Ironically, awareness did not translate into compliance. This indicates that cybersecurity training needs to be tailored and tweaked.
In a recent global cybersecurity survey involving 13,200 remote workers, nearly three quarters (72%) said they were more conscious of their organization’s cybersecurity policies since lockdown began.
That is the good news. The bad news is that many were breaking corporate security rules anyway due to their limited understanding or resource constraints.
The study by Trend Micro Incorporated examined attitudes towards corporate cybersecurity and IT policies. The statistics revealed that there has never been a better time for companies to take advantage of heightened employee cybersecurity awareness. Importantly, because cases of non-compliance persisted despite that awareness, the study showed that cybersecurity training is critical and must be delivered effectively to ensure secure practices are actually followed.
Awareness but not compliance
With 85% of respondents claiming they took instructions from their IT team seriously, and 81% agreeing that cybersecurity within their organization is partly their responsibility, the assumption was that remote workforces are finally falling in line. Additionally, 64% acknowledged that using non-work applications on a corporate device is a security risk. However, the following statistics show a different picture:
- 56% of employees admitted to using a non-work application on a corporate device, and 66% of them had actually uploaded corporate data to that application.
- 80% of respondents confessed to using their work laptop for personal browsing, and only 36% of them fully restricted the sites they visited.
- 39% of respondents said they often or always accessed corporate data from a personal device, almost certainly breaking corporate security policy.
- 8% of respondents admitted to watching or accessing pornography on their work laptop, and 7% accessed the dark web.
These numbers show that many WFH workers still value productivity over protection. A third of respondents (34%) agreed that they did not give much thought to whether the apps they used were sanctioned by IT or not, as they just wanted the job done. Additionally, 29% thought they could get away with using a non-work application, as the solutions provided by their company were ‘nonsense.’
The psychology of non-compliance
Dr Linda K. Kaye, Cyberpsychology Academic, Edge Hill University, explained: “There are a great number of individual differences across the workforce. This can include individual employees’ values, accountability within their organization, as well as aspects of their personality, all of which are important factors that drive behaviors. To develop more effective cybersecurity training and practices, more attention should be paid to these factors. This, in turn, can help organizations adopt more tailored or bespoke cybersecurity training with their employees, which may be more effective.”
Bharat Mistry, Principal Security Strategist, Trend Micro, added: “In today’s interconnected world, unashamedly ignoring cybersecurity guidance is no longer a viable option for employees. It’s encouraging to see that so many take the advice from their corporate IT team seriously. (Yet) there are individuals who are either blissfully ignorant or, worse still, think cybersecurity is not applicable to them and will regularly flout the rules. Hence having a one-size-fits-all security awareness program is a non-starter, as diligent employees often end up being penalized. A tailored training programme designed to cater for employees may be more effective.”