According to a Cisco study, “The results, which draw on responses from over 1,000 employees in South Africa, uncover two significant issues. The first shows that employee behavior is a genuine weak link in cyber security and is becoming an increasing source of risk – more through complacency and ignorance than malice because companies have so insulated employees (with 16% believing this to be the case) from the scale of daily threats that people (44%) expect the company’s security settings to take care of everything for them.”
Cisco SA Business Development Manager Kian Ellens stated, “This study confirms the complex challenges facing businesses when it comes to IT security. The results show most employees recognize that the threat from cybercriminals is real and worthy of continuous defense but it also reveals that employee complacency about IT security is increasing the risks for South African businesses. An employee who blindly trusts is one amongst several ‘weak links’ in the security chain. These expose an organization to greater risks by providing enterprising hackers with multiple doorways that can be unlocked and potentially lead to sensitive data.”
Sharon Knowles, CEO of DaVinci Forensics, says:
“The goal at DaVinci Forensics is to work with companies and their staff to update the overall attitudes and approaches in the reduction of the potential data risk situation. There needs to be a change in the overall attitude of complacency within the structure of organizations so that a company can establish user-friendly policies for security.”
The outdated employee perspective of IT security as a ‘barrier’ needs to change to one of a tool that maintains and enables their business practices. This extends into upper management who, in some cases, treat the potential of a security breach as a risk to be weighed against the overall cost that may be associated with prevention. This is a gamble that is already proving to have a high cost, as proprietary data can be taken and shared, and the damage done, before anyone is aware of it. The recognition of external cybercrime potential needs to be balanced with the possibilities of the paradigm shift to internal data exposure.
Due to a culture of secrecy, many internal information breaches go unreported and are handled internally. SA businesses need to shift towards threat-centric strategies that address each of the threat sources, so that they do not continue to experience this kind of high-dollar and reputational loss.
Cisco South Africa