A Disconnect Between Enterprises And Vendors Is Leaving Workforces Vulnerable To Cyberthreats, Kaspersky Finds

By Chris Hurst, Kaspersky UK&I General Manager

Nearly six out of 10 security leaders admit they find it difficult to action the insights their security vendors provide, cybersecurity expert Kaspersky has found. Additionally, a similar percentage believe the information they’re provided is irrelevant to their organisation.

These concerning statistics are just two that Kaspersky found during its research into the communication gap that exists between enterprises and vendors, resulting in a cycle of unprotected infrastructure and lack of progressive insight. It is clear that change is required.

Kaspersky found decision-makers (63%) feel the information they’re provided with by vendors is too complicated for them to convey to other areas of the business. In addition, 60% said that trying to convey such information throughout the business would require too much time and resource.

More than eight out of 10 cybersecurity decision-makers – namely CISOs (Chief Information Security Officers) – said they wanted to work with vendors that could help demystify cybersecurity for their organisations. Kaspersky surveyed more than 240 CISOs and other professionals in executive roles for companies employing more than 250 people. Kaspersky also canvassed the security attitudes of 2,000 UK adults who work full time, in varying industries and levels of seniority. The results not only showed existing communication challenges, but the consequences of this disconnect between vendors and enterprises.

More than a quarter of UK workers admitted to having downloaded unauthorised software, bypassing their company’s security measures to do so. More worryingly, 30% of employees admitted to connecting to mobile hotspots, while a similar figure confessed to not understanding the security measures set out by their employers.

The Root of The Message Disconnect

It is clear there is a communication disconnect between security vendors and businesses, and between security leaders within an organisation and the wider workforce. This lapse in communication means that vendors are inadvertently not providing businesses with key information and services that they require. It also means that businesses can’t communicate to vendors their precise needs and requirements, creating a ‘loop’ in the enterprise disconnect. However, 58% of decision-makers claim this disconnect exists due to vendors not understanding the threats their companies face.

There appears to be a cycle between vendors and employers, leaving businesses exposed via a combination of businesses lacking tailored defence, and vendors struggling to provide this without clear and actionable insight. However, the cycle can be broken, and it must be, given the unprecedented rise of remote working amid the pandemic and its likelihood of remaining for many years.

Last March, during the start of lockdown restrictions, reports revealed that human error was the cause of 90% of cyber data breaches in 2019 – a problem that seems only likely to deepen, as employees are given more autonomy while working with company-provided devices outside of the security perimeters in the office.

Another increasing security risk to businesses is worker reactions to increased employer surveillance. Kaspersky has found that almost half (44%) of home workers have had monitoring software installed on their work-provided devices; in response, nearly a quarter of UK remote workers now use their own devices for work to avoid being watched by their bosses, ushering in a worrying rise in shadow IT.

This is particularly concerning given that more than half of cybersecurity leaders admit their business has experienced increased threat levels due to workforces working remotely, and that a third of workers deem their employer’s security protocols as less important when working from home.

So, how can this cycle be broken? The answer lies primarily in education, and it begins with stronger collaboration between enterprises and vendors, and teaching workforces how they can protect their devices, especially when working remotely. Steps to protecting staff from cyber threats include:

  • Ensure remote working employees are using a corporate VPN
  • Enforce strong passwords, updated when needed
  • Carry out regular updates on devices
  • Encrypt important data, and back up this data regularly
  • Make sure all data is stored by employees in one place, as this makes it easier to retrieve data if a system is compromised

Principal security researcher at Kaspersky, David Emm, summarises: “These results highlight an alarming disconnect between vendors and enterprises, leading to flaws in cyber-defences and a lack of the right technologies being harnessed to ensure strong cybersecurity posture. However, this can be reversed with better communication and understanding of what enterprises require in order to protect their sensitive data, and it is up to the vendor community to drive this change.

“In the immediacy, amid remote working, keeping valuable assets protected, as well as employee education and empowerment, are of vital importance, alongside protecting all employee devices with comprehensive security software. With many employers ruling out office working in 2021 altogether, businesses can’t afford not to get remote working security right.”