Cybersecurity Breakdown: Improving Workplace Awareness

The holiday shopping rush is in full swing, and employees are increasingly using company-issued devices to complete their gift purchases while at work. In fact, recent research from Robert Half Technology found that 75% of employees admitted to shopping during work hours on a company device on Cyber Monday and 23% spent even more time online bargain hunting while at the office. This data shows how critical it is for organizations to be aware of the risks that their employees pose throughout the holiday season, and beyond.

To explore what today’s employees are doing during work hours when it comes to web usage, Mimecast surveyed more than 1,000 people who use company-issued devices (i.e. mobile phones, desktop computers or laptops) in the workplace. This allowed us to get a better sense of not only their behavior, but also their awareness of basic threats plaguing organizations. We also inquired about how much—if any—cybersecurity awareness training they’ve received from their employer.

Here’s what we found:

Today’s employees are lacking basic cybersecurity awareness

It seems like every day there’s another breach (with Marriott Hotels providing the latest example), vulnerability or other cybersecurity incident in the news. Cyberattacks are the number one business risk in North America, yet we found that nearly one-in-four employees aren’t aware of the most common threats plaguing today’s organizations—such as phishing attacks, impersonation attempts and ransomware.

Get more posts like these delivered to your inbox every week. Subscribe to Cyber Resilience Insights now.

Additionally, 15% of respondents admit they could either be more cautious or just completely trust that the emails being sent to their devices are safe from any type of threats. In an age where one wrong click from a single employee can compromise a company’s entire infrastructure, these are rather alarming numbers.

When we asked what they use their company-issued device for, more than two-thirds (69%) said in-part for non-work-related activities. The top three personal use cases are reading the news (53%), checking personal email (33%) and browsing social media (23%).

Additionally, nearly 28% use their company-issued device for personal reasons for at least one hour per day, with the number rising to 40% among younger workers (18-24-year-olds). Shockingly, one-in-10 employees are using their devices for personal reasons for more than four hours per day.

In addition to wasting valuable time at work, personal use of corporate devices presents security concerns. It’s extremely difficult for employers and IT departments to know exactly what these individuals are clicking, browsing and engaging with each work day.

So, employees are ultimately to blame for making hackers’ jobs easier, right? Well, not exactly…

Let’s take a look at what employers themselves are (or aren’t) doing to help the cause.

Cybersecurity and awareness training is missing in a time when it’s needed most

According to our findings, nearly 60% of employees either aren’t aware of their companies having a formal policy on their personal web use at work, or there isn’t one in place at all.

In fact, just 45% of modern businesses provide mandatory formal cybersecurity training, despite human error being one of the most common causes of security incidents. Another 10% offer this type of training as optional. Additionally, amongst those businesses that do offer cybersecurity training and education in some capacity (kudos to you brave few), just 6% provide trainings monthly, while 4% do so quarterly, 9% of the respondents stated they had only received formal cybersecurity training during the onboarding process when they started their job.   

As we drilled down a little deeper, many companies are relying on rather archaic, and frankly ineffective, practices. The most common approach revolves around an emailed or printed list of cybersecurity tips and reminders (33%). This is followed by issuing proactive prompts around safe and unsafe links (30%) and interactive best practices videos (28%).

What does this all mean?

It could indicate that businesses are inherently trusting their employees to know what, and what not, to click on, and to be smart when it comes to browsing the web—for both professional and personal reasons. It could also mean that today’s organizations simply don’t have the resources or know-how to implement formal cybersecurity and awareness training.

And with cyberthreats continuing to evolve so they can bypass traditional security methods, like anti-virus and anti-spam filters, it’s essential organizations integrate cybersecurity awareness training into their overall cyber resilience strategy.

Three Cybersecurity Best Practices

For organizations looking to kick-start, or refresh, their cybersecurity education practices, a few simple tips can make all the difference:

• Be persistent: A one and done approach isn’t enough. It’s important to keep reiterating to employees what they need to be aware of when it comes to cyber threats and best practices to spotting malicious messages, websites, etc. Don’t try to get every bit of training out of the way in a single onboarding class or annual refresher session. Instead, teach in short bursts of no more than a few minutes.
•  Make it mandatory: Training should be provided at 30-day intervals. More importantly, after you train once or twice, don’t stop there—make it a consistent, mandatory, company-wide practice.
• Make it funny: The easiest way to lose your audience is by making the training boring, irrelevant, and worst of all, forgettable. Incorporating personalities, recurring characters and relatable content can go a long way toward the content having a lasting impact.

As we look toward 2019 when cybersecurity incidents are almost guaranteed to continue on this hectic pace, it’s a perfect time for businesses to institute more formal cybersecurity awareness training and education practices to defend against one of the biggest threats – themselves.

Learn more about how Mimecast can help your organization with cybersecurity awareness, training and education here.