Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

Study Finds Employee Security Habits Reveal Risky Imbalance

Human nature motivates us to enhance productivity, make things easy, find workarounds, and to crave information that is being kept from us. How do these motivations change the way people work? Do their actions put their company at risk? Do IT Security teams need to understand basic psychology to protect their organizations?

Recipe for a breach infographicIn the new report Recipe for a Breach: Uncontrolled Employee Access + Poor Security Habits, Preempt conducted a survey with over 200 Professionals (management level and above) at organizations with 1000+ employees with a focus of exploring employee password habits, exposure of personal credentials and bending the rules to access restricted data. The goal was to learn more about employee motivations and their security awareness and how their actions, or non-actions, could affect Enterprise IT Security.

The results reveal a risky imbalance

Employees have more access than they should and a large majority of them have poor security habits even when they think they don’t. This combination is dangerous to organizations because it leaves their business exposed. It’s a recipe for a breach. A snapshot of the survey results can be seen in this infographic.

The full report and results can be downloaded here. And Preempt has also developed a FREE tool, Preempt Lite, which can help quickly determine if an organization is vulnerable from insecure employees along with actionable data that can be acted on to reduce risk. Download Preempt Lite here.

Here’s a Snapshot of Key Takeaways:

Employees Look for Shortcuts and Find More Than They Should

It’s human nature that people want to find an easier way to do things whether it be cleaning their house or completing tasks at work. Bending the rules is a means to an end. And the motivation to access things even when we know we shouldn’t be driven by a variety of factors – whether it’s just being nosy or malicious. The survey revealed:

  • 1 out of every 3 employees admit to having bent the rules or found a security workaround in order to get something done for work – with more than 10 percent of respondents having done so regularly or on multiple occasions.
  • 25 percent of employees have tried to access data at work that they weren’t supposed to.
  • Of those 25 percent, close to 60 percent were successful at accessing that data.

The Risks: Organizations inherently trust their employees. This combined with a lack of proper access controls puts an organization at risk. The results of successfully restricted data access are startling and this should be a major concern for IT Security teams. The data exposed can put a company’s and its employees at a significant risk of damage to the business or to their reputations.

For IT Security, it shows a growing need for being able to better understand how to assess the trust and risk of employees and having real-time adaptive access controls to ensure data is protected. Gartner talks about this with CARTA, a strategic approach that pushes enterprises to embrace a continuously adaptive approach to information security.

Employees Have Poor IT Security Habits and Awareness

For many, remembering passwords is annoyingly difficult. So to make things easier, they use the same password for everything. The study also shows that many people don’t care or don’t know how to find out if their credentials were compromised in a breach. And to make matters worse, of the few that do know they were exposed to a breach many of them don’t have a clear understanding of the impact of how their breached password can put other accounts they have at risk, and what the impact might be for their employer. The survey revealed:

  • 41 percent of employees use the same passwords for personal and business accounts.
  • Nearly 80 percent don’t know or aren’t sure if their username and password were exposed in a breach.
  • Of the nearly 20 percent that did know their username and password were exposed in a recent breach, 63 percent claim they only changed their password for the account that was breached showing they are not aware of the full consequences of a password leak.

The Risks: If employees are using the same passwords for personal and business accounts this makes it easier for hackers as they can easily take over many accounts once they have obtained a single set of login credentials. A password exposed in a breach is listed in a database known to hackers and could be used in a breach attempt. The “weak” password puts the enterprise at risk until it is changed. Because so many employees use the same passwords everywhere, the enterprise is endangered by their lack of security awareness.

For IT security teams being able to proactively find weak passwords is a high priority. Forcing regular password changes for everyone has become ineffective. NIST has reset their recommendations admitting that complexity doesn’t really matter anymore. If a complex password was in a breach, it can be just as easily cracked. A password should be reset not based on some arbitrary time frame, but rather based on real-world evidence that it has been compromised. So finding better ways to identify the weak passwords in real-time and enforcing contextual password updates when they are actually needed will be more effective.

Employees are Overconfident in Their Security Habits

“I’m great!” Perhaps this a result of the Dunning-Kruger Effect? When asked how they rate their personal IT security health awareness and maintenance compared to the rest of their colleagues, people generally think they’re pretty great when their previous answers show they’re probably not.  The survey revealed:

  • 41 percent rated themselves in the top 25 percent in their organization when it comes to security awareness proving a large portion of employees think they are much more security-aware than they really are.

The Risks: The results of the survey clearly show that employees don’t completely understand their work habits and decisions put their organization (and themselves) at risk. Having overconfidence can lead to greater risks. When employees don’t understand that their behaviors and habits are risky, they aren’t likely to change them. This leaves the burden on IT Security to pick up the slack. Gaining a better understanding of identity, behavior, and risk, can help IT be more proactive at preventing threats, enforcing policies, securing access, and finding areas to reduce risk.

Do you Know if Your Company is Vulnerable From Insecure Employees?


Health Check for Enterprise Passwords, Stealthy Administrators and More

Every day, employees are using passwords remarkably similar to those in their personal accounts. Attackers know this, and use that as an opportunity to decipher passwords for their other accounts, including business accounts.

Preempt Lite is a powerful application that quickly assesses an organization’s password health, including exposure to high profile security breaches, and provides actionable results to reduce a company’s risk of a credential-based attack.

Topics: CARTA, CISO, Credential Compromise, Insider Threat, NIST, Passwords,

Posted by Preempt on November 16, 2017 5:12 AM


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More


What State-Sponsored Attacks Can Teach Us About Conditional Access

People often think that state-sponsored attacks from groups like Lazarus...

Read More


A Simplified Approach to Network Segmentation

Network segmentation has long been one of the most valuable tools for protecting ...

Read More


10 Things You Need to Know About Kerberos

As our research team continues to find vulnerabilities in Microsoft that bypass all major

Read More


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More