Younger Workers Rebel Against Cybersecurity Inefficiencies

Posted on October 4, 2021

Everyone is in favor of cybersecurity. That is, unless – or more often, until – it gets in the way of what you need to do, or makes doing it less convenient. And when that happens, users do their best to sidestep or undermine the procedures and safeguards that are meant to protect your business from cyberattacks.

These are some of the disturbing conclusions from a new report from HP Wolf Security, “Rebellions and Rejections.”

With offices reopening following the pandemic-spurred shift to work from home, many employers are moving to a hybrid model of splitting work between office and home. Nearly 40% of users surveyed said they expect to spend half or more of their time working from home long-term. This is a huge shift from just a couple of years ago, when few companies were set up to support large numbers of people working remotely.

The alarming truth is that still, today, the majority of companies are not really set up for remote work – despite the fact that they have been enabling it for well over a year. As a result, IT professionals still widely (and wisely) view work from home as a danger. A staggering 83% of the IT teams surveyed said from-home work constitutes a “ticking time bomb” for a network breach.

Information security and IT professionals are increasingly finding themselves facing a resounding lack of support for their efforts to keep their companies cyber safe. From employees they encounter apathy, frustration, and often-successful attempts to circumvent protections. From management, they feel pressure to take actions that have the effect of compromising security in the interest of business continuity. IT professionals are left feeling like “bad guys,” perceived as making other employees’ jobs more difficult.

Apathy

The report found that the biggest rebellion comes from the youngest workers. Perhaps because 18-to-24-year-olds grew up attached to personal devices, they’re not used to things being complicated or to thinking of technology as potentially sinister. 39% of office workers in that age group were unsure of the data security policies of their employers; a majority, 54%, said that they were more concerned about meeting their deadlines than about the risks of a data breach.

Frustration

Nearly half of all office workers say that security measures result in a lot of wasted time and are a hindrance. Over a third consider security policies to be too restrictive. That’s a lot of users who feel that some security measures are an unnecessary waste of time. So it’s not surprising that many employees think they know better than the professionals charged with protecting the organization, and choose to disregard or do an end run around security measures.

Circumvention

Younger office workers are the group most likely to try to get around security measures: 31% of workers in the 18-to-24-year-old group confess to having tried to circumvent corporate security technologies or policies.

What About Management?

Management should be very concerned about cybersecurity. High-profile cyberattacks that cost companies millions and/or compromise the personal data of tens of millions of users are becoming increasingly common. Cyberattacks have shut down factories, hospitals, and an oil pipeline. Failing to properly secure customer personal data can result in hefty fines under data protection laws such as GDPR and HIPAA. Yet almost all IT teams – 91% – felt pressure to compromise security for the sake of business continuity. 76% said that security took a back seat to continuity during the pandemic.

Cybersecurity risks may seem a little abstract to most managers. After all, those big cyberattacks that shut down companies and cost millions of dollars happen to other companies, not theirs. And when they can manage it, companies try not to disclose that they were attacked, so many attacks are out of sight and therefore out of mind. Whereas the dangers of losing business, missing deadlines, displeasing customers or disappointing stockholders are known, top-of-mind risks.

Unhappy IT Teams

Not surprisingly, given the lack of support (if not open hostility) from both users and management, IT teams are feeling dejected. 80% of IT people surveyed said they felt IT security was a “thankless task,” and 69% said that they are made to feel like “bad guys” when they’re just trying to do their jobs.

Is There a Way to Please Everyone?

Cybersecurity is too important to be optional. IT teams are correct to insist on having strong controls. However, compliance rates will be higher – and complaint rates and resistance lower – if cybersecurity doesn’t impose too great an operational burden on users. These are some things that companies can do to make life easier for users while keeping corporate data secure:

  • Use Single Sign-On (SSO). With SSO a user logs in to the corporate network once and has access to all of their authorized applications, without needing to log in separately to each app. Some people incorrectly think SSO is less secure because it’s a single point of failure; the truth is that users are a greater single point of failure. Most users are lazy when it comes to password management. The average American has 150 password-protected accounts. No one can possibly remember all of those passwords, so users do things that are risky (if not downright dumb): They use simple passwords, reuse passwords (one study says 73% of all passwords are duplicates), put passwords in unencrypted files, and leave passwords on sticky notes in public view. With only one password to remember, it’s much easier to enforce good password hygiene. It’s also easier to insist on Multi-Factor Authentication when users have to log in only once.
  • Make user interfaces user friendly. If it’s hard to figure out what to do (for example, when a password change is needed) users get frustrated, and that means more calls to the help desk and more frustration with wasted time.
  • Tailor access policies to each user’s needs. Choose a Zero Trust security platform like ZTEdge that leverages machine learning to automatically build per-user policies and keep them updated, so the burden of policy maintenance does not bury IT staff.
  • Make your cybersecurity awareness training effective. All too often, security training is a once-a-year “death by PowerPoint” presentation that accomplishes little. Users need to understand why cybersecurity is important and how it applies to them. They should be given simple, easy-to-understand guidelines they can follow. Try to encourage a “team” approach – the IT team should be concerned about user convenience and the users should be concerned about security.
  • Implement security controls, such as least privilege access and microsegmentation, that work behind the scenes, relatively invisible to users.
  • Hackers are targeting vulnerabilities in legacy technologies like VPNs and RDP. Consider moving to more modern approaches to remote application and desktop access, like Zero Trust Network Access (ZTNA).
  • Make your cybersecurity approach comprehensive, across both on-network and cloud resources, so users don’t have to deal with different systems and remember different procedures for accessing desktop, network, SaaS and private cloud resources.

This last item – making your cybersecurity approach comprehensive – also enhances security. Cybersecurity should not be easy for users to bypass. A patchwork approach to cybersecurity leaves gaps where users might find ways to bypass corporate data security requirements.

Providing a high level of security with minimum pain to users is one reason why we developed the ZTEdge platform. ZTEdge provides Zero Trust security in a comprehensive cloud-based cybersecurity platform that protects all of your corporate apps and data wherever they are located, for users who are either in the office or working remotely.


About Nick Kael

A cybersecurity expert with over 20 years of experience in web technologies, architecture, infrastructure, networking and dev environments, Nick is responsible for solution management, technology strategy and technology partnerships. Nick was previously Symantec Group CTO for Global Service Providers, following his tenure as Director of the Chief Architect Team for Channel and Service Providers at Zscaler and an earlier position in the Symantec CTO organization. His certifications include CEH7, CCSK, BCCPP, Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5 and VTSP5.
