Underprepared employees increase cyber risk, and are one reason some companies are less resilient in the face of COVID‑19 disruptions
Summary
A survey of 2,000 remote workers in the UK reveals that two-thirds have not received cybersecurity training over the past year, and 61 percent said they were using personal devices to work remotely instead of corporate-issued devices. Despite these shortcomings, 77 percent reported that they are not worried about security while working from home.
Report
Analysis
These numbers provide a quantitative snapshot of the increase in risks to corporate IT networks since the COVID‑19-driven explosion in remote work began. What has exploded in many cases is the complexity of the corporate IT network. Network complexity is best described as the size of the threat surface and the range of software and endpoint devices on it.
Much has been written about the increased risk of security breaches due to the new working environment: cloud and VPN access instead of in-house IT networks; new work environments, stresses and distractions for employees; and different and unfamiliar hardware and software systems, all of which inherently increase cyber vulnerability for companies. That 77 percent of employees report not being worried about security despite these issues is a problem, since vigilance about security is a necessary part of good cyber hygiene, especially when new systems and work processes are being deployed.
A key tenet of cyber governance concerns people and process, including regular and ongoing training of staff on security practices and procedures, as well as making sure they are fully trained on the corporate IT systems. COVID‑19 highlights that cybersecurity training and contingency planning must be executed regularly and refreshed frequently, as the sudden implementation of remote work meant that there was no time to refresh training before employees left their offices. Companies that manage their technology well tend to be strong on ‘people and process’ and were better prepared for the sudden shift. It is also why companies with good cyber governance are proving more resilient in the face of the overall shocks than those with poor cyber governance.
This survey data appears to show that many companies are deficient on the human element at a time when networks are under unprecedented strain—not a good combination.