Are you the fearful kind? Are you the conscientious type? Are you just plain ignorant or do you see yourself daredevil?
A 2020 Trend Micro study of remote workers in Singapore revealed that 59% of respondents are more conscious of their organization’s cybersecurity policies since the start of the national ‘circuit breaker’ measures.
However, many still break the rules due to limited understanding or resource constraints.
The Singapore edition of the Trend Micro’s Head in the Clouds study revealed that employees displayed different attitudes and behaviours towards cybersecurity, suggesting that broad training might be too general to capture these differences. It suggested taking different approaches in encouraging positive security practices.
For instance, employees who are fearful of breaking security rules might benefit more from simulation exercises, where they are allowed to try and experience things they normally would not.
The results indicate a high level of security awareness among local employees, with 89% of respondents claiming they take instructions from their IT team seriously. While 87% of employees agree that they have a role to play in keeping their organization secure, 71% acknowledged that using non-work applications on a corporate device is a security risk.
- 39% say they often or always access corporate data from a non-work device – almost certainly breaking corporate security policy
- 16% of them are likely to click on a link offering free services, such as extra cloud storage and greater internet connectivity, from an unknown email address
- 38% of employees use public Wi-Fi when working remotely, without using the company VPN
- 52% of users confess to downloading or using a non-work application on a corporate device – of this pool, 35% of them did not request permission from the IT team
- 37% have uploaded corporate data to non-work applications
Cybercriminals bank on such unsafe practices to attack businesses. Phishing tactics continue to be favoured by threat actors, as seen by the marked increase in Singapore-hosted phishing URLs detected last year – from 16,100 in 2018 to 47,500 in 2019.
Dr Linda K. Kaye, Cyberpsychology Academic at Edge Hill University explains: “There are a great number of individual differences across the workforce. This can include individual employee’s values, accountability within their organization, as well as aspects of their personality, all of which are important factors which drive people’s behaviours. To develop more effective cybersecurity training and practices, more attention should be paid to these factors. This, in turn, can help organizations adopt more tailored or bespoke cybersecurity training with their employees, which may be more effective.”
Productivity still trumps protection for many users. Thirty-eight percent agree that they do not give much thought to whether the apps they use are sanctioned by IT or not, as they just want the job done. Additionally, 14% would do whatever is quickest to send a client a file, even if that option is slightly less safe.
Nilesh Jain, vice president of Trend Micro, Southeast Asia and India, adds, “To close the cyber risk gap, especially caused by people who are either unaware of security policies or even those who think they are above the rules, organizations should not only provide training but take an opportunity to add guardrails and controls while understanding the users’ needs. Using a combination of both in a positive and easy-to-use fashion will hopefully encourage behavioural change and understanding.”