Cyber awareness on the up but businesses leaving doors open for attackers to target sensitive data and assets through ‘ghost employees’



British businesses are still failing to lock down access to key, business-critical data: nearly half of UK employees have or have had access to sensitive company information, according to a new study by CyberArk. Its survey of more than 1,000 UK office workers, published today, reveals that organisations’ cyber security practices are enabling a heightened insider threat. Specifically, it found that large numbers of employees have or have had access to mission-critical company systems that should be reserved for the staff who require them:

  • Almost half (48%) of employees have or have had access to sensitive financial documents
  • 46% have or have had access to confidential HR information
  • Nearly a third (29%) have or have had direct access to company bank accounts
  • 37% have or have had access to research and development plans or blueprints for new products/services

These alarming figures show far more employees have access to critical information than is necessary and demonstrate the need for UK businesses to limit how employees access sensitive data in order to better protect themselves and their customers.

Beware ghost employees

As seen in nearly every recent major cyber breach, from Uber to SingHealth, credential theft remains the most common and effective route to a successful cyber-attack. A lax approach to protecting high-value ‘privileged’ accounts directly elevates the risk of such an attack, or of a major data breach, should employees’ credentials be harvested. Managing privilege is therefore essential, but, according to the study, many British businesses are failing to lock down these key accounts following changes in personnel. One in five (21%) office workers admitted leaving a job with login details for at least one confidential company system, such as its internal servers, financial performance data or HR databases. This potentially allows ‘ghost’ employees - former staff members with working login details and credentials - unauthorised access to sensitive company data outside the organisation’s security purview.

These ‘ghost’ individuals pose a substantial threat, according to Rich Turner, VP EMEA at CyberArk: “Ghost employees are a major concern for any organisation – they not only elevate the risk of key company applications, tools and data being breached in the event of a cyber-attack, but also provide a potential route for disgruntled employees or rival businesses to manipulate existing data, causing serious administrative and financial damage.

“These findings are symptomatic of the misguided cyber spending habits of UK PLC. We continue to devote huge sums to perimeter defences when the smarter approach is to assume the inevitable – that attacks will get in – and ensure that their access to sensitive assets and data is contained.”
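A defender-side check for the ‘ghost employee’ condition described above, added here as an example and not part of the CyberArk study: it reconciles a constructed HR leavers export against a constructed identity-provider account export and flags still-enabled accounts belonging to departed staff, ranking those in privileged groups first. Field names, group names and dates are assumptions.

```python
from datetime import date

# Constructed sample data (assumed export formats, not from the survey).
# HR leavers export: who has left and when.
LEAVERS = [
    {"employee_id": "E1001", "leave_date": date(2024, 3, 31)},
    {"employee_id": "E1002", "leave_date": date(2024, 5, 15)},
    {"employee_id": "E1003", "leave_date": date(2024, 9, 1)},
]
# Identity-provider export: accounts, their owner, state, groups and last sign-in.
ACCOUNTS = [
    {"username": "a.smith", "employee_id": "E1001", "enabled": True,
     "groups": ["Finance-Admins"], "last_login": date(2024, 6, 2)},
    {"username": "b.jones", "employee_id": "E1002", "enabled": False,
     "groups": ["HR-Readers"], "last_login": date(2024, 5, 10)},
    {"username": "c.lee", "employee_id": "E1003", "enabled": True,
     "groups": ["Staff"], "last_login": date(2024, 8, 20)},
    {"username": "d.patel", "employee_id": "E2001", "enabled": True,
     "groups": ["Finance-Admins"], "last_login": date(2024, 6, 3)},
]
# Assumed names of groups that grant privileged access.
PRIVILEGED_GROUPS = {"Finance-Admins", "HR-Admins", "Domain Admins"}


def find_ghost_accounts(accounts, leavers, today):
    """Return enabled accounts whose owner left on or before `today`.

    Each finding records whether the account sits in a privileged group and
    whether it was used after the leave date (a sign the credential is live).
    """
    left_on = {l["employee_id"]: l["leave_date"]
               for l in leavers if l["leave_date"] <= today}
    findings = []
    for acct in accounts:
        leave_date = left_on.get(acct["employee_id"])
        if leave_date is None or not acct["enabled"]:
            continue  # still employed, or already deprovisioned
        findings.append({
            "username": acct["username"],
            "days_since_leaving": (today - leave_date).days,
            "privileged": bool(set(acct["groups"]) & PRIVILEGED_GROUPS),
            "used_after_leaving": acct["last_login"] > leave_date,
        })
    # Privileged ghosts first, then the longest-outstanding ones.
    findings.sort(key=lambda f: (not f["privileged"], -f["days_since_leaving"]))
    return findings


if __name__ == "__main__":
    for finding in find_ghost_accounts(ACCOUNTS, LEAVERS, date(2024, 8, 31)):
        print(finding)
```

Running the audit on a schedule and feeding the findings to the offboarding process closes the gap the survey describes; an account that is both privileged and used after the leave date warrants immediate disablement and review.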

Being cyber-sensible, but risk remains

However, the study did reveal that employees are developing a more involved approach to cybersecurity, showing that cyber education is having a positive effect and that British businesses can look forward to a more secure future. Nearly four in five (79%) office workers would immediately admit to IT if they opened a malicious attachment, while three quarters (75%) would voice their concerns if they didn’t understand communications from IT about security. This more involved approach to security is increasing their faith in their IT teams, with nearly three in four (74%) confident that their security team is effectively protecting the wider organisation against threats.

However, this confidence contrasts with the behaviour of many existing employees, who are still exhibiting poor cyber practices. Large numbers are still failing to admit their cyber indiscipline to their security teams, according to CyberArk’s survey: it found that more than half (54%) don’t admit when they let colleagues use their login details, and 45% don’t inform their IT team when they download an unauthorised app onto their work device. Such behaviours are significantly increasing their employers’ risk exposure by leaving their IT systems and accounts vulnerable to the escalation of privileges during a subsequent attack.

Securing the future of the workplace

As well as assessing office workers’ current approach to cybersecurity, the study also explored how evolutions in workplace habits and technologies are changing the security landscape. Encouragingly, it revealed that many organisations are beginning to integrate cutting-edge new security technologies into their strategies, with nearly one in five (19%) office workers reporting that their IT security team is experimenting with biometric security techniques, including fingerprint and retinal scans and embedded microchips.

Nonetheless, despite firms demonstrating a willingness to experiment with new forms of authentication, securing innovative new platforms remains a challenge. Smart devices are a particular cause for concern, with 40% of employees reporting that their IT security team is failing to effectively secure IoT and BYOD devices, providing attackers with another privileged pathway to exploit. As these technologies become more prevalent, it is vital that their access to company tools and applications is managed in the same way as any other device within a corporate network.

Summarising the findings, David Higgins, Director of Customer Development EMEA at CyberArk, commented: “Whether for new wearable devices or more established business development, HR or payroll systems, a lack of credentials management means UK organisations remain vulnerable to the seizure of critical company IP through credentials-based attacks. Forging a more secure digital future begins with adopting an effective privileged access management policy, which limits individuals’ ability to escalate privileges and subsequently reduces their access to sensitive systems – ultimately reducing the number of vectors attackers can seek to exploit.”