Cybersecurity has always been a big priority in IT, but the global pandemic has created endless extra headaches for IT managers as remote working became a necessary routine around the world. According to a new study, many organizations, despite having good practice and awareness embedded in an office environment, discovered that employees quickly slipped into relaxed attitudes when working from home.
UK-based security firm Trend Micro interviewed 13,000 remote workers in more than 25 countries for their recent survey, in an attempt to understand attitudes towards risk in terms of cybersecurity.
The results of the survey were contradictory and alarming. More than 70% said their cybersecurity awareness was better during the pandemic, and 82% claimed they fully understood their increased responsibility for cybersecurity when working from home. But despite this knowledge, the results revealed a massive gap between employees being more aware of risks and actually putting this knowledge into practice.
For example, just over half the employees surveyed admitted to using non-work applications on a work device and over sixty percent admitted uploading some kind of corporate data to an unapproved application. All this was despite the fact that almost all of those surveyed admitted knowing that using non-work applications on corporate devices was a high security risk. Thirty-nine percent said they frequently or always accessed work data from their personal device – almost certainly in breach of an organizational security policy.
The survey also revealed that employees were ignoring corporate IT policy and guidelines if they thought they could get the job done quicker by, for example, using an unapproved app. Almost 30% of respondents said they installed unapproved apps because they did not believe the solutions provided by the organization were practical. Although 85% said they took corporate IT instructions and cybersecurity very seriously, 34% admitted they had not really put this into practice when it came to getting the job done. To compound the security risk, a staggering 80% admitted to using their work laptop for personal browsing, with only a third being knowingly careful to restrict the sites they visited.
The Trend Micro report concluded that simply issuing awareness instructions or blanket security training for employees was not the solution. Individuals knew the risks but still did not adhere to company rules because they were unmonitored and felt it was justified to use initiative to get results. Instead, Bharat Mistry, Trend Micro’s principal security strategist, recommended small, personalized training programs adapted to individual employees’ needs coupled with a shift in company values to support security.
There were, across all sectors, individuals who appeared ignorant of the rules or considered that cybersecurity did not apply to them. Generally, employees in public sector organizations and NGOs were more likely to adhere to cybersecurity best practices than those in the private corporate sector. This is why repeating a security awareness program was not the solution: “An organization that heralds the ideal of individual creativity in problem solving will always struggle to enforce rules that try to cap this freedom. Far better to ensure individual awareness and look at a program to support creativity than to block it.”
The problems of cybersecurity have become an urgent and unplanned theme among organizations during the pandemic, with the sudden shift to home-based working creating new lines of IT support and new considerations for cybersecurity teams, not least a sharp increase in the number of reported email phishing scams.
When employees return to the office, who knows what new threats may appear? According to a recent survey of 1000 furloughed employees in the UK and Ireland by KnowBe4, which provides IT security and training for businesses, 48% said they were not worried about finding phishing emails in their work inbox because they expected IT to take care of them; however, they were always concerned about finding them in their personal email. Less than 40% believed it was their responsibility to spot and report scam emails. When asked about sorting through work emails on their return to the office, 47% said they would get through them as quickly as possible so they could return to business as usual. Only 38% of participants said they would proceed with caution to make sure they did not click on any links or attachments that could be scams.
KnowBe4 warned that IT managers should be ready to give security refresher instructions to employees upon their return to work, before they are allowed to tackle what will undoubtedly be a huge backlog of correspondence for many.