Trend Micro’s Head in the Clouds study is distilled from interviews with 13,200 remote workers across 27 countries on their attitudes towards corporate cybersecurity and IT policies. It indicates that there has never been a better time for companies to take advantage of heightened employee cybersecurity awareness to crack down on bad habits once and for all.
But with 85 percent of remote workers claiming to take instructions from their IT team seriously, 81 percent agreeing that workplace cybersecurity is partly their responsibility, and 64 percent acknowledging that using non-work applications on a corporate device is a security risk, further education doesn’t appear to be the answer.
Just because most people understand the risks does not mean they stick to the rules.
- 56 percent of employees admit to using a non-work application on a corporate device, and 66 percent of them have actually uploaded corporate data to that application.
- 80 percent of respondents confess to using their work laptop for personal browsing, and only 36 percent of them fully restrict the sites they visit.
- 39 percent of respondents say they often or always access corporate data from a personal device – almost certainly breaking corporate security policy.
- Eight percent of respondents admit to watching/accessing porn on their work laptop, and seven percent access the dark web.
Examining the results in more detail, evidence shows these behaviours are more a case of attitude than ignorance. A third of respondents do not give much thought to whether the apps they use are sanctioned by IT or not, as they just want the job done. Additionally, 29 percent think they can get away with using a non-work application, as the solutions provided by their company are ‘nonsense’.
With infosecurity understanding there, but employee attitudes towards it varying wildly, how can organisations encourage better behaviour from their remote workers?
Dr Linda K. Kaye, Cyberpsychology Academic at Edge Hill University said: “There are a great number of individual differences across the workforce. This can include individual employee’s values, accountability within their organisation, as well as aspects of their personality, all of which are important factors which drive people’s behaviours. To develop more effective cybersecurity training and practices, more attention should be paid to these factors. This, in turn, can help organisations adopt more tailored or bespoke cybersecurity training with their employees, which may be more effective.”
Bharat Mistry, Principal Security Strategist, Trend Micro, said: “It’s encouraging to see that so many take the advice from their corporate IT team seriously. Having said that, there are individuals who are either blissfully ignorant or worse still who think cybersecurity is not applicable to them and will regularly flout the rules. Hence having a one size fits all security awareness programme is a non-starter as diligent employees often end up being penalised. A tailored training programme designed to cater for employees may be more effective.”
The Head in the Clouds study looks into the psychology of people’s behaviour in terms of cybersecurity, including their attitudes towards risk. It presents several common information security “personas” with the aim of helping organisations tailor their cybersecurity strategy in the right way for the right employee.