6 Ways Employees Expose Businesses to Security and Compliance Risks

by Hannah Grace Holladay / September 12th, 2022

Business managers and IT professionals are inclined to attribute employee-caused security failures to malice, ignorance, or laziness. After all, the business has security policies and procedures. Employees know about them or, at the very least, have signed a declaration affirming they know about them. The IT team has implemented secure systems. 

And yet, employees often circumvent these systems and ignore information security policies, exposing the business to cybersecurity attacks and regulatory risk. Malice and incompetence seem the parsimonious explanation. But the real reasons are more complex.

Why Do Employees Fail to Comply with Security Policies?

A recent study from the Harvard Business Review, Why Employees Violate Cybersecurity Policies, found that few security policy breaches result from conscious malice, even when the breach itself was deliberate. The study attributes the majority of employee security protocol breaches to four causes:

  • To better accomplish tasks for their job.
  • To access information or functionality they need to do their job.
  • To help other employees to do their work.
  • Because stress drives them to increase productivity at the expense of security.

In short, employees typically fail to comply with security policies for reasons of productivity and altruism, not malice or ignorance. That doesn’t make failure to comply any more acceptable or mitigate the regulatory risk, but it may help businesses to build processes that are both secure and efficient.

The 6 Common Employee Security and Compliance Failures

Understanding why employees fail to comply is helpful, but businesses also need to know how employees typically breach security policies. Let’s explore six of the most common ways employees fail to follow security best practices. 

1. Configuration Errors

Configuration errors expose software and services to increased security risk. For example, it is a configuration error to grant public access to an AWS S3 bucket that stores sensitive information.

The OWASP Top Ten lists misconfiguration as one of the most prevalent web application security vulnerabilities, with almost 90% of web apps exhibiting configuration errors. Misconfiguration is also a significant source of cloud security breaches. The National Security Agency (NSA) says misconfiguration is the most common cloud security vulnerability.

Other common examples of misconfiguration include:

  • Deploying publicly accessible databases with inadequate authentication
  • Using default usernames and passwords
  • Configuring firewalls with overly permissive rules
  • Failing to limit access to sensitive data and resources
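The misconfigurations above are the kind a short, repeatable check can catch before a deployment goes live. The following is an added example written for this article, not a KirkpatrickPrice tool: it audits a bucket policy in the S3 policy format for unconditioned grants to any principal, and a list of firewall rules for entries that expose every port, or a sensitive port, to the whole internet. The bucket policy, the firewall rules and the sensitive-port list are constructed for the example; a real review would also consider bucket ACLs and account-level public access settings, which this check does not inspect.

```python
"""Added example: audit two of the configuration errors listed above.

Illustrative code for this article, not a KirkpatrickPrice tool. It checks
(1) an S3-style bucket policy for statements that grant access to everyone
and (2) firewall rules for overly permissive entries. All sample data below
is constructed for the example.
"""
import ipaddress
import json

# Constructed sample: a bucket policy whose second statement lets anyone read.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowTeamRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "PublicRead", "Effect": "Allow",
         "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]},
    ],
})

# Constructed sample firewall rules (source CIDR, destination port, action).
SAMPLE_FIREWALL_RULES = [
    {"name": "office-ssh", "source": "203.0.113.0/24", "port": 22, "action": "allow"},
    {"name": "web", "source": "0.0.0.0/0", "port": 443, "action": "allow"},
    {"name": "any-any", "source": "0.0.0.0/0", "port": "any", "action": "allow"},
    {"name": "db-from-anywhere", "source": "0.0.0.0/0", "port": 5432, "action": "allow"},
]

# Assumed list of ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 27017, 6379}


def _is_public_principal(principal):
    """True if a statement's Principal means 'everyone' ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def find_public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to any principal
    without a Condition, i.e. unconditioned public grants."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear un-listed
        statements = [statements]
    public = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants need human review rather than an automatic flag
        public.append(stmt.get("Sid", "<no Sid>"))
    return public


def find_permissive_rules(rules):
    """Return names of allow rules that expose every port, or a sensitive port,
    to the entire IPv4 internet (a /0 source)."""
    flagged = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        net = ipaddress.ip_network(rule["source"], strict=False)
        if net.prefixlen != 0:
            continue  # source is restricted, not world-reachable
        if rule["port"] == "any" or rule["port"] in SENSITIVE_PORTS:
            flagged.append(rule["name"])
    return flagged


if __name__ == "__main__":
    print("public bucket statements:", find_public_statements(SAMPLE_BUCKET_POLICY))
    print("permissive firewall rules:", find_permissive_rules(SAMPLE_FIREWALL_RULES))
```

Run against the constructed data, the policy check flags only the `PublicRead` statement, and the firewall check flags the any-port rule and the database port exposed to the internet while leaving the public HTTPS rule alone, which is the distinction a reviewer has to make rather than rejecting every `0.0.0.0/0` entry.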

2. Falling for Social Engineering Attacks

Social engineering attacks manipulate employees into acting in ways that are contrary to security policies. Phishing attacks are the most common type. In a phishing attack, the attacker sends an email or instant message containing a malicious link to many different employees. The link might lead to a fake login form or a malware-infected site. 

The attacker wants to harvest login credentials or infect a trusted device. Once they can access one device, they can use it to island hop to others, circumvent security controls, and gather sensitive information.

Every organization is at risk of phishing, but it’s far from the only social engineering attack. Others include:

  • Spear phishing: a refined phishing variant that focuses on specific employees within an organization, using knowledge of the individual to craft a convincing deception. High-level executives and technical employees with wide-ranging access to IT systems are frequent spear phishing targets.
  • Smishing: attacks that use SMS to manipulate employees via spoofed phone numbers.
  • Executive impersonation attacks: the attacker contacts an employee while pretending to be a high-level executive, often to ask the employee to send money to an account under the attacker’s control. Employees rarely have the confidence to challenge executive requests.

3. Exposing Login Credentials

The simplest way to compromise business IT systems is with stolen login credentials and API keys. If an attacker can authenticate, they can bypass security controls and take advantage of the employee’s trusted status. The paradigmatic login exposure is a username and password stuck to an employee’s monitor, but that’s not the only way attackers obtain credentials. 

  • Sharing credentials: Employees often share authentication credentials with other employees, including those who may not have the same authorization level.
  • Re-using credentials: Using the same usernames and passwords on business systems and other online services increases the risk that they will be exposed.
  • Uploading credentials to version control systems: Employees may choose to upload credentials and keys to version control instead of using secure secret management services.
  • Phishing attacks: As mentioned above, attackers use phishing attacks to harvest authentication credentials.
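The version-control case above is one where a mechanical control helps: a scan of files before they are committed catches many credentials before they ever reach the repository. The following is an added example written for this article, not a KirkpatrickPrice tool or any real secret scanner. It combines a documented format pattern (an AWS access key ID is `AKIA` followed by sixteen uppercase alphanumerics) with two generic heuristics, and uses a Shannon entropy threshold so that obvious placeholders such as `changeme` are not reported. The file contents are constructed for the example; the access key ID is the example value from AWS documentation, not a live key.

```python
"""Added example: a minimal pre-commit style scan for credentials in files.

Illustrative code for this article, not a KirkpatrickPrice tool. The patterns
are a small subset of what production secret scanners use. Sample file
contents below are constructed.
"""
import math
import re

# (label, pattern). The AWS access key ID format is documented by AWS; the
# private-key header and assigned-secret patterns are generic heuristics.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("assigned_secret", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]")),
]


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<stdin>", entropy_threshold=3.5):
    """Return findings as (path, line_no, label) tuples, one per matching pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            if label == "assigned_secret":
                # Only flag assigned values that look random, so placeholders
                # such as "changeme" are skipped. The threshold is an assumption.
                if shannon_entropy(m.group(2)) < entropy_threshold:
                    continue
            findings.append((path, line_no, label))
    return findings


# Constructed sample: files an employee might be about to commit. The access
# key ID is AWS's documented example value, not a real key.
SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        "DEBUG = False",
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
        "DB_PASSWORD = 'changeme'",
        "API_TOKEN = 'q8Zx2Lp9vK4mRt7Ws1Yb'",
    ]),
    "README.md": "Set DB_PASSWORD in your environment, never in the repo.",
}


def scan_files(files):
    """Scan a mapping of path -> contents and return every finding."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, line_no, label in results:
        print("%s:%d: possible %s" % (path, line_no, label))
    # A pre-commit hook would exit non-zero here when results is non-empty,
    # blocking the commit until the value is moved to a secrets manager.
```

On the constructed input this reports the access key ID and the random-looking API token in `config/settings.py` while skipping the `changeme` placeholder and the README sentence that merely mentions a password variable. The entropy threshold trades false negatives for false positives: lowering it catches shorter secrets at the cost of more noise, which is why most teams pair a check like this with a reviewed allow-list.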

4. Circumventing Secure Systems

Security and IT professionals implement and monitor secure systems they expect employees to use. But there is often a trade-off between security and productivity, and employees may seek a more convenient option if it allows them to work more efficiently. 

This phenomenon is one of the key drivers of shadow IT, in which employees, teams, and even whole business units use non-approved devices, software, and IT and cloud services because they are “better” than the services officially approved by the company. Of course, employees and security professionals often define “better” very differently, especially when sensitive data is stored and processed on unvetted third-party services. 

5. Poor Data Storage and Transport Practices

A nightmare scenario for IT security professionals: an employee accesses sensitive data and transfers it unencrypted to a portable drive. They want to work on the data at home but lose the bag containing the drive on their commute. Without training, employees are unlikely to understand the need for encryption and the consequences of removing data from secure storage. 

Alternative risk scenarios include employees who:

  • Email sensitive data to third parties or themselves
  • Share authentication credentials with unauthorized third parties
  • Upload data to insecure cloud services for easier access

In our examples, the employee may be acting from positive motives. But deliberate data theft by departing employees is also a huge issue—one reason removing access from employees who quit or are let go is so important. 

6. Failure to Secure Remote Working Environments

Employees who work remotely present risks that don’t arise when the business controls the working environment. These risks are exacerbated when employees use their personal devices and preferred software to complete tasks. 

Risks include:

  • Unsecured WiFi networks and routers
  • Use of devices that may have been compromised
  • Reduced security awareness and diligence
  • Reduced monitoring and oversight

To learn more about how businesses can reduce remote work risks, visit KirkpatrickPrice’s Remote Access Security Testing resources. 

Risk Management: Reducing Employee Compliance Failures

We’ve seen why employees ignore security policies and how that can increase risk. But what can businesses do to manage that risk? Combating this type of insider threat may be challenging, but we have identified several approaches that help employees act securely and responsibly.

  • Promote a positive security culture. Ensure security policies are transparent and easy to understand. Encourage employees to report potential security issues and incentivize them to conform to policies.
  • Penetration testing. Pen testing can help to identify potential weaknesses, including those caused by employees.
  • Security awareness training. Ensure all employees understand essential security policies and why the company expects them to be followed.
  • Information security audits. Regular audits help businesses to identify and mitigate inadequate policies, processes, and behaviors.

Connect with an Expert

If you want to talk to an information security and compliance expert about reducing employee risk and combating insider threats, contact KirkpatrickPrice today.