IT leaders facing backlash from remote workers over cybersecurity measures: HP study
A new study from HP has highlighted the precarious -- and often contentious -- situations IT teams are facing when trying to improve cybersecurity for remote workers.
The new Rebellions & Rejections report from HP Wolf Security surveyed 1100 IT decision-makers and also gleaned insights from a YouGov online survey of 8443 office workers who now work from home.
The study found that IT workers often feel like they have no choice but to compromise cybersecurity in order to appease workers who complain about how certain measures slow down business processes. Some remote workers -- particularly those aged 24 and younger -- outright reject cybersecurity measures they believe "get in the way" of their deadlines.
More than 75% of IT teams said cybersecurity took a "backseat to business continuity during the pandemic," and 91% reported feeling pressured into compromising security for business practices.
Nearly half of all office workers under the age of 24 said cybersecurity tools were "a hindrance", and 31% admitted to outright bypassing certain corporate security policies to get work done.
Unfortunately, almost half of the office workers of all ages believe cybersecurity measures waste their time, and the figure increases to 64% among those under the age of 24. The survey found that 54% of 18-24-year-olds cared more about their deadlines than causing a data breach.
Researchers found that 39% of respondents did not fully know what their organization's security policies are, causing 83% of all IT workers surveyed to call remote work a "ticking time bomb" for data breaches.
Ian Pratt, global head of security for personal systems at HP, said the fact that workers are actively circumventing security should be a worry for any CISO.
"This is how breaches can be born," Pratt said.
"If security is too cumbersome and weighs people down, then people will find a way around it. Instead, security should fit as much as possible into existing working patterns and flows with unobtrusive, secure-by-design and user-intuitive technology. Ultimately, we need to make it as easy to work securely as it is to work insecurely, and we can do this by building security into systems from the ground up."
IT leaders have had to take certain measures to deal with recalcitrant remote workers, including updating security policies and restricting access to certain websites and applications.
But these practices are causing resentment among workers, 37% of whom say the policies are "often too restrictive." The survey of IT leaders found that 90% have received pushback because of security controls, and 67% said they get weekly complaints about it.
More than 80% of IT workers said, "trying to set and enforce corporate policies around cybersecurity is impossible now that the lines between personal and professional lives are so blurred", and the same number of respondents said security had become a "thankless task."
Nearly 70% said they were viewed as "the bad guys" because of the restrictions they impose to protect workers.
"CISOs are dealing with increasing volume, velocity and severity of attacks. Their teams are having to work around the clock to keep the business safe while facilitating mass digital transformation with reduced visibility," said Joanna Burkey, HP's CISO. "Cybersecurity teams should no longer be burdened with the weight of securing the business solely on their shoulders; cybersecurity is an end-to-end discipline in which everyone needs to engage."
Burkey added that IT teams need to engage and educate employees on the growing cybersecurity risks while understanding how security impacts workflows and productivity.
Cybersecurity experts like YouAttest CEO Garret Grajek said every new access method, user pool and technology adds attack vectors and vulnerabilities for hackers.
"We just saw that even the best WFH plans might be vulnerable w/ over 500k of Fortinet VPN users being exposed," Grajek noted. "As with the other attack vectors, enterprises have to assume they will be breached and then ensure that rogue users access and actions are mitigated or limited."