With remote working now part of the new business reality, cybersecurity has skyrocketed to the top of the IT to-do list. Companies are investing astronomical sums to upgrade technology, develop security processes, and boost IT staff, yet studies indicate that they may be overlooking the biggest piece of the puzzle: their employees.
Knowledge Is Power … Not!
Recognizing that knowledge is the best weapon when it comes to cybersecurity, many companies have embarked on a mission to raise cybersecurity awareness among employees. From training programs that explain the risk of phishing scams to simulations that clarify the steps to take when faced with a suspicious email, many companies are striving to ensure that every employee within the organization is educated about cybersecurity protocols. Yet despite having this knowledge, apathy about cybersecurity hygiene prevails among employees; most display a lack of interest, enthusiasm, or concern about their organization's cyber health.
A wide spectrum of studies shows that despite greater awareness of cybersecurity dangers, employees still show a lax attitude when it comes to practicing even the most basic cybersecurity prevention methods. Trend Micro reports that despite 72% of employees claiming to have gained better cybersecurity awareness during the pandemic, 56% still admitted to using a non-work application on a company device, and 66% admitted to uploading corporate data to that application, despite knowing that their behavior represents a security risk. The same survey showed that 39% of employees knowingly breach their company's security policies by regularly accessing work data from a personal device. Shockingly, 29% said they believed the solutions provided by their company were "nonsense."
The same level of employee apathy can be seen in the public sector as well. According to a survey by security services firm Dtex Systems, 48% of government employees feel no personal responsibility for the security of their work devices or information. Approximately 50% believe that they could be hacked no matter what protective measures they took, while 43% took the polar opposite approach — they didn't take the threat seriously at all, as they didn't believe they could be hacked.
This lack of concern, care, or adherence to cybersecurity standards is especially worrying with the growth of the work-from-home workforce. In one survey, 34% of IT professionals indicated that their remote staff are not interested in cybersecurity. In another survey of furloughed employees in the UK and Ireland, 48% said they were not concerned about email phishing scams because they say it is IT's responsibility to deal with them. That same number of respondents admitted that upon returning to the office, they would power through their inbox as fast as possible, without taking the time to inspect any links or attachments in emails that might be fraudulent.
Four Reasons for Employee Apathy About Cybersecurity
1. Open attitudes toward information: Millennials and Generation Z, who have been raised in a culture of sharing, are not as wary about protecting their privacy or about interacting with strangers. People who are comfortable sharing with anyone and everyone over social media are less likely to think twice about security procedures and standards. In fact, millennials have been shown to use the same passwords again and again, and 60% of this demographic accept connections with strangers "most of the time."
2. Complexities of security technology: The wide range of ever-changing security technologies can be confusing and exasperating for the average employee. Studies show that the majority of Internet users do not have a clear understanding of the latest security standards and best practices, such as two-factor authentication, mobile device management, and VPNs. Often, something not understood is more easily ignored.
3. Time constraints: Even the best-laid plans can be cast aside when no one has time to implement them. Employees are busy and may not want to spend the extra time required to check the protocol about suspicious emails or to notify the right party when they accidentally click on a "bad link."
4. Negative impact on productivity: Employees often feel that cybersecurity measures adversely affect their productivity. Whether it's due to files being quarantined or because each device, app, and software program has its own layer of security, employees can easily become frustrated with cybersecurity protocols. A Dell study found that 91% of business users feel that additional security measures — including remote-access policies — hamper their ability to get their work done efficiently.
What's an Organization to Do?
With an average of 10 million new malware threats recorded per month, organizations must address employee apathy in light of the growing risks. Trend Micro's report concluded that simply building more workplace security awareness programs for employees isn't the answer, as the findings show that employees were well aware of the cybersecurity risks but disregarded their company's security rules anyway.
To protect your organization from all emerging file-borne threats, the security and leadership teams must align to develop a streamlined approach to file security. Such an approach should focus only on allowing safe information to reach an end user rather than attempting to block malicious items. Too often, we see the latter approach accomplished with sandboxing and antivirus software — but this blocked information can also act as an obstacle for many employees as they navigate their primary work responsibilities.
Leadership must evaluate the organization's security posture from all angles, finding gaps and solutions that allow safe files to flow freely — no matter what reaches employees.