4 Truths About Risky Employee Behavior 

The vast majority of MSPs—and even their clients—treat cybersecurity with the gravity it deserves. That said, building an ironclad security stack isn’t enough to keep your customers secure. That’s because one of the biggest threats to a client’s data isn’t a hacker trying to break through their firewall—it’s their employees. Here are four truths about risky employee behavior that MSPs and their clients should be aware of.

1. There Are More Users With High-Risk Access Than You Think 

Historically, only C-suite executives and users in upper management had access to data that could be deemed high risk. This made it easier to keep a company’s most critical data secure. But that simply isn’t the case anymore. 

The CyberArk 2024 Employee Risk survey shows that while the majority of business owners, C-suite executives, and senior management users handle critical data, they are not the only ones who do. In fact, 69% of users in middle management handle critical data. This trend extends all the way through the company hierarchy, with 52% of entry-level employees handling critical data.

As far as what critical data these employees are accessing, two-thirds of the respondents surveyed say they perform actions with the tools or systems they use at work that an attacker would deem highly valuable. Of those, 40% download customer data, 33% alter critical or sensitive data, and 30% approve large financial transactions. This indicates that the majority of employees, including those working in hybrid or remote environments, could become a security risk. 

2. Busy Employees Tend To Prioritize Productivity Over Security 

This likely won’t surprise any MSP who’s ever tried getting a client and all their employees on board with dual-factor authentication, but currently, many users in the workforce view security as a hindrance. 

The majority of employees surveyed (65%) find ways around cybersecurity policies for the sake of productivity. Of those surveyed, 27% use one password for various accounts to avoid frustration, while 20% use their personal devices as Wi-Fi hotspots. The most concerning statistic about this risky employee behavior is that 52% of staff surveyed say they have shared workplace-specific confidential information with outside parties. 

3. The Dangers Of Personal Accounts 

In another research report, CyberArk’s White FAANG survey, conducted with more than 14,000 participants, roughly 63% of employees reported accessing personal accounts on their work laptops. Google was the most used platform. 

Employee logins to personal accounts on corporate devices open up a huge vulnerability. In the same place that almost all workplace communication is conducted and crucial data is exchanged, bad actors now have a new attack vector. 

Even more alarming, 80% of users surveyed also use personal devices to access workplace tools. These unsecured, unmonitored devices present a huge risk, since MSPs rarely have access to, or even the knowledge of, these devices in order to ensure they meet compliance and security standards. 

4. Employee AI Usage Is Only Going To Increase 

AI is the hottest trend in nearly every industry. Even most MSPs are utilizing it in some capacity, whether that’s in security or marketing. Other areas of AI use across industries include customer service, LLMs, finance, supply chains, and personal, everyday smart assistants.

And the majority of employees are already using AI in some capacity—72% of those surveyed say they use AI tools for work. Roughly half of the respondents say that all the AI tools they use for work are sanctioned and monitored by their organization’s MSP. Of the others utilizing AI tools, 21% say that while some tools are approved, they also use other applications, and 4% admit to using completely unapproved or unmanaged AI tools. 

Part of the risk with AI, besides creating an additional attack vector into an organization, is with the data being inputted. Critical information put into an AI tool such as an LLM is completely unsecured and runs the risk of being integrated and further utilized by that AI tool with future users.  

While organizations are attempting to combat this concern with policies, only roughly half (49%) of employees whose companies have mandated that no sensitive information can be inputted into AI tools always adhere to this policy. Instead, 28% adhere to the policies sometimes, and 8% say they never do. Worse, some respondents (9%) indicated that their company doesn’t have any policies on AI use at all. 

While there likely won’t be a one-size-fits-all solution to resolve these concerns, it’s clear that organizations, with the aid of their MSPs acting as technical advisors, must lock down and minimize these risky employee behaviors to reduce their security risk. Learn more about the risk posed by the human element in this recent Kaseya survey.

Author:

Sarah Jordan

Sarah Jordan is a staff writer at MSP Success. When she’s not reporting on trends and issues pertinent to the MSP community, you can usually find her working on her novel’s manuscript.
