IT Security Fatigue is Widespread in the UAE, Although Employees Still Accept the Need for Stringent Security Policies
Survey Identifies the Four Employee Security Behaviour Profiles Most Likely To Put Business Data at Risk
- An astonishing 62% of UAE employees are not aware of recent high-profile security breaches (such as Heartbleed)
- 57% believe employee behaviour is one of the top two biggest threats to data security – second only to organised cybercrime at 61%
- 66% believe their company has an IT security policy in place but 14% don’t know
- 47% have low to moderate levels of adherence to the policy and one in 12 people actively circumvent their company IT security policy
- 59% believe IT security is stifling innovation and collaboration in their organisationand making it harder to do their job
GITEX, Dubai – 13th October 2014 – The latest UAE workplace Security research findings were unveiled at Gitex today at a press conference hosted by Cisco and Gulf Business Machines (GBM). The results, which draw on responses from over 500 employees in the UAE, uncover two significant issues.
- The first shows that employee behaviour is a genuine weak link in cyber security and becoming an increasing source of risk – more through complacency and ignorance than malice - because companies have so insulated employees from the scale of daily threats that people expect the company’s security settings to take care of everything for them.
- The second shows that an increasing number of employees feel that security policies are inhibiting innovation and collaboration, and are making it harder for them to do their job effectively – to the point where some employees take steps to circumvent the policy.
The need to factor in behaviour in a threat-centric platform based approach to IT security
The research shows that there is an urgent need to evolve security policies so that they continue to provide the best possible defence to attack from outside the organisation while simultaneously adapting to different types of employee behaviour. Employee behaviour (57%) was second only to organised cybercrime (61%) when employees were asked to identify the top two greatest sources of risk to data security. All of those surveyed use their company’s network for personal transactions – the most popular was personal banking (74%) closely followed by travel bookings and online shopping (63%).
A culture of complacency and ignorance
According to the wide ranging security study, the biggest internal threat stems from a sense of complacency with employees assuming that the company will protect them online. The survey revealed that 41% of people expect their company’s security settings to protect them from any risk, while (46%) believe it is either the company’s or a joint responsibility to keep personal and company data safe. Over half (52%) seem so insulated from the true extent of threats that they think their behaviour has low to moderate impact on security.
This attitude may be a result of policies – and the threats that drive them - not being high profile. While 66% of employees thought their company had a security policy, 14% did not know if there was one or not. Over half, 52% said they weren’t bothered about the policy in any event as it didn’t affect what they do and, 35% said they only notice one exists when they are stopped from doing something by the security settings. As a result 47% admitted to low or moderate levels of adherence to the policies that were in place and more people admitted to being more rigorous about data security at home (25%) than at work (18%).
Furthermore, an astonishing 62% of people are not aware of recent high-profile security breaches such as Heartbleed. As a result, 26% of respondents made no change to their security behaviour and 50% say they still don’t have different passwords for every site and application.
Dabboussi said, “An effective security strategy helps to protect an organisation before, during and after an attack. Worryingly, the survey shows most employees feel so immune to attack that they do not change their behaviour. This needs to be addressed urgently.”
Outmoded approaches to security are inhibiting working patterns and stifling innovation
Employees in the UAE are increasingly looking at IT security as a barrier rather than an enabler for business. The survey revealed that over a third (39%) think IT security is stifling innovation and making it harder to collaborate and 20% believe it is making it harder to do their job. One in five (20%) believe that the costs of lost business opportunity outweigh the costs associated with a potential security breach.
Four distinct IT security behaviour profiles across the UAE
The research, also identified four distinct IT security behaviour profiles across the UAE which could form the basis for behaviour-centric security strategies. Each demonstrates a different level of threat to data security and requires a specific approach in order to limit the risk posed whilst leaving people free to perform at optimum efficiency and effectiveness:
- The threat aware – those aware of security risks and who try hard to stay safe online
- The well-intentioned – those who try to adhere to policies but who implement on a ‘hit and miss’ basis
- The complacent – those who expect the company to provide a comprehensive security environment and therefore do not take individual responsibility for data security
- The bored and cynical
Kaizo Limited– those who believe the cyber security threat is overhyped and that IT security inhibits their performance and will circumvent policies as a result.
A company registered in England and Wales
Registered office: 1 Quality Court, Chancery Lane, London, WC2A 1HR
Registered Number: 07631425
Rabih Dabboussi Managing Director for Cisco in the UAE
“This study confirms the complex challenges facing businesses when it comes to IT security. The results show most employees recognise that the threat from cybercriminals is real and worthy of continuous defence but it also reveals that employee complacency about IT security is increasing the risks for businesses in the UAE. An employee who blindly trusts is one amongst several “weak links” in the security chain. These expose an organisation to greater risks by providing enterprising hackers with multiple doorways that can be unlocked and potentially lead to sensitive data. While better communication and education will help, it won’t solve the culture of complacency uncovered by this study. IT leaders will be compelled to establish more user-friendly security policies that accommodate each behavioural profile in order to lower the risk of a breach across the entire organisation.”
Hani Nofal, Executive Director at GBM
“The way in which people are choosing to work in modern society does not correlate to the investment companies are making in their IT security strategies. These results highlight that employees are aware that existing security policies need to change in order for businesses to maintain a culture of innovation and collaboration, whilst keeping the corporate network, devices and the cloud safe from external attacks. As cybersecurity becomes more of a strategic risk, organisations across the GCC must take a holistic view of the risks and continually improve cybersecurity practices and procedures. For many organisations his has become a key part of daily operations in order to protect the business from internal and external threats, and to ensure weak links, caused by employee behaviour, are minimised, helping to facilitate business agility, innovation and growth.”
Note to Editors:
- Access the full Cisco Midyear Security Report here: http://www.cisco.com/web/offers/lp/midyear-security-report/index.html
Cisco (NASDAQ: CSCO) is the worldwide leader in IT that helps companies seize the opportunities of tomorrow by proving that amazing things can happen when you connect the previously unconnected. For ongoing news, please go to http://thenetwork.cisco.com.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. A listing of Cisco’s trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
About Gulf Business Machines (GBM)Founded in 1990, Gulf Business Machines (GBM) is the leading IT solutions provider in the region fulfilling the IT requirements of local, regional and international organizations in the GCC.
GBM is the sole distributor for IBM– excluding selected IBM products and services –throughout the GCC, except for Saudi Arabia. GBM’s momentum was further enhanced in 1999, when the team secured the Cisco portfolio. Today GBM holds the highest level of recognition in the region from Cisco, Gold Partner status, in addition to the Cisco Borderless Network Architecture Specialized Learning Partner status.
GBM offers an extensive range of IT infrastructure, IT solutions and services ranging from consulting, resource deployment and integration to after-sales support, through 1000 professionals and over 20 solid strategic partnerships forged with internationally-recognized IT solution providers.
The company, which is ISO-9001 certified since 199 9 , has offices in the UAE (Abu Dhabi, Dubai and Sharjah), Kuwait, Oman, Qatar, and Bahrain. GBM also has established a presence in Pakistan, where the company now operates three offices, one each in Karachi, Islamabad and Lahore as an IBM Premier Business Partner. The Pakistani operation also holds a Silver Partner Status from Cisco.
In 2014, GBM achieved Cisco Channel Customer Satisfaction Excellence, the highest distinction a partner can achieve within the Cisco Channel Partner Program.
For more information please visit www.gbm4ibm.com