A report on employee cybersecurity practices found that most workers took cybersecurity shortcuts despite knowing the risks involved.
ThycoticCentrify, a cloud identity security solutions provider, commissioned a report that polled 8,041 knowledge workers in 15 countries across different parts of the world during the remote working period.
The report also found that small and medium-sized businesses (SMBs) sacrificed cybersecurity for productivity.
The authors identified a disconnect between the employees’ understanding of various cybersecurity risks and their behaviors while executing their daily tasks.
Workers take cybersecurity shortcuts because they feel they are not important
More than three-quarters (79%) of employees took cybersecurity shortcuts during the remote working period despite being aware of the security risks involved.
The report found that a third (33%) of employees saved their passwords on browsers in the last year, a similar number (32%) connected to public Wi-Fi, and nearly a quarter (23%) recycled passwords across multiple sites.
Similarly, nearly a quarter (23%) used personal devices on the corporate network, 18% used a password for personal use in a work context, 13% visited unauthorized websites, and a similar number shared credentials with colleagues.
These employees engaged in risky behaviors despite being aware that individual actions like clicking on links from unknown sources or sharing credentials exposed their organizations to cybersecurity risks.
According to the report, these employees behaved this way because they felt that they were not “important enough” to worry about cybersecurity or be targeted.
While most workers acknowledged the cybersecurity risk facing their organizations, only 16% perceived it as a “very high risk.” About a third (32%) of employees perceived cybersecurity as a “high risk,” and nearly half (45%) viewed it as “little” or “no security risk” at all.
The report found that cybersecurity training was having some effect. More than half (55%) of workers who received cybersecurity training viewed cybersecurity as high risk, compared to 43% of those who didn’t receive training.
Unfortunately, most organizations lagged in employee cybersecurity training, with just 44% of surveyed employees receiving the training. Consequently, most employees surveyed were left to handle cyber threats alone while working from home.
Additionally, there were huge discrepancies in training among countries. For example, almost two-thirds (64%) of Indian employees had received cybersecurity training, while in France, the number was just under a third (30%).
Most employees believe cybersecurity is the responsibility of IT departments
Although most (86%) employees accepted personal responsibility for not exposing their organizations, more than half (51%) said it was their IT departments’ sole responsibility to protect them.
Employees also took cybersecurity shortcuts because they believed that the IT teams were protecting them or would take care of any mishap. The researchers blamed the misconception on poor communication between the IT departments and the employees.
“People working in the cybersecurity sector know how their colleagues should behave when it comes to keeping their devices safe and protecting the wider company. But are these messages getting through?” Joseph Carson, Chief Security Scientist and Advisory CISO at ThycoticCentrify, asked. “We’d urge employers to redouble efforts to encourage the best possible digital security practices in staff and remind them of the risks of failing to secure networks.”
He added that organizations needed to establish security processes and ensure they resonated with their employees to avoid a ransomware attack or major breach whose consequences could last for years.
Carson, however, acknowledged that hybrid or remote working scenarios posed unique challenges to organizations. He advised organizations to cultivate good security practices in their staff to prevent them from taking cybersecurity shortcuts despite the conditions.
SMBs sacrificed cybersecurity for productivity during the remote working period
While organizations rushed to implement remote working strategies, small and mid-sized businesses took cybersecurity shortcuts to avoid hurting productivity. SMBs were also the least likely to implement multi-factor authentication (MFA), Virtual Private Networks (VPNs), or offer cybersecurity training.
The problem was compounded by the fact that existing cybersecurity solutions are not viable for all organizations, as SMBs struggled with limited budgets and resources, especially during the remote working period.
“In dealing with the pandemic and shift to remote working, most SMBs may have been forced to sacrifice cybersecurity to focus on keeping workers productive,” the report stated.
Workers from various countries perceive cybersecurity risks differently
The perception of cybersecurity risks varies among countries. For example, more than a third (36%) of Swedish workers are less likely to view cybersecurity as high risk.
In contrast, two-thirds (66%) of Japanese workers are more likely to perceive cybersecurity as very high risk, according to the report. Japanese workers are also less likely to take cybersecurity shortcuts such as repeating passwords or clicking on suspicious links, unlike Indian workers.
Singaporean workers are also most likely (95%) to take personal responsibility for protecting their organizations, while Japanese workers are less likely (35%) to shift all responsibility for protecting organizations to their IT departments.
While employees are more likely to take cybersecurity shortcuts in remote working environments, the report exposed a divide between employees and cybersecurity teams.