A global survey of more than 8,000 employees found that employees, even though they know the dangers, engage in risky behavior that could compromise the digital security of their company.
The results are worrying – especially given the increase in remote or hybrid work. The survey found that 79 percent of respondents have engaged in at least one risky cybersecurity activity in the past year. Over a third (35%) of respondents have stored passwords in their browser in the past year, a similar number (32%) have used one password to access multiple websites, and around one in four (23%) have connected a personal device to the company network.
Although almost all respondents (98%) are aware that individual actions such as clicking links from unknown sources or giving login details to colleagues pose a risk, only 16% of respondents believe that their company is at very high risk of a cybersecurity attack.
Joseph Carson, Chief Security Scientist and Consulting CISO at ThycoticCentrify said, ‘People who work in the cybersecurity industry know how their colleagues should act when it comes to keeping their devices safe and protecting the entire company. But are these messages getting through?’
Carson therefore urges employers to step up their efforts to encourage employees to adopt the best possible digital security practices and to remind them of the risks of not securing their networks. ‘A ransomware attack or a major security breach has serious consequences that can last for years. Every company must therefore introduce security processes and ensure that these are actually lived by employees,’ emphasised Carson.
Only 44 percent of the respondents (38% in Germany) received cybersecurity training last year, which means that more than half of the employees surveyed were left alone with the dangerous situation that arises from working from home. Smaller companies in particular have given their employees the least amount of cybersecurity training in the past year.
‘Working remotely, or hybrid, poses a particular security challenge, so companies should be careful to instill good practice in employees wherever they work,’ Carson said.
Employees rate their organisation’s cyber risk higher (55% versus 43%) when they have received training, which suggests that they have developed a better understanding of the risks.
Although they know that clicking links from unknown sources poses a risk to a company, only 16% of respondents believe that their company is at very high risk from cybersecurity attacks. This assumption contradicts the 79 percent of respondents (82% in Germany) who noticed an increase in the number of fraudulent and phishing messages in the last year.
SMEs at higher risk
Small and medium-sized enterprise employees were the least likely to have received cybersecurity training in the past year. Just under half (47%) of employees in companies with more than 5,000 employees received training in the past 12 months, compared with 20 percent of employees in companies with fewer than 10 employees and 32 percent in organisations with 11 to 50 employees. In smaller companies, the risk is estimated to be lower: Only 37 percent of employees in companies with 1 to 10 employees state that there is a high risk, compared to 50 percent in companies with more than 100 employees. Smaller companies are also the least likely to have implemented protective measures such as multi-factor authentication (MFA) or virtual private networks (VPNs) compared to larger companies.
Personal responsibility for safety
The survey revealed an overarching sense of responsibility among employees. 86 percent agreed that they have a personal responsibility to ensure that they do not expose their business to cyber threats. 51 percent said they still believe that IT should be solely responsible for protecting the company.
Methodology of Study
ThycoticCentrify commissioned the independent market research specialist Sapio Research to carry out the study. Sapio asked more than 8,000 employees worldwide, including 1,000 from Germany, about their attitudes towards cybersecurity. 81 percent of those surveyed were full-time employees, while 19 percent were part-time employees. The interviews were conducted online in June 2021. A rigorous multi-stage screening process was used to ensure that only suitable candidates were given the opportunity to participate.
Image credit: Dan Nelson / Unsplash