People have picked up bad cybersecurity habits while working from home

A new report from Tessian claims that most IT leaders (56 percent) believe their employees have picked up bad cybersecurity behaviours since working from home. As organisations make plans for the post-pandemic hybrid workforce, Tessian’s Back to Work Security Behaviours report highlights how security behaviours have shifted during the past year.

According to the report, younger employees are most likely to admit they cut cybersecurity corners, with over half (51 percent) of 16-24 year olds and almost half (46 percent) of 25-34 year olds reporting they’ve used security workarounds.

In addition, two in five (39 percent) say the cybersecurity behaviours they practice while working from home differ from those practiced in the office, with half admitting it’s because they feel they were being watched by IT departments. IT leaders are optimistic about the return to office, though, with 70 percent believing staff will more likely follow company security policies around data protection and privacy. However, only 57 percent of employees think the same.

Security pitfalls

After addressing employee security behaviours while working remotely, IT leaders face a new set of challenges with security threats posed by a hybrid workforce, as lockdowns ease and the lines between personal and professional lives blur:

• Dodgy devices: Over half of IT leaders (54 percent) are concerned that staff will bring infected devices and malware into the workplace. And their apprehension is founded: 40 percent of employees say they plan to work from personal devices in the office.
• Ransomware rising: The majority of IT leaders (69 percent) believe that ransomware attacks will be a greater concern in a hybrid workplace, with legal firms and healthcare organisations particularly concerned about this threat.
• The age of phishing: Over two-thirds of IT decision makers (67 percent) predict an increase in targeted phishing emails in which cybercriminals take advantage of the transition back to the office, adding to the rapidly growing number of phishing attacks faced by organisations (the FBI claims that phishing attacks doubled in frequency last year).
• Failure (or fear) to report cybersecurity mistakes: Over one quarter of employees admit they made cybersecurity mistakes — some of which compromised company security — while working from home that they say no one will ever know about. More than one quarter (27 percent) say they failed to report cybersecurity mistakes because they feared facing disciplinary action or further required security training. In addition, just half of employees say they always report to IT when they receive or click on a phishing email.
• Return to business travel: As lockdown restrictions are lifted, six in 10 IT leaders think the return to business travel will pose greater cybersecurity challenges and risks for their company. These risks could include a rise in phishing attacks whereby threat actors impersonate airlines, booking operators, hotels or even senior executives supposedly on business trips. There is also the risk that employees accidentally leave devices on public transport or expose company data in public places.

[perfectpullquote align=”right” bordertop=”false” cite=”” link=”” color=”” class=”” size=””]”Employees are the gatekeepers to data and systems”[/perfectpullquote]

As cybersecurity will be mission-critical in the new work environment, it’s encouraging that 67 percent of surveyed IT decision makers report that they have a seat at the table when it comes to office reopening plans in their organisations. The organisations and IT leaders that address risky human behaviours and corresponding security threats will thrive in a hybrid work model.

“The shift to an all-remote workforce was a huge challenge for IT leaders, but the next transition to a hybrid work model is set to be even more challenging – particularly when it comes to employees’ behaviours,” said Tim Sadler, co-founder and CEO of Tessian.

“Employees are the gatekeepers to data and systems but expecting them to be security experts and scaring them into compliance won’t work. IT leaders need to prioritise building a security culture that empowers people to work securely and productively, and understand how to encourage long-lasting behavioural change overtime, if they’re going to thrive in this new way of working.”

Image by TheDigitalWay