A third of employees picked up bad cyber security behaviors while working from home, according to Tessian’s Back to Work Security Behaviors report.
Despite remote workers’ bad security practices, 9 out of 10 organizations prefer the hybrid workplace as COVID-19 restrictions ease. Similarly, 89% of employees want to work remotely during the week.
The firm advises IT leaders to consider the bad employee behaviors as organizations transition to hybrid workplace models.
“But as employees go back to the office, IT leaders now need to address changes to employees’ security behaviors since they have been working remotely,” the report said.
Employee behaviors deteriorated while working remotely
Most employers were wary that the post-pandemic hybrid workforce would bring bad cybersecurity behaviors.
More than half (56%) of employers believed that employees had picked up bad security practices while working remotely. Similarly, nearly two-fifths (39%) of employees admitted that their behaviors differed significantly while working from home compared to the office.
Additionally, nearly a third (36%) admitted discovering ‘workarounds’ since they started working remotely. Younger workers were more prone to these bad employee behaviors, with 51% of 16-24, 46% of 25-34, and 35% of 35-44-year-olds using ‘workarounds.’
Close to half (49%) of workers adopted the risky behavior because they felt that they weren’t being watched by IT departments. Nearly a third (30%) said they felt that they could get away with the risky employee behaviors while working away from the office.
However, IT leaders placed more confidence in their employees while transitioning to the hybrid workplace. Over two-thirds (70%) of IT decision-makers believed that their staff would observe their company’s cybersecurity policies in the hybrid workplace compared to 57% of employees who thought the same.
Many employees are unlikely to admit cutting corners
Fear of reporting, or failure to report, cybersecurity mistakes was a huge risk for organizations. A quarter of employees refused to report such mistakes, believing that nobody would ever discover them.
Similarly, more than a quarter (27%) feared reporting cybersecurity mistakes because of potential disciplinary action or being forced to take additional security training. Only half of the employees said they usually reported security faux pas such as receiving or clicking phishing emails.
However, younger employees are more likely to admit cutting corners, according to the Tessian report. More than half (51%) of employees between 16-24 years old and 46% of those between 25-34 years old were more likely to admit circumventing the company’s security protocols.
Younger employees were also more likely to make cybersecurity mistakes that nobody would ever discover. Nearly half (42%) of 16-24, 37% of 25-34, and 26% of 35–44-year-olds had engaged in this bad employee behavior.
“So, create a security culture that encourages people to come forward about their mistakes, and support them when they do,” the authors suggested.
Personal devices will undermine the network perimeter in the hybrid workplace
Some of the security threats and challenges experienced when people work fully remotely would be imported into the new hybrid workplace.
While many employees used infected devices for remote access during the pandemic, some would bring them to the hybrid office.
More than half (54%) of IT leaders believed that their staff would introduce infected personal devices into the new hybrid workplace, while 40% of employees planned on taking their devices to work. The movement of devices between the corporate and home network created a cybersecurity loophole that could be exploited by threat actors.
“IT and security leaders now have to shift to a new security architecture for good – one that involves zero-trust network access, endpoint security, and multi-factor authentication,” the report stated.
Phishing and ransomware attacks are major challenges in the hybrid workplace
Ransomware attacks were also a major concern for more than two-thirds (69%) of IT leaders who believed that the hybrid work environment would be a target for ransomware attacks. These attacks posed a business continuity threat to targeted companies.
Similarly, phishing attacks concerned over three-quarters (76%) of IT decision-makers, who believed that credential phishing would only get worse in a hybrid workplace.
Three-fifths (60%) of IT decision-makers also predicted that traveling would put organizations at greater cybersecurity risk.
They believed that employees were more likely to expose company data in public or fall for phishing scams impersonating airlines, booking companies, hotels, or senior executives on a business trip. In fact, “back to work” phishing emails were a concern for 67% of IT leaders.
The Tessian report pointed out that phishing was the gateway to ransomware attacks. Consequently, successfully blocking phishing exploits reduces the chances of a ransomware attack.
“Stop phishing, business email compromise, account takeover attacks, and social engineering scams, and you significantly reduce the risk of ransomware,” the report authors noted.
However, bad employee behaviors, such as failing to report clicking phishing links, made it harder to stop these attacks.
Tim Sadler, Tessian CEO and co-founder, noted that the transition from fully remote to the hybrid workplace faced more challenges. He warned that forcing employees to comply was doomed to fail.
“Employees are the gatekeepers to data and systems, but expecting them to be security experts and scaring them into compliance won’t work. IT leaders need to prioritize building a security culture that empowers people to work securely and productively, and understand how to encourage long-lasting behavioral change over time if they’re going to thrive in this new way of working.”
Thus, building a strong security culture was a crucial step in addressing bad employee behaviors and technical challenges facing organizations transitioning to the hybrid workplace.