A new report from cybersecurity firm Tessian found that the move to working from home has had drastic effects on how people approach data loss prevention.
In a survey of 1,000 people from the US and 1,000 from the UK, Tessian researchers found that 48% are less likely to follow safe data practices when working from home and 84% of IT leaders surveyed said data loss prevention is more challenging when employees are working from home.
More than 90% of IT leaders trust their staff to follow best security practices when working from home yet 52% of employees (52%) believe they can get away with riskier behavior when telecommuting, creating a dangerous situation for companies in sensitive industries.
“Businesses have adapted quickly to the abrupt shift to remote working. The challenge they now face is protecting data from risky employee behaviors as working from home becomes the norm,” said Tim Sadler, CEO and co-founder of Tessian. “Human error is the biggest threat to companies’ data security, and IT teams lack true visibility of the threat.”
SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)
The report goes into detail about why employees take more chances when working from home and the differences between employees based on age or location.
US employees are more than twice as likely as UK workers to send emails to the wrong person and are twice as likely to send company data to their personal email accounts than their UK counterparts. One-third of all employees surveyed take company documents with them when they leave a job, with US workers twice as likely as UK workers to do so.
When asked why they put their company and its data at risk, employees gave a variety of answers, with half saying “not being watched by IT” was their main reason for not following safe data practices. Another 47% said distractions at home caused them to take more chances and 51% say security policies impeded their productivity while 40% cited the pressure to get work done quickly as a reason. Of those surveyed, 54% said they would find workarounds if security policies stop them from doing their jobs.
A recent report on data breaches from Verizon found that 30% of breaches involve internal actors exposing company information as a result of negligent or malicious acts and the Tessian study confirms many of Verizon’s findings.
When broken down by organization size, more than half of those at organizations with at least 50 employees, 250 employees and 999 employees all say they are less likely to follow safe data practices.
Younger employees are also more likely to think they can get away with riskier data behavior, according to the survey.
More than half of all employees have training every six months but this statistic varied greatly based on the industry. The average for all industries was training every eight months, but companies involved in public services, energy, utilities, engineering, manufacturing, education, environment and agriculture all have training 10 months at a time or longer.
“As with most things related to cybersecurity, user awareness is a big deal and training programs are key, but a lot of organizations don’t have a follow up to training,” said former chief information security officer Allen Look in the survey.
“They don’t have a system in place to measure user compliance, performance, and success around protecting sensitive information. So what happens if they repeatedly fail? So we retrain them? There often aren’t clear consequences or avenues for remediation, which means nobody is actually held accountable when an incidence occurs.”
The priorities also varied between IT leaders and employees when it comes to the consequences of data loss. Employees were more focused on damaged reputation and losing their jobs while IT leaders were more concerned about losing customers, damaging consumer trust, breached information, and a hurt reputation.
The report includes a number of suggestions that included more training, more stringent company policies, and the adoption of automation or machine learning to help protect data.
“Business leaders need to address security cultures and adopt advanced solutions to prevent employees from making the costly mistakes that result in data breaches and non-compliance. It’s critical these solutions do not impede employees’ productivity though,” Sadler said. “We’ve shown that people will find workarounds if security gets in the way of them doing their jobs, so data loss prevention needs to be flexible if it’s going to be effective.”