Realizing cybersecurity risks does not mean sticking to the rules

72% of remote workers say they are more conscious of their organization’s cybersecurity policies since lockdown began, but many are breaking the rules anyway due to limited understanding or resource constraints, Trend Micro reveals.

The study is distilled from interviews with 13,200 remote workers across 27 countries on their attitudes towards corporate cybersecurity and IT policies. It reveals that there has never been a better time for companies to take advantage of heightened employee security awareness.

The survey reveals that the approach businesses take to training is critical to ensure secure practices are being followed.

High level of security awareness

The results indicate a high level of security awareness, with 85% of respondents claiming they take instructions from their IT team seriously, and 81% agree that cybersecurity within their organization is partly their responsibility. Additionally, 64% acknowledge that using non-work applications on a corporate device is a security risk.

However, just because most people understand the risks does not mean they stick to the rules.

For example:

• 56% of employees admit to using a non-work application on a corporate device, and 66% of them have actually uploaded corporate data to that application.
• 80% of respondents confess to using their work laptop for personal browsing, and only 36% of them fully restrict the sites they visit.
• 39% of respondents say they often or always access corporate data from a personal device – almost certainly breaking corporate security policy.
• 8% of respondents admit to watching / accessing porn on their work laptop, and 7% access the dark web.

Productivity still wins out over protection

Productivity still wins out over protection for many users. 34% of respondents agree that they do not give much thought to whether the apps they use are sanctioned by IT or not, as they just want the job done. Additionally, 29% think they can get away with using a non-work application, as the solutions provided by their company are ‘nonsense.’

Dr Linda Kaye, Cyberpsychology Academic at Edge Hill University explains: “There are a great number of individual differences across the workforce. This can include individual employee’s values, accountability within their organization, as well as aspects of their personality, all of which are important factors which drive people’s behaviors.

“To develop more effective cybersecurity training and practices, more attention should be paid to these factors. This, in turn, can help organizations adopt more tailored or bespoke cybersecurity training with their employees, which may be more effective.”

Rik Ferguson, Vice President of Security Research at Trend Micro, argues: “It’s really heartening to see that so many people take the advice from their corporate IT team seriously, although you have to wonder about the 15% who don’t… At the same time those people also accept their own role in the human firewall of any organization.

“The problem area seems to be translating that awareness into concrete behavior. To reinforce this, organizations to take into account the diversity across the organization and tailor training to identify and address these distinct behavioral groups.

“The time to do this is now, to take advantage of the new working environment and people’s newfound recognition of the importance of information security.”