More than 50% of IT teams believe that employees have bad security habits: habits they’ve developed since moving their offices into the home, and that put their information, systems and employers at risk.
The statistic comes from the Tessian Back to Work Security Behaviours Report, which also found an age discrepancy in who practised the best security from home.
Around 51% of 16-24-year-olds and 46% of 25-34-year-olds reported that they used security workarounds, while two in five people said that the security behaviours they adopted at home were very different from those they used in the office.
For Anna Collard, senior vice-president: content strategy and evangelist at KnowBe4 Africa, this draws a thick red marker around the need to ensure that people and security training remain a priority while offices continue with hybrid ways of working.
“People adopt different behaviours at home as a rule,” she adds. “It is home, after all. There has to be a solid mental shift now that the home has become the office, and this shift involves making sure that the same security check boxes that were ticked at the office are also ticked at home. This is even more important because cyber criminals are taking advantage of system and employee vulnerabilities right now, and really going in on the offensive.”
Now is the right time to implement policies and approaches that take hybrid workplaces and requirements into account. The survey mentioned above also found that 67% of IT decision makers believe that phishing emails will increase as people move back to the office. And there is a discrepancy between how IT sees security when office work returns and how employees see it. Only 57% of employees think that they will follow security protocols once back in the office compared with 70% of IT professionals.
“Cybercriminals have cottoned on to the fact that people will move back into the office with a slightly less than robust approach to security,” says Collard. “They will forget to report mistakes, potentially open up new avenues of risk to the business or get caught by the tide of phishing emails that have become rampant over the past few months.”
People are people. The pandemic has been punishing. Implementing further punishments for making simple cyber security mistakes will only make things worse. What’s needed is a focus on training and positive reinforcement that reminds people of why security is important, and how to keep their side clean: training that puts them in front of simulated ransomware or phishing emails, teaches them security best practice, and rewards those who do well. This should be done consistently and in a way that engages with people in the limited time they have.
“By giving your people the tools they need to combat security threats and recognise risks, you are empowering them and adding that extra layer of security to your business,” concludes Collard. “Methodical and repeated simulations combined with training allow for IT teams to trust in their people, and for employees to remain aware of the threat actors that wait for them to make the simplest of mistakes. This is the best way to help your business remain ahead of security best practice and for your people to thwart social engineering attacks.”