposure and vulnerability prioritisation and remediation," said Curtis Simpson, CISO at Armis.

The critical findings from Armis' research, commissioned with Vanson Bourne, encompass the following aspects:

Many assets within the company environment remain unseen and unmanaged, lacking appropriate security measures. This incomplete visibility of the attack surface endangers the company's security environment. Without the correct asset context and policy enforcement, only a partial view of the attack surface is achieved.

Also alarming is that, on a typical business day, around 45,000 assets are connected to UK organisations' networks, with 39% of respondents indicating a lack of complete visibility over company-owned assets connected to the business environment. Furthermore, 42% reported a lack of control and management over these assets.

Almost four in five (78%) respondents confessed a lack of control and management over employee-owned assets connected to the business environment, with a similar number (77%) indicating a lack of visibility over these assets. A lack of effective BYOD (bring your own device) policies puts organisations at risk, with only just over half (51%) enforcing a BYOD policy across all employees.

Last but not least, 25% of UK cybersecurity teams reported that they feel overwhelmed by the cyber threat information they receive daily. In addition, 39% of UK organisations suffered a security breach as a result of a cyberattack in the last 12 months.

"Organisations need to prioritise security across the entire organisation, including employee-owned devices, to mitigate risk", stresses David Critchley, Regional Director UKI, Armis. He added, "This can't be done manually, there are just too many assets with potentially unknown vulnerabilities. That's why automation is absolutely key to help bridge the security skills gap, manage the security posture at scale and see, protect and manage the entire attack surface."