How Cybersecurity Habits Of Returning Remote Workers Can Put Companies At Risk
The millions of employees who have worked remotely because of Covid and are now returning to the office on a full-time or hybrid basis could also bring their bad cybersecurity habits with them, putting companies at greater risk for cyber-related crisis situations.
A new survey released today by Tessian, an email security company, found that:
- A majority of IT leaders (56%) believed their employees have picked up bad cybersecurity behaviors since working from home.
- Sixty-nine percent of the leaders said ransomware attacks will be a greater concern in a hybrid workplace.
- Over half (54%) were concerned that staff will bring infected devices and malware into the workplace. And their apprehension appeared to be founded—40% of employees said they plan to work from personal devices in the office.
The poll was conducted for Tessian by OnePoll, which surveyed 4,000 working professionals and 200 IT leaders in the U.S. and UK in May 2021.
Leaders Too Optimistic?
Tessian’s report about the survey asked, “So will the shift back into an office environment result in safer security practices? 70% of IT leaders seem to think so, believing that staff will be more likely to follow company security policies around data protection and data privacy while working in the office.
“Yet, they could be overly optimistic; 57% of employees think the same. Is this because they’ve simply forgotten company security policies and protocols and need a refresh? Or did they never really know them in the first place?”
Ransomware Tactics
The report noted that, “Threat actors are manipulating human behavior to successfully hack an organization. Ransomware campaigns such as Avaddon, for example, prey on people’s insecurities and vanity, using convincing email subject lines to trick people into opening a message that claims to contain a photo of themselves. Once an attachment is opened, ransomware is downloaded and infected devices display a ransom demand that must be paid in order to gain the software needed to retrieve their files.
“Stop phishing, business email compromise, account takeover attacks and social engineering scams, and you significantly reduce the risk of ransomware,” it said.
Employee Mistakes Threaten Cybersecurity
What employees said about their cybersecurity habits won’t provide any comfort to business leaders.
Tessian CEO Tim Sadler said, “One of the most shocking and alarming [survey] findings is how little employees report cybersecurity mistakes. Over a quarter of employees admit to making mistakes that compromised company security while working from home—mistakes they say no one will ever know about.
“What’s more, only half said they always report to IT when they receive or click on a phishing email. The reason? 27% said they feared facing disciplinary action or being required to take more security training,” he said.
What Businesses Need To Understand
Sadler warned, “This is a huge problem. Businesses need to understand when, and why, people make mistakes so they can prevent them from turning into data breaches—but that isn’t possible without visibility into when and how these mistakes occur. Within a hybrid work environment, where employees are distributed across the country and even globally, visibility into employee behavior becomes more difficult but all the more important.”
Advice For Corporate Executives
Culture Matters
Sadler observed, “...it’s up to business leaders to create a culture that empowers people to work securely and productively, and one that makes space for them to come forward with security issues or mistakes.
The Biggest Vulnerabilities
“Consider where your biggest vulnerabilities lie in a hybrid work model, and build a security strategy with people at the heart. People are the gatekeepers to every organization’s data and systems, so plans to secure a hybrid workforce should empower people to work securely and productively. Security shouldn’t get in the way of people getting their jobs done,” he counseled.
A Business-Critical Issue
Sadler advised, “... make sure IT and security leaders are involved in office reopening plans. Security is now a business-critical issue — it can make or break an organization — so it’s encouraging to see that 67% of IT decision makers in our survey do have a seat at the table.”
Encourage Long-Lasting Behavior
He said business leaders should, “...flip security training on its head so that it’s no longer viewed as a punishment or a check-the-box exercise, and instead builds self-efficacy in employees. This is the only way to encourage long-lasting behavior change and improve the security posture of your company.
“For example, tailor phishing exercises to the specific employee or department, and arm staff with tools and knowledge they need to make smart cybersecurity decisions…when a threat arises. This is especially important in a hybrid environment, when employees cannot always verify requests with their colleagues directly,” he concluded.
Reproduced from: How Cybersecurity Habits Of Returning Remote Workers Can Put Companies At Risk (forbes.com)