A new report from human layer security company Tessian reveals that most IT leaders (56%) believe their employees have picked up bad cybersecurity behaviors since working from home. As organizations make plans for the post-pandemic hybrid workforce, Tessian’s Back to Work Security Behaviors report reveals how security behaviors have shifted during the past year, the challenges as organizations transition to a hybrid work model, and why a fundamental shift in security priorities is required.
Cutting Cybersecurity Corners at Home
According to the report, younger employees are most likely to admit they cut cybersecurity corners, with over half (51%) of 16-24 year olds and almost half (46%) of 25-34 year olds reporting they’ve used security workarounds.
In addition, two in five (39%) say the cybersecurity behaviors they practice while working from home differ from those practiced in the office, with half admitting it’s because they feel they were being watched by IT departments. IT leaders are optimistic about the return to office, though, with 70% believing staff will more likely follow company security policies around data protection and privacy. However, only 57% of employees think the same.
Security Pitfalls in a Hybrid Workforce
After addressing employee security behaviors while working remotely, IT leaders face a new set of challenges with security threats posed by a hybrid workforce, as lockdowns ease and the lines between personal and professional lives blur:
• Dodgy devices: Over half of IT leaders (54%) are concerned that staff will bring infected devices and malware into the workplace. And their apprehension is founded: 40% of employees say they plan to work from personal devices in the office.
• Ransomware rising: The majority of IT leaders (69%) believe that ransomware attacks will be a greater concern in a hybrid workplace, with legal firms and healthcare organizations particularly concerned about this threat.
• The age of phishing: Over two-thirds of IT decision makers (67%) predict an increase in targeted phishing emails in which cybercriminals take advantage of the transition back to the office, adding to the rapidly growing number of phishing attacks faced by organizations (the FBI found that phishing attacks doubled in frequency last year).
• Failure (or fear) to report cybersecurity mistakes: Over one quarter of employees admit they made cybersecurity mistakes — some of which compromised company security — while working from home that they say no one will ever know about. More than one quarter (27%) say they failed to report cybersecurity mistakes because they feared facing disciplinary action or further required security training. In addition, just half of employees say they always report to IT when they receive or click on a phishing email.
• Return to business travel: As lockdown restrictions are lifted, six in 10 IT leaders think the return to business travel will pose greater cybersecurity challenges and risks for their company. These risks could include a rise in phishing attacks whereby threat actors impersonate airlines, booking operators, hotels or even senior executives supposedly on business trips. There is also the risk that employees accidentally leave devices on public transport or expose company data in public places.
As cybersecurity will be mission-critical in the new work environment, it’s encouraging that 67% of surveyed IT decision makers report that they have a seat at the table when it comes to office reopening plans in their organizations. The organizations and IT leaders that address risky human behaviors and corresponding security threats will thrive in a hybrid work model.
“The shift to an all-remote workforce was a huge challenge for IT leaders, but the next transition to a hybrid work model is set to be even more challenging - particularly when it comes to employees’ behaviors,” said Tim Sadler, co-founder and CEO of Tessian. “Employees are the gatekeepers to data and systems but expecting them to be security experts and scaring them into compliance won’t work. IT leaders need to prioritize building a security culture that empowers people to work securely and productively, and understand how to encourage long-lasting behavioral change overtime, if they’re going to thrive in this new way of working.”