The next cybersecurity headache: Employees know the rules but just don’t care
By Owen Hughes
Employees are still ignoring cybersecurity best practice despite being more aware of the risks. Cybersecurity has shot to the top of many IT leaders’ priorities over the past few months as remote working became the de facto way of doing business. Yet despite more awareness of the security risks of working from home, employees are still showing a lax attitude when putting it into practice, according to new findings.
Security firm Trend Micro surveyed more than 13,000 remote workers across 27 countries for its latest Head in the Clouds survey, which sought to understand individuals’ attitudes towards risk in terms of cybersecurity.
Seventy-two percent of respondents claimed to have gained better cybersecurity awareness during the pandemic, with 81% agreeing that workplace cybersecurity falls partly on their shoulders. Despite this, the findings highlighted a disconnect between employees being more aware of risks and putting this knowledge into practice. For instance, 56% of employees admitted to using a non-work application on a work device, with 66% of those admitting to uploading corporate data to that application. This is despite 64% of respondents acknowledging that using non-work applications on a corporate device is a security risk.
Similarly, 39% of respondents said they either often or always access work data from a personal device, almost certainly in breach of workplace security policy. On the flipside, 80% of respondents admitted to using their work laptop for personal browsing, with only 36% restricting the types of sites they visit while doing so. Trend also found that employees were skirting the advice of IT teams if they thought it could get the job done quicker: while 85% claimed they take instructions from their IT team seriously, a third of respondents (34%) said they did not give much thought to whether the apps they use are approved by IT if it meant getting work done. Additionally, 29% said they used non-work applications because they believed the solutions provided by their company were ‘nonsense’.
Trend Micro’s report concluded that simply throwing more awareness programmes at employees “doesn’t appear to be the answer”, as the findings showed individuals were aware of the risks but still didn’t stick to the rules of their company. Instead, tailored training programmes that account for individual employees’ values and personalities could be the answer, said Bharat Mistry, Trend Micro’s principal security strategist. “It’s encouraging to see that so many take the advice from their corporate IT team seriously,” said Mistry.
“Having said that, there are individuals who are either blissfully ignorant or worse still who think cybersecurity is not applicable to them and will regularly flout the rules. Hence having a one-size-fits-all security awareness programme is a non-starter as diligent employees often end up being penalised.”
Attitude towards cybersecurity has become a key theme amongst businesses during the pandemic, with the sudden shift to home-based working throwing up a multitude of new considerations for IT security teams, not least a surge in the number of reported email phishing scams.
Return to work
There could be fresh threats on the horizon as employees return to the office, too, according to a separate survey this week from KnowBe4, which provides IT security tools for businesses as well as cybersecurity awareness training. In a survey of 1,000 furloughed employees in the UK & Ireland, 48% said they were not worried about finding phishing emails in their work inbox because they expected IT to take care of them. By comparison, 37% recognised that it was their responsibility to be vigilant to scam emails and report them if necessary. Similarly, when asked about their attitudes to sorting through work emails on their return to the office, 47% said they planned to sort through them as quickly as possible so they could return to business as usual. This stands in contrast to the 38% of respondents who said they would take their time going through their emails to make sure they didn’t click on any links or attachments that could be fraudulent.
KnowBe4 concluded that business leaders should be prepared to provide security refresher courses to employees upon their return to work, pointing out that furloughed workers might need to work through backlogs of correspondence. “When workplaces start welcoming their employees back, they’re inevitably going to be under pressure to catch up with all their missed correspondence,” the report read. “That pressure has the potential to introduce security liabilities, particularly as workers rush to catch up on several months of unread emails. Workplaces would therefore be wise to implement technologies that can mitigate the risk of phishing [and] to offer security training.”