Employees' Risky Activities Leave Organizations Open to Cybercrime

Employees engage in risky cyber behavior to get their work done.

Edward Gately, Senior News Editor

July 27, 2021


Despite knowing the dangers, most workers are engaging in risky activities that could put their company’s digital security at risk.

That’s according to a global survey of more than 8,000 employees. Sapio Research conducted the survey for ThycoticCentrify.

The survey found nearly 80% of respondents have engaged in at least one risky activity over the past year. Among risky activities, more than a third have saved passwords in their browser in the last year. A similar number have used one password to access multiple sites. In addition, around one in four have connected a personal device to the corporate network.

Almost all respondents are aware that individual actions such as clicking on links from unknown sources or sharing credentials with colleagues are a risk. Despite that, only 16% feel their organization is at a very high risk of a cybersecurity attack.

Engaging in Risky Activities to Get Work Done

Joseph Carson is chief security scientist and advisory CISO at ThycoticCentrify.

“The most surprising finding in the research is that while employees understand the risks, they are willing to accept it so they can get their job done,” he said. “They assume that the IT security team has got their back and will prevent anything bad happening even if they take the risks.”

Saving passwords in a browser can lead to credential theft, Carson said.

“Most browsers’ security settings are turned off,” he said. “And when an employee saves credentials within the browser, including corporate credentials, if an attacker ever gains access to the endpoint it also means they have access to any stored credentials within the browsers.”

Just 44% of respondents received cybersecurity training in the past year, according to the survey. That means more than half of the employees surveyed were left to cope alone with the increased threat landscape created by remote working.

“When faced with tough choices such as getting the job done, employees will always take the easy path,” Carson said. “And that means risking security. Employees need to understand the risks of the actions they take.”

Training Helps Cut Down on Risky Activities

Staff are more likely to rate the cyber risk to their organization as high if they have been trained. That indicates they have a better understanding of the risks.

Key findings from the United States include:

  • Eighty-six percent of respondents acknowledged the companies they work for face small to very high cyber risk. However, nearly half admitted that they have not received any cybersecurity training from their employers in the last year.

  • More than a quarter still feel there is little risk associated with family members using company devices.

  • More than a third admitted they feel that it’s acceptable to access work systems via public Wi-Fi in order to get work completed.

  • Only 14% cited “role-based access controls” as a priority network security measure implemented by their organization.

Smaller Companies More at Risk

People working at SMBs are least likely to have received cybersecurity training in the past year. Those at smaller companies perceive their risk to be lower.

Smaller companies were also least likely to have implemented protection such as multifactor authentication (MFA) or VPNs compared to larger organizations.

The survey revealed an overarching sense of responsibility among employees. Eighty-six percent agree they have a personal responsibility to ensure they do not expose their organization to cyberthreats. However, 51% still think IT departments should have sole responsibility to protect companies.

MSSPs and other cybersecurity providers can help organizations limit or eliminate risky activities.

“The best way to help organizations is to help automate and adopt usable security measures so employees don’t have to make a choice so the only way is the secure way,” Carson said.

About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
