PA life
Roccabella

1 in 3 employees has picked up bad cybersecurity habits since WFH

A new report from human layer security companyย Tessianย reveals that most IT leaders (56%) believe their employees have picked up bad cybersecurity habits since working from home.

As organisations make plans for the post-pandemic hybrid workforce, Tessianโ€™sย Back to Work Security Behaviorsย report reveals how security behaviours have shifted during the past year, the challenges as organisations transition to a hybrid work model, and why a fundamental shift in security priorities is required.

Cutting Cybersecurity Corners at Home
According to the report, younger employees are most likely to admit they cut cybersecurity corners, with over half (51%) of 16-24 year olds and almost half (46%) of 25-34 year olds reporting theyโ€™ve used security workarounds.

In addition, two in five (39%) say the cybersecurity behaviours they practice while working from home differ from those practiced in the office, with half admitting itโ€™s because they feel they were being watched by IT departments. IT leaders are optimistic about the return to office, though, with 70% believing staff will more likely follow company security policies around data protection and privacy. However, only 57% of employees think the same.

Security Pitfalls in a Hybrid Workforce
After addressing employee security habits while working remotely, IT leaders face a new set of challenges with security threats posed by a hybrid workforce, as lockdowns ease and the lines between personal and professional lives blur:

  • Dodgy devices: Over half of IT leaders (54%) are concerned that staff will bring infected devices and malware into the workplace. And their apprehension is founded: 40% of employees say they plan to work from personal devices in the office.
  • Ransomware rising: The majority of IT leaders (69%) believe that ransomware attacks will be a greater concern in a hybrid workplace, with legal firms and healthcare organizations particularly concerned about this threat.
  • The age of phishing: Over two-thirds of IT decision makers (67%) predict an increase in targeted phishing emails in which cybercriminals take advantage of the transition back to the office, adding to the rapidly growing number of phishing attacks faced by organizations (the FBIย foundthat phishing attacks doubled in frequency last year).
  • Failure (or fear) to report cybersecurity mistakes: Over one quarter of employees admit they made cybersecurity mistakes โ€” some of which compromised company security โ€” while working from home that they say no one will ever know about. More than one quarter (27%) say they failed to report cybersecurity mistakes because they feared facing disciplinary action or further required security training. In addition, just half of employees say they always report to IT when they receive or click on a phishing email.
  • Return to business travel: As lockdown restrictions are lifted, six in 10 IT leaders think the return to business travel will pose greater cybersecurity challenges and risks for their company. These risks could include a rise in phishing attacks whereby threat actors impersonate airlines, booking operators, hotels or even senior executives supposedly on business trips. There is also the risk that employees accidentally leave devices on public transport or expose company data in public places.

As cybersecurity will be mission-critical in the new work environment, itโ€™s encouraging that 67% of surveyed IT decision makers report that they have a seat at the table when it comes to office reopening plans in their organizations. The organisations and IT leaders that address risky human behaviors and corresponding security threats will thrive in a hybrid work model.

โ€œThe shift to an all-remote workforce was a huge challenge for IT leaders, but the next transition to a hybrid work model is set to be even more challenging – particularly when it comes to employeesโ€™ behaviors,โ€ said Tim Sadler, co-founder and CEO of Tessian.

โ€œEmployees are the gatekeepers to data and systems but expecting them to be security experts and scaring them into compliance wonโ€™t work. IT leaders need to prioritise building a security culture that empowers people to work securely and productively, and understand how to encourage long-lasting behavioural change overtime, if theyโ€™re going to thrive in this new way of working.โ€