A new study has emerged claiming that more than two-thirds (39%) of employees use their personal devices to open corporate data, which leaves a significant security gap for outside actors to take advantage.
The results come from security company Trend Micro who published its Head in the Clouds study, stating that a dangerous amount of workers around the globe are using their personal devices to access sensitive corporate information, leaving the door open to potential outside actors.
The study took responses from 13,200 employees working in 27 countries around the globe to find out their organisation’s attitude and approach toward cybersecurity, with the help of Dr Linda K Kaye, a cyberpsychology academic from the Edge Hill University.
TrendMicro is reporting that 39% of its 13,200 respondents said they were guilty of accessing corporate data and cloud storage networks via their personal computers, smartphones and tablets.
In addition to this, the study found that 52% of remote workers around the globe had their personal devices connected to smart devices around their home, which presents another potential opportunity for hackers looking to access personal information of the individual, or their employer.
TrendMicro says that this is particularly disastrous, considering that more than one-third (36%) of those remote workers failed to implement even the most basic of password protections on their devices.
Bharat Mistry, TrendMicro’s principal security strategist notes in the report that smart devices, connected to the internet of things (IoT) “has empowered simple devices with computing and connectivity, but not necessarily adequate security capabilities.”
Grab Your Free ISO Gap Analysis Checklist
“This threat is amplified as an age of mass remote work blurs the lines between private and company devices, putting both personal and business data in the firing line,” he said.
Finally, TrendMicro says it’s important to note the amount of remote workers accessing these cloud storage networks and their organisation’s internal network via a home internet connection. A reported 70% of employees were found to be logging on to sensitive networks with their home internet connection, which can present another avenue for unauthorised access from a third party.
Sarah Coble of Infosecurity Magazine writes that “since home networks typically offer security protection that is inferior to what which a business can afford to implement, researchers expressed concern that attackers could access home networks, then use unprotected personal devices as a stepping stone into the corporate networks they’re connected to.”
Dr Linda Kaye notes in the report that “the fact that so many remote workers use personal devices for accessing corporate data and services suggests that there may be a lack of awareness about the security risks associated with this.”
“Tailored cybersecurity training which recognises the diversity of different users and their levels of awareness and attitudes around risks would be beneficial to help mitigate any security threats which may derive from these issues,” Dr Kaye added.
Dr Kaye noted four predominant attitudes towards cyber security, which include being fearful, ignorant, conscientious and a daredevil toward online activities.
Those that were anxious about their activity reported being concerned about doing something wrong, or exposing themselves or the organisation to an outside threat. They were found to be highly accountable to their employer, but not always aware of cyber risks and how to mitigate them. They “may” deploy risk avoidance strategies at the cost of productivity, according to Trend Micro.
Conscientious employees were the second personality trait mapped out by Dr Kaye, who says that they understand the risks associated with their role, they’re highly accountable to their employer and they actively take steps to both manage and avoid risks online.
The third type of employee is the ignorant employee, who lacks awareness of cyber risks, accountability to their employer and is careless about their online activity. The fourth and final personality mapped out is the daredevil-type, who is careless about cybersecurity, lacks accountability, and believes that the rules of cybersecurity don’t apply to them.
