
The Cybersecurity Disconnect: Remote Working Highlights The Need For Improved Communication, Policy And Strategy

By Chris Hurst | March 1, 2021 | Updated: February 13, 2023 | 6 Mins Read

As a vast portion of UK employees continue to be restricted to at-home working, the buck of keeping digital devices secure seemingly once again stops with the remote workforce. However, with survey findings showing that almost a third of UK workers believe security protocols are less important when working from home, it is clear that the chain of instruction from security vendor, to security leader, to end user, isn’t making it through.  

Organisations may have had almost a year to adjust and structure their digital networks in a way that relieves some of this pressure from staff members. But it is ultimately the understanding and actions of individuals sat at their kitchen tables, in their studies, or perhaps even from their beds, that will dictate whether enterprise technologies and systems are more or less vulnerable to attacks. And in this regard, they need stronger guidance.  

Research into the connection between security leaders and vendors has found that almost six in 10 of the former find it difficult to filter information provided by the latter, and to then convert a solution into actions and insights. Over half (58%) actually believe that the information they receive from their cybersecurity vendor isn’t even relevant to their organisation. This high-level confusion or disillusion about what they’re working with trickles down to those in their homes, with almost 30% of UK employees admitting that they don’t understand their employer’s security measures. 

Cyber vulnerability wasn’t just a 2020 trend 

Such a disconnect would be a worrying trend at any time, but given that we’ve begun 2021 in lockdown, the notion of making a swift return to normality this year has already been quashed. We’re set for continued restrictions for at least the first few months of the year, and many companies are expected to adopt remote working as a longer-term or full-time option. This means the potential for prolonged digital vulnerability if the relationship between vendors, businesses and employees doesn’t improve.

The repercussions of this situation not being rectified have already come to light after the events of the past year. At the beginning of the pandemic back in March 2020, it was revealed that up to 90% of breaches are caused by human error – an ominous forecast for what might come. By the middle of 2020, this had translated into more than 726 million cyber-attacks launched on online resources, as IT teams struggled to come to terms with the accelerated shift to remote working. It could reasonably be hoped that after a year of monitoring these alarming figures and trying to adapt, businesses would have a better handle on their cyber protection. But the stats continue to tell a different story.  

Don’t blame the workers 

So, what should each link in the chain be doing to remedy this situation? From an employee perspective, the evidence for stronger assistance above them is all too clear: at present, one in 10 don’t know if their devices are connected securely at home or have admitted they are not; more than a quarter admit to bypassing their employer’s security measures to download unauthorised software, and 30% have connected to a mobile hotspot to get around security protocols. These statistics are underpinned by a third being less sure of security measures when working from home. 

However, it is fair to posit that staff, at the end of this chain, are the least culpable leg in the tripod. It is policies, strategy and education that shape positive behaviours, and unless staff are directed in a way that makes cybersecurity hygiene understandable, they can’t be expected to work securely.

To this end, vendors and security leaders must work on improving their own communication channels as a priority, to better align ideas and messages. The result would be an organisation that benefits from bespoke, tailored solutions, that have been offered off the back of strong data insights attained from positive working behaviours. In short, a mutually beneficial partnership.   

Aligning policy, strategy and behaviours 

In adopting the above mindset, IT decision-makers can take a step closer to realising their goal of demystifying cybersecurity for their organisation. More than 80% of CISOs and similar job roles earmarked this ambition, but around two-thirds currently believe the information they are receiving is too complicated to filter down to employees.  

A two-pronged strategy should be explored to turn the tide in the opposite direction. This begins with the provision of effective technology within organisations. It sounds simple, but if the information being filtered down from vendor to company doesn’t match with the devices and equipment being used, then trust and protection among workers falls at the first hurdle. 

A clear and consistent strategy needs to be put in place that covers not only the tech itself, but a set of defined policies and processes that keeps every individual and the wider organisation secure. This should then involve training and workshops to align policy, an explanation of the rationale behind that policy, and the ultimate strategy that each worker should follow to help adhere to those positive behaviours.

Threefold responsibility 

We may be working from a baseline performance where 72% of CISOs assume that employees are less likely to follow protective measures from home, but this period of continued lockdown still presents a positive opportunity. It has highlighted a communication disconnect and perhaps a lack of organisational policy geared towards cybersecurity that can now be resolved at an accelerated pace.  

The current picture is one of a trickle-down effect that fosters mistrust and confusion between each of the three parties. Vendors, security leaders and employees are all able to disconnect from each other at the moment, with the excuse that each is doing their best with the tools and information they have. Instead, what needs to happen is a transparent and partnered approach, where vendors can gain a better understanding of an enterprise’s – and its employees’ – bespoke needs.

By focusing attention on the initial bridge of communication, and the general relationship between vendor and organisation, the resulting policies and strategies put in place will resonate with the end worker. It’s a subtle tweak to the existing dynamic that will have positive upshots in terms of employee confidence with tech, the respective company’s overall security levels, and the vendor’s valuable insights that they can then use to improve the offering. We look forward to seeing this positive shift play out at a time of great pressure for so many, so that all three links in the chain can come out of lockdown stronger than they were before.

Chris Hurst

General Manager, UK and Ireland at Kaspersky

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
