Over the past few months, Americans have received a crash course in working from home. For the majority of employees, working from home was a rare and short-term occurrence that they only had to worry about if they were sick or in other extenuating circumstances. But it has now become the norm — a norm that will likely persist as the attempt to reopen the country runs into the hard reality of a new spike in COVID-19 cases.
Working from home presents a particularly daunting set of challenges for cybersecurity. All too often, cybersecurity is an afterthought even when employees are in the office with secure servers and IT professionals on hand. When employees are working from home, they’re liable to be less scrupulous than normal about ensuring that they’re keeping their companies (and themselves) safe from cyberattacks.
The remedy to this situation, as is so often the case with cybersecurity, is education. Companies have to be more persistent than ever with their emphasis on cybersecurity — at a time when employees are more likely to be using unsecured equipment, they’re also more likely to engage in risky behavior. This is a situation that can only be addressed with training and awareness.
Employees behave differently at home
In the privacy of their own homes, employees are more inclined to get sidetracked by links that aren’t related to the task at hand, visit questionable websites, and pay less attention to cybersecurity in general. There are many reasons for this behavior shift — when employees aren’t in the company of colleagues, they’re less concerned about how their digital habits may be perceived. Even when employees have private workspaces, they’re often using company equipment on company servers, which deters unsafe behavior.
A 2020 survey by Tessian found that more than half of employees working from home “say security policies impede their productivity” and admit that the “easiest or most convenient path often involves skirting around security rules.” Although the vast majority of IT leaders say they trust employees to follow cybersecurity policies while working from home, significant proportions of employees at companies of all sizes say they’re less likely to observe safe cybersecurity practices at home.
Two of the top reasons employees give for their unsafe cybersecurity practices at home are “I feel as though I’m not being watched by my IT team” (48 percent) and “I am distracted” (47 percent). In other words, there’s a direct connection between their different work environment and their behavior.
A lack of cybersecurity resources
According to a recent survey by Morphisec, around half of employees are working from home for the first time during COVID-19. This is why it should come as no surprise that they also don’t have the proper cybersecurity software or equipment. The survey found that 56 percent of employees are using their personal computers for work, and almost a quarter don’t even know what security protocols or software they have in place.
These numbers demonstrate that companies aren’t just failing to provide employees with the cybersecurity resources they need — they also aren’t giving them the training that will help them effectively use the resources that are available. There are many basic device security measures that every employee should adopt: always keep all of your devices and apps updated with the latest security software, use a VPN whenever you’re on a WiFi network you don’t trust, use high-quality endpoint protection (Webroot, for instance), don’t reuse passwords, implement multi-factor authentication wherever possible, and double check email senders and recipients.
If your employees are neglecting any of these cybersecurity fundamentals, there’s a good chance that they’re exposing your company to a wide range of unnecessary risks. And if they’re actively ignoring cybersecurity guidelines, it’s even more important to point out all the ways in which their behavior can harm the company — as well as employees themselves.
The importance of empathy and engagement
Although it can be frustrating when employees take risks and fail to observe cybersecurity best practices, managers should always remember that we’re in the middle of a chaotic and stressful crisis. A recent survey conducted by the Kaiser Family Foundation reports that 45 percent of American adults “feel that worry and stress related to coronavirus has had a negative impact on their mental health.”
Many Americans have been forced to stay away from loved ones, experienced deaths and sickness in the family, and suffered severe economic burdens. Is it any wonder that cybersecurity isn’t top of mind? However, the harsh reality is that cyberattacks — many of which have exploited fears about COVID-19 — can make a terrible situation even worse. This should be the core message companies deliver to their employees: cyberattacks don’t just affect the bottom line. They lead to stolen identities, millions of dollars lost, and other consequences that affect companies, employees, and their families.
At this time, cybersecurity is more important than ever. Companies are operating on thinner margins, many employees are in a precarious financial situation, and cybercriminals are taking advantage of COVID-19 and the economic fallout. This is why your cybersecurity platform has to consist of more than an occasional email prompt — it should be immersive, data-driven, and capable of vividly demonstrating the huge amount of damage cyberattacks can cause. The companies that deliver effective cybersecurity training will be the ones that keep their operations and employees safe — whether at home or anywhere else.
