A third of remote working employees have not received security training in the last six months.
According to a survey by NinjaRMM of 400 remote workers in the UK across multiple industries, while 83% have had access to security best practice training and 88% are familiar with IT security policies, 32% have received no security training in the last six months.
Also, 50% spend two or more hours a week on IT issues, and 42% felt they had to go around the security policies of their organization to do their job.
According to Lewis Huynh, CSO at NinjaRMM, as COVID-19 introduced a seismic change to how security and IT operations are conducted at most businesses, “IT teams have been stretched thin to maintain normal operations and that means things like security training may have taken a lower priority.” He claimed that this is a mistake, as remote work has introduced more threats, not fewer.
“Ultimately, the decision to deploy security training to staff comes down to leadership, and if there’s one thing we learned from this report it’s that leaders should be doing more to prioritize basic security hygiene,” he said.
Commenting, Tim Mackey, principal security strategist at Synopsys CyRC, said for some organizations, security training is an annual affair that aligns with other compliance training.
“The worrying statistic is the 32% who state their last training was over a year ago, or that it’s not yet happened,” he said. “It is however quite important to recognize that for many businesses the pandemic has required reassessments of spending priorities, with the potential that, for some, training programs of all forms might be viewed as luxuries.”
Regarding the statistic that 42% of respondents said they have to go around the security policies of their organization to do their job, Infosecurity asked whether this shows poor engagement with the workforce, and what security teams and the business could be doing better.
Huynh said: “Looking at the reasons why employees are breaking the rules can help explain some of this. The top three reasons given for why they broke the rules were that personal accounts were more convenient, the IT department was too slow to respond to their needs and the security policies were too restrictive on their productivity. So, we’re seeing friction between staff and IT that suggests a breakdown in processes is occurring.”
Javvad Malik, security awareness advocate at KnowBe4, agreed that this shows poor engagement, or policies formed without understanding users’ needs. “Policies should not be set in stone,” Malik said. “What was a workable policy a few years ago, may not be fit for purpose today. Security departments should regularly engage with the business units of users who are subjected to the policies in order to find out any pain points and work collaboratively with them to find efficient ways of working as opposed to being the ‘department of no.’”
Elsewhere, the report claimed remote working had caused a 39% increase in the use of cloud services, and a 35% increase in the number of devices, while 75% of those polled said their IT security policy covers unapproved software, hardware and cloud services on work devices.
Malik said that while it is good for staff to be aware of policies, awareness does not mean much if people do not care about them: as the report states, if 42% are going around the policies, it does not matter that they are aware of them. “So, organizations should not just make their employees aware of the security policies, but encourage feedback and understand the effectiveness of policies and tweak where necessary.”
Huynh said the statistic that 88% are familiar with IT security policies was “one positive finding from the report as it suggests that security teams have done a good job at making security policies accessible and understandable.”
He added that policies should also cover the use of unapproved software and hardware, which, as this report showed, not every policy does. These seemingly small actions are important as the rapid shift to remote work has introduced new risks that require frequent training and continuous improvement of the security policies in place.