Microsoft Ireland warns of IT security risks
18 February 2019 16:25 GMT

Microsoft Ireland has warned that poor security habits within large Irish public sector and commercial organisations will lead to critical data and intellectual property loss. Following the publication of research across 700 employees working in large Irish organisations employing over 100 staff across both the public and private sector, Microsoft has identified potentially dangerous employee habits which, if not addressed, could risk major data loss or theft over the coming year, with severe legal and reputational consequences.

Digital Transformation is enabling and transforming organisations, driving the need to maximise employee productivity, as well as adapting to the explosion in mobile devices and technology innovations. However, in the drive to transform, Irish organisations leave themselves vulnerable to major security risks that range from data and revenue loss to reputation damage, in addition to hindering digital transformation.

Microsoft commissioned Amarach Research to investigate the security culture within Irish organisations to understand how their employees accessed and used sensitive data while at work and on the go. The research also looked at what gaps were emerging that could be exploited by hackers or lead to a data breach. 

As part of its ongoing efforts to drive better security for organisations, Microsoft invests $1bn each year in security, analyses more than 6.5 trillion signals daily, processes 630 billion authentications monthly, and scans 470 billion e-mails for malware and phishing monthly.

The research found inconsistent data security training – only 54% of respondents within large Irish organisations reported receiving training once a year. Only 16% of employees have updated their passwords in the last 12 months in line with their organisation’s policies.

Poor password hygiene by employees: Passwords have become too easy to guess or steal. Nearly a quarter (22%) of Irish employees write down their passwords. 77% of employees rely on their memory for their work and personal passwords. When it came to their password hygiene, 2 in 5 recycle their work passwords, and 44% recycle their personal passwords. Over the course of a year, only half change passwords quarterly, with only half updating their passwords once a year or less. 

Employees are potentially using the same weak password across dozens of different accounts in their work and home life, making a stolen password more lucrative to criminals. To resolve this, 3 in 5 employees surveyed would welcome biometric verification as an alternative to passwords.

Organisations that provide the technology and trust but don’t enforce security and data protection are vulnerable. The research discovered that employees working from home are much more likely to engage in risky security activities that increase potential data loss. Nearly half (49%) of those working from home at least once a week used their personal email account for saving, editing, sending, or sharing work-related documents. 24% reveal that they accidentally shared work-related material with friends and family.

Different practices for those working from home: The research found that one in three are allowed by their company to use their personal device for work purposes. Half of respondents claim their personal device is better than their work device, and almost three in ten of these have used their home device to work on sensitive files. 

A quarter of those working from home at least once a week admit to having friends or family access work devices at home, which may violate data policies from their organisation. This is worrying when 56% of respondents reported they work from home, and almost half of these have no restrictions on document access when working from home. 

Worryingly, 25% of those surveyed admitted plugging a USB thumb drive that wasn’t from their company into their work device, 12% connected back-up drives, and 5% connected a smartphone that didn’t belong to them. This increases the chances of employees compromising their identity. Microsoft reported that 81% of major data breaches last year could be traced back to this issue alone.

Devices and security: While 1 in 5 respondents claim their devices are updated regularly, they aren’t shown how to use newly introduced technology. Using personal devices can increase risky employee behaviour such as downloading sensitive documents to mobile devices (e.g. smartphones and tablets), which could result in sensitive data being outside of the sight and control of the organisation.

Employees have already fallen victim to cyber hackers; 30% of employees surveyed have been notified about a breach of their personal data, and 44% have experienced problems with phishing, hacking, cyberfraud or other cyberattacks happening in either their personal or professional lives. Interestingly, 18% have reported similar issues in the workplace.

“Organisations can invest in robust data protection and security measures, but their employees could, accidentally, bring about a potential security disaster for their organisation,” said Des Ryan, Microsoft Ireland Solutions Director. “The most common and least detected sources of data breaches are compromised identities. Passwords can be hacked, guessed, leaked or lost. New technologies like biometric security can deliver the robust security required to protect organisations from most social engineering attacks.”

“Organisations must now ensure they are taking a considered approach to data security, and embrace new procedures and technologies, coupled with consistent training, enforced policies, along with better device upgrades to enable employees to deliver the productivity needed for successful transformation with a minimum of risk to the organisation. We see needless security risks created by employees who are unaware or are working from older devices or older versions of Windows. For example, those who are working in a public Wi-Fi spot who do not have the latest security measure or hardware and are, in effect, broadcasting sensitive data that can be picked up by a hacker.”