Almost three-quarters (approximately 72%) of people forced to work remotely through the Covid-19 coronavirus pandemic believe they are now more conscious of their organisational cyber security policies than they were before, but are still happy to break the rules if expedient, according to a Trend Micro study distilled from interviews conducted with more than 13,000 remote workers in 27 different countries.
The recently released report, Head in the clouds, found that 85% of respondents say they take instructions from their IT team seriously, 81% agree that security is partly their responsibility, and 64% agree that using non-work applications on a company-owned device is a risk.
“It’s really heartening to see that so many people take the advice from their corporate IT team seriously, although you have to wonder about the 15% who don’t,” said Trend Micro’s vice-president of security research, Rik Ferguson.
“At the same time, those people also accept their own role in the human firewall of any organisation. The problem area seems to be translating that awareness into concrete behaviour. To reinforce this, organisations need to take into account the diversity across the organisation and tailor training to identify and address these distinct behavioural groups.
“The time to do this is now, to take advantage of the new working environment and people’s newfound recognition of the importance of information security.”
Trend Micro said that there had never been a better time for chief information security officers (CISOs) to revitalise their approaches to security training during this period of apparently heightened awareness.
This may even be an imperative because 56% admitted to using non-work apps on work devices, 66% had uploaded corporate data to a non-work app, 80% used their work laptop for personal browsing, 39% had accessed corporate data on a personal device, 8% had watched porn on a work device, and 7% had accessed the dark web on one.
Many respondents appeared to value productivity over security, with 34% saying they didn’t give much thought to whether or not the apps they used were sanctioned by their employer because they just wanted to get the job done.
“There are a great number of individual differences across the workforce. This can include individual employee’s values, accountability within their organisation, as well as aspects of their personality, all of which are important factors which drive people’s behaviours,” said Linda Kaye, senior lecturer in psychology at the UK’s Edge Hill University, and a specialist in the field of cyber psychology.
“To develop more effective cyber security training and practices, more attention should be paid to these factors. This, in turn, can help organisations adopt more tailored or bespoke cyber security training with their employees, which may be more effective,” she said.
As part of the research for the report, Kaye has developed four security ‘personas’ to better explain the need for more bespoke training. These are:
- Fearful – people who are anxious about getting security wrong and exposing their employer to risk, tend to be accountable for their behaviour even if they don’t understand the risks, and therefore may engage in avoidance behaviour such as declining tasks or waiting for help;
- Conscientious – people who understand risks and follow advice, proactively take steps to manage risks, and are highly accountable for their behaviour, as well as mindful of their role in protecting the organisation where they work;
- Ignorant – people who lack cyber awareness and fail to take accountability for their behaviour, who tend to be careless and take risks without understanding the significance of them;
- Daredevil – people who are similarly careless to ignorant users, but out of recklessness and a perceived sense of superiority, who lack regard or accountability, preferring to attribute this externally on others.
Kaye said that each of these groups would benefit from a different approach – for example, fearful people might benefit from some kind of security mentor; conscientious people are ideal to enlist as security champions; and ignorant people need more basic, simple training, and may benefit from a gamification approach. Meanwhile, the daredevils, who are less likely to be swayed by training, may benefit from incentives such as award schemes.
She added that there was no right or wrong way to go about training as each organisation will have a unique set of challenges.