Yubico has released the results of a comprehensive study into current attitudes and adaptability to at-home corporate cybersecurity, employee training, and support in the current global hybrid working era. The report surveyed 3,006 employees, business owners, and C-suite executives at large organisations (250+ employees), who have worked from home and use work issued devices in the UK, France and Germany.
Findings from the report offer insights into the use of work-issued devices for personal matters, sharing and remembering business passwords, the adoption of two-factor authentication (2FA), and other security measures, coupled with how enterprises are responding.
Data shows that since the start of the pandemic employees have been engaging in poor cybersecurity practices on work-issued devices, with business owners and C-level executives proving to be the worst culprits. At the same time, enterprises are falling short on cybersecurity best practices that need to be implemented for out-of-office environments. Less than a quarter of respondents admit to even implementing 2FA since the start of the pandemic and even then, many are using less secure and less user-friendly forms of 2FA like mobile authentication apps and SMS one-time passcodes.
Key findings from the survey include:
•54% of all employees use the same passwords across multiple work accounts. 22% of respondents still keep track of passwords by writing them down, including 41% of business owners and 32% of C-level executives.
•42% of respondents admit to using work-issued devices for personal reasons daily while working from home. Of these, 29% are using work devices for banking and shopping, and 7% admit to watching illegal streaming services.
○ Senior workers are among the biggest offenders, as 44% of business owners and 39% of C-level executives admit to performing personal tasks on work-issued devices every day since working from home, with almost a quarter (23%) of business owners and 15% of C-level respondents using them for illegal streaming/watching TV.
•A year after the pandemic began and work-from-home policies were implemented, 37% of all employees across all sectors are yet to receive cybersecurity training to work from home, leaving businesses largely exposed to evolving risks.
•43% of all employees suggest that cybersecurity isn’t the responsibility of the workforce, with nearly two thirds (60%) believing this should be handled by IT teams. However, data suggests that IT departments are not meeting employee expectations, with just 37% feeling more supported by IT than they did when working onsite with their firm’s cybersecurity team close by.
•Meanwhile, a supportive top-down security culture is lacking, causing employees to feel increased levels of anxiety or stress when dealing with IT or security problems. 51% often try to solve their own IT problems rather than contacting IT, and 40% who clicked on a suspicious link wouldn’t immediately tell IT.
•Despite 2FA technology being the best line of defence to protect against account takeovers, only 22% of respondents report their company has introduced it since the pandemic began.
•Even among organisations who have implemented 2FA, only just above a quarter (27%) are rolling out FIDO-compliant hardware security keys, which offer the most advanced form of phishing protection, while others rely on more vulnerable and outdated solutions, such as mobile authentication apps (54%) and SMS one-time passcodes (47%).
Highlights by country:
•UK business owners are stricter about their personal use on work devices than their counterparts in Germany and France. In contrast, UK-based employees have become more relaxed: 20% more of them admit to using work-issued devices for personal affairs since working from home.
•Meanwhile, UK respondents feel less supported by IT than those in Europe - but they’re also the most confident in their own ability to spot phishing attacks, with 80% of all employees indicating they could identify an attempted breach.
•Key 2021 employee habits include:
○ 73% of business owners and 71% of C-level execs allow third parties to use work devices
○ 42% feel more vulnerable to cyber threats while working from home, with 39% feeling unsupported by IT
○ 62% have not completed cybersecurity training for remote work
○ When having clicked a suspicious link during work, 16% figure it out by themselves while 12% “ask Google”
○ 22% would use the same work email log-in again after a security breach, while 31% would share work email passwords
○ 62% would rather have their work credentials than personal data stolen
○ The main personal activities on work devices are: Article reading 36%; admin 36%; shopping 36%; banking 30%; social media 28%; gaming 15%
A lax attitude to cybersecurity is not exclusive to French employees but some of their actions and beliefs are of concern.
26% of those who hope to continue working remote post-pandemic ignore software and operating system updates for their work-issued devices. These are vital to maintaining a barrier against cyber threats.
While 59% of all respondents based in France believe IT should be solely responsible for cybersecurity, 63% believe employees that are working from home should take more ownership.
Just 30% of all respondents say they have received security training, and 36% feel they are less supported by IT compared to when working in the office.
This is likely prompting the 48% of all employees who attempt to fix IT issues on their own, rather than notifying IT, and this percentage rises to 69% for both business owners and the C-suite. As we have seen, this can be linked to over-confidence about spotting phishing attacks - with 67% of all employees feeling they can identify one.
Among new cybersecurity policies which have been implemented since working from home, half of French businesses (50%) require a VPN to access the corporate network, 33% enforce the use of stronger passwords, while 30% request password updates more frequently, and only 19% require 2FA. 57% of French employees consider SSO requirements as being cumbersome or disruptive to their workflow, 54% for 2FA.
Key employee habits include:
•Everyday personal use of work-issued devices: pre-Covid 41%; post-Covid 53%
•Main personal use activities on work devices: admin 37%; article reading 35%; banking 27%; gaming 10%; illegal streaming 10%
•Everyday work use of personal devices: pre-Covid 30%; post-Covid 42% allow third parties to use device: business owner 78%; C-level 70%
•Feeling more vulnerable to cyber threats since working from home: 40%
•Feeling unsupported by IT: 36%
•Completed cybersecurity training for remote work: 30% say yes
•Remembering work passwords: 23% write them down; 14% use a password manager; 11% save to a document on the device; 11% use the same password for multiple accounts
•Would use same work log-in again after breach: 23%
•Share work email passwords: 28%
•Confident about spotting phishing attempt: 67%
•Would rather have work credentials than personal data stolen: 75%
In Germany, some employees have taken a stricter approach to cybersecurity during the pandemic. While everyday personal use of work-issued devices has risen overall, the proportion of people doing this, who already worked from home pre-pandemic, fell from 42% to 34% - suggesting they are more conscious of the increased risk.
As with the overall responses, business owners fall short when it comes to security: a quarter of German based business owners admit to using work devices for illegal streaming.
Only 35% say they have received cybersecurity training from their employer. This includes half of all C-level executives, but only a quarter of entry-level employees.
Patching is patchy, too; important updates on work devices are strongly neglected, only 11% on average keep their work devices updated, along with a further 27% of home workers.
Additionally, respondents based in Germany are overly confident in spotting a phishing attempt with 71% of all employees stating they are very or somewhat confident.
Key employee habits include:
•Everyday personal use of work-issued devices: pre-Covid 21%; post-Covid 30%
•Main personal use activities on work devices: article reading 48%; social media 40%; admin 34%; banking 31%; shopping 31%; gaming 19%
•Everyday work use of personal devices: pre-Covid 19%; post-Covid 28%
•Allow third parties to use device: business owner 90%; C-level 65%
•Feeling more vulnerable to cyber threats working from home: 36%
•Feeling unsupported by IT: 32%
•Completed cybersecurity training for remote work: 35% say yes
•Immediate reaction to clicking suspicious link during work: 59% tell IT ASAP; 18% “ask Google”
•Remembering work passwords: 23% write them down; 21% use a password manager; 12% save to document on the device; 8% same password for multiple accounts
•Would use same work log-in again after breach: 21%
•Never share work email password: 69%
•Confident about spotting phishing attempt: 71%
•Would rather have work credentials than personal data stolen: 63%