A survey of more than 1,100 American workers conducted by PwC suggests the divide between cybersecurity teams and the end-users they are trying to protect has only widened in the wake of the COVID-19 pandemic.
While most cybersecurity and IT leaders have increased access to cybersecurity training since the bulk of employees suddenly began working from home in March, only 30 percent of employees said their employer trained them on to secure data, and only 23 percent said their company provided a compelling case for why employees need to have good data security habits.
Well over a third of respondents (39%) said they find it burdensome and restrictive to comply with all the security guidelines of their organization. Less than a third, however, also said they are required to authenticate their identity to access corporate networks/data (31%).
Less than a third (29%) also said their employer provided devices so they could work outside the office without having to employ their personal devices. In addition, more than half (51%) of the Millennials and 45 percent of so-called Gen Zers admitted they use applications on their work devices that their employer has expressly prohibited.
Perhaps most troubling of all, though, only just over a quarter (26%) of respondents strongly agree that they can escalate a security incident they may have caused without fear of reprisal.
Increased cybersecurity challenges
Cybercriminals have apparently taken note of reckless employee behavior. A global survey of 1,000 CXOs conducted by Tanium, a provider of endpoint management and security tools, find 90 percent have seen an increase in cyberattacks due to the pandemic. The most common of these were attacks involved data exposure (38%), business email or transaction fraud (37%), and phishing (35%).
A full 98 percent of respondents said they experienced security challenges within the first two months of the pandemic. The top three challenges identified are new personal computing devices (27%); overwhelmed IT capacity due to virtual private network (VPN) requirements (22%); and increased security risks involving video conferencing (20%).
A full 88 percent of respondents also had trouble patching systems, with 43 percent specifically citing difficulties patching personal devices belonging to workers. Just over a quarter (26%) admit they effectively side-lined patching systems at a time when Microsoft alone released more than 100 fixes on successive Patch Tuesdays.
Preparing for an extended battle
While most IT teams are to be applauded for enabling a mass transition to working from home in a matter of a few days, it's clear that from end-user training to zero-trust architecture there are lots of cybersecurity issues that need to be addressed. Many organizations assumed the COVID-19 pandemic would be roughly equivalent to an extended blizzard that would shut down the office for a few weeks. Increasingly, it’s looking like combating the COVID-19 pandemic will be an extended battle that requires fundamentally new approaches to how IT is delivered and secured.
Naturally, each organization always will need to decide just what the right level of business risk should be given the sensitivity of the data that needs to be protected. However, organizations are being presented with a unique opportunity to approach cybersecurity with a blank piece of paper that should not be wasted.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.