The next cybersecurity headache: Employees know the rules but just don’t care


Employees are still ignoring cyber security best practice despite being more aware of the risks.

Cybersecurity has shot to the top of many IT leaders’ priorities over the past few months as remote working became the de facto way of doing business. Yet despite greater awareness of the security risks of working from home, employees are still showing a lax attitude when it comes to putting that awareness into practice, according to new findings.

Security firm Trend Micro surveyed more than 13,000 remote workers across 27 countries for its latest Head in the Clouds survey, which sought to understand individuals’ attitudes towards risk in terms of cybersecurity.

Seventy-two percent of respondents claimed to have gained better cybersecurity awareness during the pandemic, with 81% agreeing that workplace cybersecurity falls partly on their shoulders. Despite this, the findings highlighted a disconnect between employees being more aware of risks and them putting this knowledge into practice.

For instance, 56% of employees admitted to using a non-work application on a work device, with 66% admitting to uploading corporate data to that application. This is despite 64% of respondents acknowledging that using non-work applications on a corporate device is a security risk.


Similarly, 39% of respondents said they either often or always access work data from a personal device – almost certainly in breach of workplace security policy.

On the flipside, 80% of respondents admitted to using their work laptop for personal browsing, with only 36% restricting the types of sites they visit while doing so.

Trend also found that employees were skirting the advice of IT teams if they thought it could get the job done quicker: while 85% claimed to take instructions from their IT team seriously, a third of respondents (34%) said they did not give much thought to whether the apps they use are approved by IT or not if it meant getting work done.

Additionally, 29% said they used non-work applications because they believed the solutions provided by their company were ‘nonsense’.

Trend Micro’s report concluded that simply throwing more awareness programmes at employees “doesn’t appear to be the answer”, as the findings showed individuals were aware of the risks but still didn’t stick to the rules of their company.

Instead, tailored training programmes that account for individual employees’ values and personalities could be the answer, said Bharat Mistry, Trend Micro’s principal security strategist.

“It’s encouraging to see that so many take the advice from their corporate IT team seriously,” said Mistry. 

“Having said that, there are individuals who are either blissfully ignorant or worse still who think cybersecurity is not applicable to them and will regularly flout the rules. Hence having a one size fits all security awareness programme is a non-starter as diligent employees often end up being penalised.”

Attitudes towards cybersecurity have become a key theme amongst businesses during the pandemic, with the sudden shift to home-based working throwing up a multitude of new considerations for IT security teams, not least a surge in the number of reported email phishing scams.


Return to work

There could be fresh threats on the horizon as employees return to the office, too, according to a separate survey this week from KnowBe4, which provides IT security tools for businesses as well as cybersecurity awareness training.

In a survey of 1,000 furloughed employees in the UK & Ireland, 48% said they were not worried about finding phishing emails in their work inbox because they expected IT to take care of them. By comparison, 37% recognized that it was their responsibility to be vigilant to scam emails and report them if necessary.

Similarly, when asked about their attitudes to sorting through work emails on their return to the office, 47% said they planned to sort through them as quickly as possible so they could return to business as usual. This stands in contrast to the 38% of respondents who said they would take their time to go through their emails to make sure they didn’t click on any links or attachments that could be fraudulent.

KnowBe4 concluded that business leaders should be prepared to provide security refresher courses to employees upon their return to work, pointing out that furloughed workers might need to work through backlogs of correspondence.

“When workplaces start welcoming their employees back, they’re inevitably going to be under pressure to catch up with all their missed correspondence,” the report read.

“That pressure has the potential to introduce security liabilities, particularly as workers rush to catch up on several months of unread emails. Workplaces would therefore be wise to implement technologies that can mitigate the risk of phishing [and] to offer security training.”


Cybersecurity market grows but faces pressure amid shrinking IT budgets


Spending on cybersecurity technology rose last quarter but will dip this year due to budgetary constraints, says Canalys.


Most businesses and industries have been hurt by the coronavirus pandemic and resulting lockdown. But some have benefited due to certain side effects, such as the shift to remote working. The cybersecurity industry is one sector that has captured more revenue as organizations strive to secure their remote workforces. However, that trend isn’t likely to continue, according to a report published Tuesday by research firm Canalys.


The global cybersecurity market increased by 9.7% in the first quarter compared with the same quarter in 2019, Canalys said. The rise in spending was triggered mostly at the end of the quarter as organizations rushed to set up security for their remote workers. The total amount spent hit $10.4 billion, which includes investments in network security, endpoint security, web and email security, data security, and vulnerability and security analytics. But some areas saw more growth than others.

“The unprecedented shift to remote working from March resulted in strong demand for endpoint security to protect new company-deployed notebooks, as well as consumer-owned devices used as part of business continuity measures,” Canalys Chief Analyst Matthew Ball said in a press release. “Endpoint security shipments increased 16.9% to represent 15.4% of the total cybersecurity market. This strong growth continued into Q2, as more countries implemented lockdown measures.”

Investments in web and email security jumped by 13.8% as organizations increased their use of Microsoft Office 365 and other cloud-based services and software-as-a-service applications. However, spending on network security inched up only 4% last quarter, Ball noted. Some security hardware appliance vendors were affected by supply chain constraints. Further, many organizations managed to use their existing network access through service engagements or by boosting capacity through more licenses. Those factors reduced the need to invest in new network security infrastructure.


Many cybersecurity vendors reacted swiftly to the COVID-19 crisis, according to Canalys. Cisco extended free licenses for its Umbrella, Duo Security, and AnyConnect Secure Mobility Client products for new and existing customers. The company also unveiled a $2.5 billion Business Resiliency Program.

Palo Alto Networks kicked off a financial services arm to offer extended payment terms and provided free 90-day trials of its GlobalProtect offering. Juniper Networks offered free trials of its vSRX virtual firewall, AppSecure, IPS, and SecIntel.

Bitdefender launched 12-month free access of its product for healthcare organizations. Kaspersky made its Endpoint Security and Hybrid Cloud Security available for free to the healthcare sector. Trend Micro provided its Maximum Security product free for six months to remote workers forced to use their own devices. McAfee offered short-term, three-month burst licenses for its Endpoint Security, DLP, Unified Cloud Edge, and CASB products.

Among cybersecurity companies, Cisco was the leading vendor last quarter, capturing 9.1% of total spending. Palo Alto Networks trailed with a 7.8% market share. Fortinet upped its slice of the market to 5.9%. Check Point was the fourth biggest vendor with a 5.4% share. In fifth place, Symantec grabbed a 4.7% share.


However, the bump in spending isn’t expected to last. The cybersecurity market will face pressure as organizations trim their IT budgets due to adverse economic conditions. As such, investments in cybersecurity over the next 12 months will either be reduced or halted completely, Canalys said. This slowdown in spending is expected to carry for the rest of the year and into 2021, though some gains will come as free trials expire and customers move back to paid offerings.

“The vendors that were quick to support existing and new customers during lockdown will stand to gain the most once organizations reassess and reprioritize their cybersecurity strategies,” Canalys Research Analyst Ketaki Borade said in a press release. “Workers will be more decentralized and work from multiple workplaces post-COVID-19. This has implications for the type of cybersecurity solutions needed, with greater emphasis on cloud security, zero-trust, and policy automation.”


Intelligence-driven Cybersecurity: Now and Beyond


This year’s Cyber Insights is themed around Intelligence-driven Cybersecurity: Now and Beyond. The content and discussions will be around how to enhance Cybersecurity with advanced protection technologies and architecture that enable organizations to gain complete visibility of the threat lifecycle.

As cybercriminals seek to gain access to corporate networks, particularly in the post-perimeter era, which arises not only from digital transformation but is exacerbated by COVID-19 work-from-home imperatives, organizations must move from a reactive to a proactive security model.
