Employees are still ignoring cyber security best practice despite being more aware of the risks.
Cybersecurity has shot to the top of many IT leaders’ priorities over the past few months as remote working became the de facto way of doing business. Yet despite being more awareness of the security risks of working from home, employees are still showing a lax attitude when it comes to putting it into practice, according to new findings.
Security firm Trend Micro surveyed more than 13,000 remote workers across 27 countries for its latest Head in the Clouds survey, which sought to understand individuals’ attitudes towards risk in terms of cybersecurity.
Seventy-two percent of respondents claimed to have gained better cybersecurity awareness during the pandemic, with 81% agreeing that workplace cybersecurity falls partly on their shoulders. Despite this, the findings highlighted a disconnect between employees being more aware of risks and them putting this knowledge into practice.
For instance, 56% of employees admitted to using a non-work application on a work device, with 66% admitting to uploading corporate data to that application. This is despite the fact that 64% of respondents acknowledging that using non-work applications on a corporate device is a security risk.
SEE: Mobile device computing policy (TechRepublic Premium)
Similarly, 39% of respondents said they either often or always
access work data from a personal device
– almost certainly in breach of workplace security policy.
On the flipside, 80% of respondents admitted to using their work laptop for personal browsing, with only 36% restricted the types of sites they visit while doing so.
Trend also found that employees were skirting the advice of IT teams if they thought it could get the job done quicker: while 85% claimed take instructions from their IT team seriously, a third of respondents (34%) said they did not give much thought to whether the apps they use are approved by IT or not if it meant getting work done.
Additionally, 29% said they used non-work applications because they believed the solutions provided by their company were ‘nonsense’.
Trend Micro’s report report concluded that simply throwing more awareness programmes at employees “doesn’t appear to be the answer”, as the findings showed individuals were aware of the risks but still didn’t stick to the rules of their company.
Instead, tailored training programmes that account for individual employees’ values and personalities could be the answer, said Bharat Mistry, Trend Micro’s principal security strategist.
“It’s encouraging to see that so many take the advice from their corporate IT team seriously,” said Mistry.
“Having said that, there are individuals who are either blissfully ignorant or worse still who think cybersecurity is not applicable them and will regularly flouter the rules. Hence having a one size fits all security awareness programme is a non-starter as diligent employees often end up being penalised.”
Attitudes towards cybersecurity has become a key theme amongst businesses during the pandemic, with the sudden shift to home-based working throwing up a multitude of
new considerations for IT security teams
, not least a surge in the number of reported email phishing scams.
SEE: Working remotely: A professional’s guide to the essential tools (TechRepublic) (free PDF)
Return to work
There could be fresh threats on the horizon has employees return to the office, too, according to a separate survey this week from KnowBe4, which provides IT security tools for businesses as well as cybersecurity awareness training.
In a survey of 1,000 furloughed employees in the UK & Ireland, 48% said they were not worried about
finding phishing emails
in their work inbox because they expected IT to take care of them. By comparison, 37% recognized that it was there responsibility to be vigilant to scam emails and report them if necessary.
Similarly, when asked about their attitudes to sorting through work emails on their
return to the office,
47% said they planned to sort through them as quickly as possible so they could return to business as usual. This stands in contrast to the 38% of respondents who said they would take their time to go through their emails to make sure they didn’t click on any links or attachments that could be fraudulent.
KnowBe4 concluded that business leaders should be prepared to provide
security refresher courses
to employees upon their return to work, pointing out that furloughed workers might need to work through backlogs of correspondence.
“When workplaces start welcoming their employees back, they’re inevitably going to be under pressure to catch up with all their missed correspondence,” the report read.
“That pressure has the potential to introduce security liabilities, particularly as workers rush to catch up on several months of unread emails. Workplaces would therefore be wise to implement technologies that can mitigate the risk of phishing [and] to offer security training.”
Cybersecurity Insider Newsletter
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Kubernetes security guide (free PDF) (TechRepublic download)
- Information security policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)