‘Check the Box’ Awareness Training has Little Impact on an Organisation’s Security Posture
Mimecast Limited (NASDAQ: MIME), has new research which highlights the risky behaviour of employees using company-issued devices. More than 1,000 respondents in countries throughout the globe were asked about their use of work devices for personal activities and how aware they are of today’s cyber risks. The results highlighted the need for better awareness training, as people are clicking on links or opening suspicious emails despite having been trained.
Earlier this year, an urgent request for IT teams across the globe was to ensure the efficient issuance of laptops and other computing devices to employees, as much of the workforce started working remote due to the novel coronavirus pandemic (COVID-19). A key priority for IT professionals was to then ensure their IT and security policies were ready for the rush to remote work.
The Blurring of Personal and Professional Life
Mimecast’s research found that 73% of respondents globally extensively use their company-issued device for personal matters, with nearly two-thirds (60%) admitting to an increase in frequency since starting to work remote. The most common activities were checking personal email (47%), carrying out financial transactions (38%) and online shopping (35%).
In comparison, 78% of Australian respondents are using work tools for personal matters more than other nations, with 53% reporting an increase in personal usage during COVID-19. While personal email (53%) and financial transactions (51%) ranked highly locally, social media (40%) was the third most common Australian activity, above shopping (38%).
According to the State of Email Security 2020 report, personal email and browsing the web/shopping online were already two areas of major concern for IT professionals. Seventy-seven percent of Australian respondents said there was a risk to checking personal email as the cause of a serious security mistake, and 70% thought surfing the web or online shopping could likely cause an incident.
Awareness Training Doesn’t Always Mean Correct Behaviour
Encouragingly, 97% of Australian respondents claim to be aware that links in email, on social media sites and on websites can potentially infect their devices. Seventy-one percent have even received special cybersecurity awareness training related to working from home during the pandemic, which is higher than the global average of 64%. However, this doesn’t always translate into putting this knowledge into practice. Over a third (35%) of Australian respondents admitted to opening emails that they considered to be suspicious. Thirty-eight per cent admitted to not reporting suspicious emails to their IT or security teams.
“This research shows that while there is a lot of awareness training offered, most of training content and frequency is completely ineffective at winning the hearts and minds of employees to reduce today’s cyber security risks,” said Josh Douglas, vice president of threat intelligence. “Better training is crucial to avoid putting any organisation at risk. Employees need to be engaged, and trainings need to be short, visual, relevant and include humour to make the message resonate. In fact, Mimecast has found that end-users who have taken Mimecast Awareness Training are 5.2 times less likely to click on dangerous links. Awareness training can’t be just another check-the-box activity if you want a security conscious organisation.”
The Younger Generation Can Be an Organisation’s Greatest Risk
Despite being the most tech savvy generation, younger workers may be putting organisations at greater risk. Surprisingly almost 60 per cent of the 16-24 age group globally admitted to opening emails even though they looked suspicious, with young Australians faring slightly better at fifty per cent. This group is also more guilty of blurring the lines between their business and personal usage of these devices. Eighty-seven per cent of the Australian 16-24 age group reported using their issued devices for personal use, while 58% of the older – 55+ – group admitted the same.
“Security professionals need to ensure their organisation isn’t growing more exposed as threats evolve to better target the unsuspecting,” commented Douglas. “With everyone’s home becoming their new office, classroom and place of residence, it’s not really a surprise that employees are using their company-issued devices for personal use. However, this is also a big opportunity for threat actors to target victims in new ways. We’ve seen attacks become more aggressive and the attack surface has expanded due to the new ‘WFH’ or hybrid work environments.”
Australian respondents averaged almost 2.4 hours of personal activity on their work devices a day (higher than the global average of 1.9 hours), with almost a third (30%, compared with 22% globally) clocking more than 3 hours of non-work-related screen time.
The research also revealed how habits differ between males and females. Seventy-eight percent of men reported using their corporate device for personal business versus 65% of women.
Methodology
Data was collected by Censuswide in September 2020 with more than 1,000 respondents from organisations in the United Kingdom, United States (US), Australia, South Africa, Netherlands, Germany, Canada and United Arab Emirates (UAE). Organisations included have greater than 100 employees and currently have a company-issued mobile device, laptop or computer for work.
Download the full Company-Issued Computers: What are Employees Really Doing with Them? report.
