A lot of office workers are fed up with what they perceive to be unnecessary security policies and measures, according to a new study.
The study, from HP Wolf Security, found that employees working from home and IT teams often don’t see eye to eye on what’s necessary to keep everyone, and the company’s assets, safe. The study included feedback from more than 8,000 working adults and 1,100 IT decision-makers.
Nearly half of office workers surveyed, for example, said that seemingly essential security measures result in a lot of wasted time. Joanna Burkey, chief information security officer at HP Inc., said that some of the measures employees see as particularly onerous are extra logins or the inability to email files to oneself for offline working. Companies could ease the pain by talking to users about what might work better for them and achieve the same result, Burkey suggested. For example, there are multiple ways that companies could address biometric logins or commonly accessible file transfer and storage.
Unclear Security Measures
The survey also found that 39% of employees are unsure what their security policies say or are unaware if their company even has them.
That’s a common problem, Burkey said, but easily solved by clearer and more compelling communication and engaging training. “Being able to articulate the ‘why’ behind policies goes a long way in reaching joint understanding and cooperation,” she said.
Before cybersecurity teams default to thinking there are policy problems to fix, they should think about an alternative approach that acknowledges that real life, especially in a world of hybrid work, doesn't always mean people will follow policies. “Cybersecurity has to be something that everyone can operationalize effectively, where users are aware of security policies and play their part and everyone is working together to keep the enterprise safe from threats,” Burkey said.
A large majority of IT teams – 83% – believe the increase in home workers has created a “ticking time bomb” for a corporate network breach, according to the survey, likely due to home workers avoiding security procedures and policies the company has put in place. Corporate network breaches can take many forms, including ransomware, firmware attacks against PCs and printers, and exploited vulnerabilities.
The solution, Burkey said, involves finding new levels of endpoint protection that provide advanced visibility and remote management while being as unobtrusive as possible to avoid end users trying to circumvent it. It also involves creating a positive security culture across the business that positions security as a shared responsibility.
Security a 'Thankless Task'
IT teams today also suffer from morale problems. Eighty percent of IT teams said IT security is becoming a “thankless task” because nobody listens to them, and nearly 70% said they are made to feel like the “bad guys” for imposing restrictions.
“If you have a staircase in the office, you need to install a banister and have it carpeted so people don’t fall, and that’s what cybersecurity teams are doing,” Burkey said. “But at the same time, they’re trusting that people don’t run down it three steps at a time and potentially injure themselves. I think we need to reset that expectation and build more collaborative security cultures to secure the future of work.”
Other survey results include:
- 76% of IT teams admit security took a back seat to business continuity during the COVID-19 pandemic, while 91% felt pressure to compromise security for business continuity.
- Almost half (48%) of younger office workers (18-24 years old) surveyed viewed security tools as a hindrance, leading to nearly a third (31%) trying to bypass corporate security policy to get their work done.
- 37% of office workers surveyed said security policies and technologies are often too restrictive.
- 80% of IT teams experienced pushback from users who do not like controls being put on them at home; 67% of IT teams said they experience complaints about this weekly.
- 83% of IT teams said trying to set and enforce corporate policies around cybersecurity is impossible now that the lines between personal and professional lives are so blurred.