Survey finds workers still violate security policies to remain productive
With workplace cyberattacks on the rise, industry experts are pressing businesses to train their workers to be more vigilant than ever to protect passwords and sensitive data and to recognize threats.
“It is imperative for organizations of all sizes to instill among employees the critical role they play in keeping their workplace safe and secure,” said Michael Kaiser, executive director of the National Cyber Security Alliance, a group that promotes education on the safe and secure use of the internet. The group’s members include such major technology companies as Cisco, Facebook, Google, Intel and Microsoft.
Kaiser's comments were timed to coincide with last week’s release of a Dell End-User Security Survey, which found that 72% of workers are willing to share confidential company information without regard for proper data security protocols. The survey was conducted online in late February and early March with results from 2,608 professionals in companies with more than 250 workers.
“Cybersecurity education needs to be an integral part of the workplace culture,” Kaiser added. “Cybersecurity education doesn’t mean hosting a one-time course or seminar; it means making security a collaborative, continuous cultural initiative.”
Creating a security culture at a company can be complicated. The survey found that 65% of employees recognize their responsibility to protect confidential information, but many said security programs limit their productivity. Of those who received cybersecurity training at work, 24% admitted they went ahead and used unsafe behaviors anyway in order to complete a task.
There is a “balance between protecting your data and empowering employees to be productive,” said Brett Hansen, vice president of endpoint security and management at Dell. Data security needs to be the top priority “while maintaining productivity,” Hansen said. It’s a difficult task that requires companies to create simple, clear policies that address potential breaches.
The survey found that unsafe behaviors for accessing, sharing and storing data are common in the workplace. Forty-six percent of employees admitted to connecting to public Wi-Fi to access confidential information, while 49% admitted to using a personal email account for work tasks. The survey found 35% said it was common to take corporate information with them when leaving a company.
“As the Dell survey clearly indicates, there is still much work to be done regarding cybersecurity education and training for employees,” said Kristin Judge, director of government relations for the Alliance, via email.
“The trend we are seeing is one of creating a culture of cybersecurity within an organization, which means taking cybersecurity best practices out of the IT department and bringing them into the risk management discussion… Effectively responding to cyber threats is relatively new on the list of day-to-day business practices — so it will take some time to establish and instill widespread organizational change.”
Avivah Litan, a security analyst at Gartner, said companies are beginning to institute cybersecurity training programs. “When it is instituted, it really makes a huge difference,” Litan said in an email. She said she used to be cynical about the impact of these training programs, but has recently become convinced of how effective they can be. She wrote a blog post in December describing how one Midwest energy firm had seen an almost 80% reduction in security incidents after training.
The alliance urges companies to talk frequently to workers about:
- Rules for keeping a clean machine, including what programs, apps and data workers can install and keep on their work computers;
- Best practices for passwords, including making them long and strong, with uppercase and lowercase letters, numbers and symbols, and changing them routinely;
- Throwing out suspicious links in email, tweets, posts, online ads, messages or attachments—even if they know the source;
- Remembering to back up work, based on the policies of each company;
- Speaking up if they notice strange happenings on their computer.
For business travelers going abroad, the National Counterintelligence and Security Center has posted a series of travel tips. They include suggestions such as taking a different mobile phone from the one you typically use and checking for updated cybersecurity alerts at the U.S. Computer Emergency Readiness Team’s website.