Employees and Cybersecurity: What Are Your End-Users Thinking Now?

Chances are, your employees have a lot on their plates right now.

With lives upended by a global pandemic and many workers reporting from home for the first time, lacking their traditional work tools and switching to unfamiliar ones, worries are probably running high.

And that concern bleeds into their relationship with cybersecurity.

How do technology leaders view remote work and cybersecurity?

The majority of CISOs and CIOs are clear: remote work brings a cybersecurity risk.

According to a recent survey from PwC, 61% of CISOs and CIOs have seen cybersecurity risks increase during the shift to remote workforces. The survey, called "It's Time to Adopt a Cyber-Savvy Culture," looks at how cybersecurity currently resonates with employees.

How concerned about cybersecurity are your end-users?

What does the data reveal about your employees and how they are thinking about cybersecurity right now?

The bag is somewhat mixed. On one hand, employees are expressing some mild to strong concerns about these company-related cyberattack consequences:

• 59%: Financial loss to the company
• 50%: Losses for other stakeholders
• 46%: Public disclosure of my emails
• 44%: Loss of company intellectual property
• 44%: Damage to company brand and reputation

And worries are a little higher when it comes to personal consequences:

• 59%: Exposure of personal data to third parties
• 57%: Impacts on my career
• 55%: Personal financial loss due to unauthorized access to pay or retirement data
• 54%: Inability to work and deliver
• 52%: Unauthorized access to my health data

On the flip side, though, only 22% are very worried about personal financial loss from an attack, and just 15% say they're very worried about their emails being exposed.

For CISOs and security awareness managers: what employees are thinking

PwC reveals that in areas where end-users are confident about cybersecurity, that personal confidence likely stems from belief in their company's cybersecurity practices:

"In fact, 75% of respondents say they trust their employer more than they trust tech companies to keep their personal information safe. But employees may not be aware that many attacks on organizations aren’t necessarily targeting the company. Instead, they're aimed at stealing employee data, such as salary and retirement information, health status and other personal information."

So that appears to be a cybersecurity disconnect uncovered by the research.

Another example pops up around security awareness. In particular, how employees feel about the security education they've received since the pandemic:

"Nearly 70% of CISOs and CIOs say they increased security training as a result of COVID-19. In contrast, only 30% of employees say their employer offered training on the dos and don'ts of protecting company and personal digital assets, data and information."

And other portions of the survey reveal pain points around the endpoint and big data.

"Less than a third say their employer provided devices so they could work outside the office without having to use their personal devices. And only 23% say their firm provided a compelling case for why employees need to have good data security habits."

This data stands in contrast to what CISOs and CIOs are saying:

"...CISOs and CIOs report strong positive impacts from investments to secure remote work (such as authenticating employees accessing their networks and managing mobile devices and other endpoints beyond corporate networks), as well as investments in real-time threat detection and intelligence."

8 steps for CISOs and CIOs when approaching remote employees

How should employers mitigate the dissonance between employees and cybersecurity professionals?

PwC offers an eight-step action plan for CHROs, CIOs, and CISOs.

1. Protect your people's digital lives. You're not just protecting company assets, you're also protecting your employees, your stakeholders and society. Tap into your employees' trust in you. 
2. Become role models for cyber-savvy habits. Raise expectations that tech and digital sophistication includes strong cyber acumen.
3. Elevate cyber acumen in your digital upskilling program. Award certifications or badges that can be recognized in the talent market. Encourage those who are "certified" to become ambassadors to help others develop their cyber acumen.
4. Introduce incentives and rewards for cyber-savvy habits and cyber-compliant behaviors. Consider gamification techniques that have been proven to reinforce continuous learning.
5. Adjust your messaging, communication and awareness training so it resonates with employees' concerns about personal loss, rather than focusing on implications for the company.
6. Consider the user experience when choosing technology and designing policies. Involve employees to get their input, especially with emerging or fast-changing apps. The better the experience is for your employees, the less likely they will be to download substitute apps or programs that may introduce risk.
7. Take advantage of modern security controls using powerful techniques such as zero trust (going beyond simply protecting the perimeter) and real-time detection and response, which is informed by behavioral science and powered by AI.
8. Consider offering identity theft management to employees as part of your benefits strategy.

Read more in this new research: "It's Time to Adopt a Cyber-Savvy Culture"