The large-scale shift to remote work has contributed to more acute cyber security awareness among employees, but organizations should adopt a more personalized approach since bad habits persist and no two employees are the same, a recently released survey of thousands of workers in nearly 30 countries has found.
According to the study by cyber security solution company Trend Micro, 72% of remote workers are more aware of their organization's data handling and cyber security policies since COVID-19 social distancing restrictions were imposed.
The survey titled "Head in the Clouds" also found that 85% of respondents claim they take instructions from their IT team seriously, while 81% believe that they bear partial responsibility for cybersecurity within their organization, and 64% acknowledge that the use of non-work applications on a corporate device constitutes a security risk.
However, the study found some remote workers are not sticking to the rules, with 80% of respondents using their work laptop for personal browsing; 56% using a non-work application on a corporate device, and 66% having uploaded corporate data to that application; 39% often or always accessing corporate data from a personal device; only 36% fully restricting the sites they visit; and 7% accessing the dark web.
Also, 34% said that they do not give much thought to whether the apps they use are sanctioned by IT or not, as they just want the job done, and 29% think they can get away with using a non-work application, as the solutions provided by their company are insufficient.
“In today’s interconnected world, unashamedly ignoring cybersecurity guidance is no longer a viable option for employees,” said Bharat Mistry, principal security strategist for Trend Micro. “It’s encouraging to see that so many take the advice from their corporate IT team seriously.”
“Having said that, there are individuals who are either blissfully ignorant or worse still who think cybersecurity is not applicable to them and will regularly flout the rules. Hence having a one-size-fits-all security awareness program is a non-starter as diligent employees often end up being penalized. A tailored training program designed to cater to employees may be more effective.”
Trend Micro's findings were based on a total of 13,200 interviews across 27 countries.
The study also classified four types of employees in terms of cybersecurity: fearful ones who are anxious about doing something wrong, highly accountable for their behavior, but not always aware of the cyber risks; conscientious ones who understand the risks, take proactive steps to deal with risk, are highly accountable for their behavior, and mindful of their role; ignorant ones who have a distinct lack of cybersecurity awareness, lack accountability for their behavior, regularly take risks and don't understand the significance of their actions; and daredevil employees who lack any diligence, have no accountability for their behavior, are reckless, and believe that responsibility for cybersecurity lies elsewhere.
"By understanding that no two employees are the same, security leaders can tailor their approach in a more nuanced way. Splitting staff into four camps should ensure a more personalized approach than the one-size-fits-all training sessions most organizations run today," security strategist Mistry said.