“Smart home devices and their apps represent a major weak link in the corporate cybersecurity chain as the lines between work and home life increasingly blur.” That is the claim from Trend Micro. It comes as the company publishes Head in the Clouds, its latest survey of 13,200 remote workers across 27 countries. While the majority (85%) claim to take instructions from IT seriously, the majority still do not separate work and personal use.
In a twist that will cause hand-wringing in the boardroom, it seems that users prioritise productivity over security. Not only are users willing to use whatever apps they want to get the job done, but three in ten say IT-backed solutions are “nonsense.”
Bharat Mistry, Principal Security Strategist, Trend Micro said: “In today’s interconnected world, unashamedly ignoring cybersecurity guidance is no longer a viable option for employees. It’s encouraging to see that so many take the advice from their corporate IT team seriously.
“Having said that, there are individuals who are either blissfully ignorant or, worse still, who think cybersecurity is not applicable to them and will regularly flout the rules. Hence having a one-size-fits-all security awareness programme is a non-starter, as diligent employees often end up being penalised. A tailored training programme designed to cater for employees may be more effective.”
Key messages from the Head in the Clouds survey
Bashing users who are working from home for poor cybersecurity behaviour, and companies for not providing training, is pretty common fare at the moment. However, this research from Trend Micro provides a lot more depth, even if access to the full research data and question set was not available.
In addition to the numbers above, other stats from the study show:
- 81% agree that cybersecurity within their organisation is partly their responsibility
- 72% say they are more conscious of their organisation’s cybersecurity policies
- 64% acknowledge that using non-work applications on a corporate device is a security risk, yet 56% of employees admit to using a non-work application on a corporate device
- 66% of them have actually uploaded corporate data to that application
- 80% of respondents confess to using their work laptop for personal browsing, and only 36% of them fully restrict the sites they visit. Worryingly, 8% of respondents admit to watching/accessing porn on their work laptop while 7% access the dark web.
Smart devices are a particular issue in terms of risky behaviour. More than half of workers have IoT devices connected to their home network. While most come from well-known brands, 10% come from lesser-known brands. These often have well-documented vulnerabilities, although the study didn’t seem to ask how often people checked and patched devices.
Also missing from the study data that Trend Micro has published is any information on how often devices were shared with other family members. With so many children being home schooled, many families have found themselves short of technology. Anecdotal evidence suggests that parents are allowing children to use their devices for school work and possibly to play games.
Which security persona are you?
As with everything in life, people are not the same. Dr Linda Kaye, Cyberpsychology Academic at Edge Hill University, was asked by Trend Micro to profile four employee personas. These are based on cybersecurity behaviours and are: fearful, conscientious, ignorant and daredevil. The details are published in a separate report.
By creating the different personas, Trend Micro is seeking to help IT security teams understand:
- What are employees doing in the cloud?
- Why are they behaving in this way?
- How do you motivate them to stop negative behaviours?
Kaye explained: “Our research on personality profiles has been really helpful for this work, to help us better understand the way individual differences impact on cybersecurity behaviours.”
- Fearful employees may benefit from training and simulation tools, as well as real-time feedback from security controls and mentoring.
- Conscientious staff require very little training but can be used to good effect as exemplars of good behaviour and to team up with “buddies” from the other groups.
- Ignorant users need gamification techniques and simulation exercises to keep them engaged in training, and may also require additional interventions to truly understand the consequences of risky behaviour.
- Daredevil employees are perhaps the most challenging because their wrongdoing is the result not of ignorance but a perceived superiority to others. Organisations may need to use award schemes to promote compliance, and, in extreme circumstances, step up DLP and security controls to mitigate their risky behaviour.
Enterprise Times: What does this mean?
One of the challenges with delivering any training is understanding what works best for different people. There are multiple learning styles, with the three main ones generally considered to be auditory, kinaesthetic and visual. When designing a corporate training programme, especially for remote workers, too many assume that all workers are visual learners, which means that a lot of training is wasted.
Taking the four security personas, it is evident that a wider mix of training styles and materials is required. If companies invest in creating those materials, they will find not just greater awareness but better adherence to what is required.
There will, of course, be those who are seen as resistant, such as daredevil employees. Even here, gamification can be deployed to reduce the risk they present. Alongside this, IT security needs to improve how it manages and protects work devices.
IT has to assume that every device is in a hostile environment. Once that decision is made, it is possible to choose the right endpoint protection software. There is also a need for stronger data protection software, especially if users are going to choose their own apps for work.