With lockdowns easing and employees going back to the office under a hybrid work schedule, employers face a new set of cybersecurity challenges that will require a fundamental shift in security priorities, a new report suggests.
In fact, more than a third (36%) of employees say they have picked up bad cybersecurity behaviors and found security “workarounds” since working remotely. Most IT leaders (56%) also believe their employees have picked up bad cybersecurity behaviors since working from home, according to Back to Work Security Behaviors from security firm Tessian, which looks at how security behaviors have shifted during the past year.
According to the report, younger employees are most likely to admit they cut cybersecurity corners, with 51% of those ages 16-24 and 46% of those ages 25-34 reporting that they have used security workarounds. In addition, two in five (39%) respondents say the cybersecurity behaviors they practice while working from home differ from those practiced in the office, with half admitting it is because they feel they are not being watched by IT departments.
IT leaders are optimistic about the return to office, though, with 70% believing staff will more likely follow company security policies around data protection and privacy—yet only 57% of employees think the same.
Security Pitfalls in a Hybrid Workforce
Still, as lockdowns ease and the lines between personal and professional lives blur, IT leaders believe they face a new set of challenges with security threats posed by a hybrid workforce:
- Dodgy devices: More than half of IT leaders (54%) are concerned that staff will bring infected devices and malware into the workplace. And their apprehension is not unfounded: 40% of employees say they plan to work from personal devices in the office.
- Ransomware threats: Nearly 7 out of 10 IT leaders (69%) believe that ransomware attacks will be a greater concern in a hybrid workplace, with legal firms and health care organizations particularly concerned about this threat.
- Phishing schemes: Over two-thirds of IT decision makers (67%) predict an increase in targeted phishing emails in which cybercriminals take advantage of the transition back to the office, adding to the rapidly growing number of phishing attacks faced by organizations. In fact, the FBI found that phishing attacks doubled in frequency last year. According to Tessian, one particularly convincing “back to work” campaign targeted employees with emails purporting to come from their CIO, welcoming staff back into the office and asking them to provide their login credentials.
- Failure—or fear—to report cybersecurity mistakes: Over a quarter of employees admit they made cybersecurity mistakes—some of which compromised company security—while working from home that they say no one will ever know about. Additionally, 27% say they failed to report cybersecurity mistakes because they feared facing disciplinary action or further required security training. Notably, only half of employees say they always report to IT when they receive or click on a phishing email.
- Return to business travel: As travel restrictions are lifted, 6 in 10 IT leaders think the return to business travel will pose greater cybersecurity challenges and risks for their company. These risks could include a rise in phishing attacks, whereby fraudsters impersonate airlines, booking operators, hotel employees or even senior executives supposedly on business trips. There is also the risk that employees accidentally leave devices on public transport or expose company data in public places, the report notes.
Seat at the Table
As cybersecurity will be mission-critical in the new work environment, Tessian notes that 67% of surveyed IT decision makers report that they have a seat at the table when it comes to office reopening plans in their organizations.
In addition, about 6 in 10 (59%) IT leaders report that their role and responsibilities have been recognized as more important by their senior leadership team over the past year. Interestingly, this sentiment was overwhelmingly shared by respondents in the healthcare and tech industries, but respondents in the legal industry were the most likely to disagree with the statement.
The firm adds that organizations and IT leaders that address risky human behaviors and corresponding security threats will thrive in a hybrid work model.
“The shift to an all-remote workforce was a huge challenge for IT leaders, but the next transition to a hybrid work model is set to be even more challenging—particularly when it comes to employees’ behaviors,” says Tim Sadler, co-founder and CEO of Tessian. “Employees are the gatekeepers to data and systems but expecting them to be security experts and scaring them into compliance won’t work. IT leaders need to prioritize building a security culture that empowers people to work securely and productively, and understand how to encourage long-lasting behavioral change over time, if they’re going to thrive in this new way of working.”
Of course, while all employers should be concerned about cybersecurity threats, there’s also the unique threat to retirement plans and protecting plan assets, which the Department of Labor warned about in April when it provided cybersecurity best practices and tips for recordkeepers, plan sponsors and fiduciaries, participants and beneficiaries. Since then, the DOL has been following up to find out whether firms have been heeding its advice to implement cybersecurity safeguards.
Tessian commissioned OnePoll to conduct the survey of over 4,000 professionals in the U.S. and U.K. across various company sizes and industries, as well as 200 IT professionals, to identify back-to-work trends.