But in the age of remote work, we can all step it up a notch.
Who’s got better cyber hygiene—men or women?
A recent study by Mimecast seems to indicate that women have an edge when it comes to staying safe online. The survey, which included over 1,000 businesspeople globally who use a company-issued computer, found that even though 75% of men reported receiving cybersecurity training at work compared to just half of women, women are better at detecting cyberattacks and malicious behaviors.
Cyber hygiene, defined simply as best practices to improve cybersecurity while engaging in common activities online, is a major concern for companies whose workforces were suddenly forced to go remote en masse in March. Earlier this year, Tessian found that when working from home, roughly half of employees are less likely to follow safe data practices than when they’re in the office.
What employees are doing online with corporate-issued devices can have significant ramifications for companies—even more so today, when it’s all happening on employees’ home networks.
A blurring line
Prior to the pandemic, the line between our personal and business lives was already blurring. That trend has accelerated significantly this past year, with 60% of respondents saying they increased their personal activities on company devices since the pandemic.
With many employees’ personal devices being claimed by other homebound family members for work, school or play, employees are now spending an average of 1.9 hours per day using company devices for personal activities.
“There has been a massive increase in the number of corporate-issued devices since March,” says Matthew Gardiner, Mimecast’s Principal Security Strategist. “It really isn’t that surprising that employees are pivoting back and forth between personal and business activities by just opening another tab on the browser, not by changing PCs.
“This reality raises pressing security and policy issues that organizations need to consider.”
Company computer, personal use
Mimecast found that 78% of men admit to using work devices for personal use, compared to 65% of women. In order, top personal-use activities included personal email, financial transactions, online shopping, social media, instant messaging and video streaming, among others.
Nearly 40% of men admitted to shopping online on their employer’s computers, as opposed to only about a quarter of women (26%). 45% of men use Zoom or similar services to call friends, compared to only 30% of women.
One of the highest-risk activities from a cybersecurity standpoint is downloading applications or software for non-work purposes. Here again, men scored higher than their female counterparts. Thirty-five percent of men admitted to downloading such software, versus just 17% of women.
Suspicious emails are an area where both sexes can brush up on their cyber hygiene. Whether out of curiosity, high risk tolerance or some other reason, men are more likely to open suspicious emails (70%). Women also report opening such emails, but in much lower numbers (41%). Additionally, women are more likely to report suspicious emails to IT (64%) than their male counterparts (35%).
Although 96% of respondents said they were aware that links from potentially suspicious emails could infect their devices, it doesn’t seem to affect their likelihood of engaging with such messages. “Sometimes people click first and think second,” says Gardiner. “Given the amount of email the average businessperson receives on a daily basis, they often apply only a split second of thought—if any—to the email before deciding to open it and engage or not.”
Best practices for cybersecurity training
Mimecast’s data indicates that companies are working hard to secure their data, with 64% of respondents indicating that they received specialized WFH cybersecurity training since March. But is the training making a difference? In many cases, the answer is no.
Part of the problem may be outdated, “check-the-box” security training programs. “Everyday employees like consuming Instagram and YouTube content and don’t like boring, hour-long videos, which is how many security training programs still are,” says Gardiner. “Effective security awareness training recognizes that everyday employees are generally quite different from their IT and security colleagues.”
According to Gardiner, brevity and frequency are two critical components of effective training. “It’s better to have five minutes of security training once a month then 60 minutes of training once a year,” he says. “Short, entertaining, informative and well-produced content is what gets people’s attention and engagement.”
How can companies get their people to do the training—and pay attention in the process? Turning the training into a story can help employees remember the concepts and even enjoy the training. “We have seen that employees actually look forward to good security training versus dreading the old style of training,” says Gardiner. “People like to be informed and entertained at the same time.
“Real-life scenarios, acted out with humor, are a great way to catch and keep peoples’ attention, while teaching them something they will remember and more likely apply when the time comes.”
People are the greatest asset—and the weakest link
Today, keeping company data secure requires both technical safeguards and security-conscious users. “Twenty years ago, it was all about developing technical countermeasures including firewalls, AV engines, authentication systems, anti-spam and others to understand what malicious actors were doing,” says Gardiner.
But now, people-first training initiatives are equally important. People are simultaneously the greatest asset in the defense of company data—and the weakest link.
“One thing that comes out clearly from this report is that people are different,” says Gardiner. “It’s important that security awareness training programs take these differences into consideration. Attackers most certainly target people, often individually, and, as such, it is thus equally important that security teams not think in terms of one size fits all for their defenses.”
One thing is clear: cyber hygiene is a coveted skill that will only become more critical as time goes on. As we settle into remote work for the long term, safeguarding company data is something we can all do better.