ESG recently completed an interesting study where, rather than surveying IT buyers and practitioners as is normally the case, we targeted employees in non-IT roles like sales, human resources, marketing, and finance. This provided a view of how the typical worker thinks about technology and the impact it has on their professional life. While much of the survey covered end-user processes and technologies (mobile devices, applications, voice assistants), respondents were also asked for their perspectives on cybersecurity.
The cybersecurity results are reviewed in detail in this ESG Brief, but some of the high-level takeaways included:
- Threats are exacerbated by risky employee behavior – between one in five and one third of employees report downloading personal applications to work devices, sharing sensitive information on public Wi-Fi networks, or disabling/removing AV software. The numbers are even higher for certain types of workers (mobile, senior managers, younger). When cybersecurity best practices get in the way of productivity or convenience, workers will obviously cut corners.
- Passwords remain an issue – nearly three-quarters of workers report reusing passwords at least occasionally. This isn’t surprising due to device and application sprawl, but is still worrisome. Single sign-on/password manager technologies are at the top of the list of technologies that workers want in order to alleviate the frustrating and productivity-draining process of managing multiple passwords.
- Awareness training is becoming more common, but is still not pervasive – 60% of workers report participating in required cybersecurity training, but only 43% said it was a recurring practice. Companies don’t want to burden their employees with unnecessary or unproductive training. However, when done right, cyber awareness training can make an impactful difference. But this requires going past just checking the box and creating an iterative program of training and testing to focus on the most vulnerable vectors and employees.
Overall, my takeaway was that cybersecurity vendors need to spend more time on the user aspect of security. Accounting for the views of those that are on the top line will become increasingly important as cybersecurity continues to move into the mainstream. That’s happened within the IT department, but there’s still room to grow among the non-IT employee base.