Content, Content

Study: Most Remote Workers Willing to Skirt Employers’ Cybersecurity Policies


On premise employees are often said to be the weakest link in an organization's cybersecurity chain. Are they an even bigger liability when working remotely from home? a new Trend Micro study sought to answer.

Maybe they are. While three quarters of remote workers are more cyber-aware in the coronavirus (COVID-19) lockdown, many are breaking their organization's rules due to a limited understanding or resource constraints, the security specialist found.

On the one hand, Trend Micro’s Head in the Clouds study indicates a high level of security awareness among remote workers: About 85 percent of the 13,200 remote workers globally surveyed take instructions from their IT team seriously. Cybersecurity within their organization is partly their responsibility, said roughly 80 percent of the respondents. And, 64 percent understand that using non-work applications on a corporate device poses a security risk.

On the other hand, workers who comprehend policies and rules don’t necessarily follow them, the study found. Here are some supporting findings:

  • 56% of employees use a non-work application on a corporate device.
  • 66% have uploaded corporate data to that application.
  • 80% of respondents use their work laptop for personal browsing but only 36% fully restrict the sites they visit.
  • 39% often or always access corporate data from a personal device.
  • 8% watch or access pornography on their work laptop and 7% access the dark web.

For many remote users, productivity supersedes cybersecurity. For example, 34 percent will use an application unsanctioned by their organization’s IT team to get the job done, the study said. Additionally, 29 percent prefer using a non-work application because they believe the solutions provided by their company are “‘nonsense.”

“In today’s interconnected world, unashamedly ignoring cybersecurity guidance is no longer a viable option for employees,” said Bharat Mistry, Trend Micro principal security strategist. “It’s encouraging to see that so many take the advice from their corporate IT team seriously. Having said that, there are individuals who are either blissfully ignorant or worse still who think cybersecurity is not applicable to them and will regularly flout the rules."

Diligent employees often end up being penalized by those who break the rules, Mistry said. "CISOs looking to ramp up user awareness training may get a better ROI if they try to personalize strategies according to specific user personas,” he said in a blog post. "By understanding that no two employees are the same, security leaders can tailor their approach in a more nuanced way."

Trend Micro’s work adds to the growing body of research on the cybersecurity safety of remote workers. For example, a PC Matic study found that 93 percent of employees did not receive an antivirus solution to install on their personal device used for work and only 22 percent received additional security training from their employer. Similarly, nearly 75 percent of teleworking employees lack assistance from their employers on security awareness, guidance or training, a Kaspersky report found. And, of the 80 percent of U.S. employees who either rarely worked or did not work from home prior to the pandemic, more than half are now doing so without security policies to guide them, according to an IBM Security survey.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.