Nasty surprises lurking in furloughed employees’ inboxes

Organisations that have placed their employees on furlough during the Covid-19 coronavirus pandemic are sleepwalking into a storm of confusion, disruption and legal risk as people return to work and open up months and months of unread emails, according to a study carried out by CensusWide on behalf of security awareness and training specialist KnowBe4.

As the UK rushed to lockdown in March 2020, and millions were temporarily furloughed, a lack of preparation to email hygiene has left many organisations dangerously exposed, according to the report Furloughed Workers: Threats, anxiety, and staying away from work.

KnowBe4 asked respondents how long they expected they would take to clear their email backlog when they did return to work. A majority of 44% reckoned they could do so within a day, while 19% said it would take two. Just under 11% thought it would take at least a full working week to break through the logjam. Most people, however, said they would prefer to deal with the backlog themselves, and just under 10% said they would be happy for management to “triage” their inbox

But herein lies the risk, as the data also revealed that 48% of people were not worried about coming across malicious phishing emails in their inboxes, and believed that it was the job of their IT teams to get ride of them, compared to 37% who understood that they bore responsibility for spotting and reporting such things.

Javvad Malik, security awareness advocate at KnowBe4, said: “These findings are concerning as KnowBe4’s research has demonstrated time and again that individuals are often over-confident in their abilities to spot a malicious email. In the most recent 2020 benchmarking report, it was found that almost 40% of untrained employees were likely to fall for a phishing email; a figure that continues to grow year on year.

“Without the necessary training, tied with a haste among employees to return to business as usual, organisations may very soon find themselves at the mercy of cyber criminals,” he said.

In the rush to clear out the email backlog, this could put many organisations at elevated risk of being compromised via a phishing email in the first few days back in the office. A total of 47% respondents to the survey admitted that they would prioritise clearing down their emails as fast as possible in order to get back a semblance of business as usual. In contrast to this, only 38% said they would filter through their emails with an eye on the possibility of coming across dangerous links or attachments.

The risks that an organisation may fall victim to a cyber attack are further exacerbated by a tendency among employees to prioritise speed over security. Indeed, almost half of respondents (47%) admitted that, when resuming work, their main priority would be to sort through emails as quickly as possible and return to business as usual. In contrast, only 38% would carefully filter through their emails and avoid clicking on something they shouldn’t. On average, respondents thought it would take them just over two days to sort through their emails upon returning to work.

The report also found that almost 40% of furloughed employees had received no guidance from their employer on what is and what is not allowed when it comes to reading and responding to emails while furloughed.

For clarity, the rules of the furlough scheme state that employees cannot do any work that makes money for or provide services to their employer or any organisation linked to or associated with it while claiming under the programme.

Because checking email may be deemed to be providing services, businesses that have encouraged furloughed employees to do this, or turned a blind eye to the practice, face having to repay money paid by the government to cover wages, or fines, if they are caught.

This may be a very widespread problem, as KnowBe4 claimed that 68% admitted to looking at their emails and 40% had responded to some, suggesting that many businesses could face expensive legal consequences if the government is minded to pursue them.

“For businesses seeking to maintain good cyber hygiene in the present environment, there is already a pressing need to ensure that the remote solution for an increasingly peripatetic workforce creates no additional opportunities for threat actors and the accompanying legal risks,” said Mark Deem, a partner at law firm Cooley LLP. 

“This survey is a timely reminder that – whatever the strict legal position might be concerning whether furloughed staff should be working – businesses need to understand the actual online practices of its workforce, if it is to understand where legal and cyber vulnerabilities might arise.”