Dr Margaret Cunningham, Principal Research Scientist at Forcepoint, and Nick Savvides, Forcepoint’s Senior Director of Strategic Business, APAC, discussed how employee stress could be opening companies up to greater cybersecurity threats – and how to address the problem.
Here’s a condensed version of the conversation:
Margaret Cunningham: With this research, we wanted to capture the experiences of people working from home. Not just ‘how's the pandemic for you?’ but also capturing the socio-technical factors. For example, is your workplace comfortable, do you have space to do work? What are you stressed about, are you having difficulties with your personal professional life boundaries? Do you know what your teammates are doing? Do you know what the goals of your organization are, and what you're supposed to be doing every day? We explored these questions because those are things that make people kind of feel ‘away and at sea.’
On top of that, we looked into the technical behaviors, most specifically targeting shadow IT, which was defined in the survey as using any software or hardware that’s not authorized by your employer – things like USBs, personal file sharing, using shared printers or business centers. These might seem like small behaviors, but we looked into them because they’re an indicator of people being willing to take risks with the data that their company owns.
As part of the research, we surveyed people from ages 18 to 70. Within this group, we have people who are junior in their career versus senior, those working for big organizations versus smaller companies, and across different industries, from teachers to agriculture, government workers to tech workers.
Looking at the data, people between 18 and 30 are using technology very differently to people aged 50 to 70. The younger group is also feeling much more stressed out and much less secure in their jobs. Essentially, younger people are having this serious breakdown in their relationship with their employers and have been heading this way for years. They don't feel like they’re definitely going to have a job in six months, whereas somebody who's more established feels like they can reach out to a friend who will hire them, and is more likely to have a nest egg saved up so they can still live comfortably if they lose their job.
Nick Savvides: I agree – I’ve seen a lot of anecdotal and other evidence that shows young people are less connected with their employers than at any point in recent history. So, the question here is, does this disconnect indicate that young people are more willing to take risks with their employers’ data and information than older groups?
Margaret Cunningham: They might be – and younger people are actually saying that they feel more inconvenienced by the technology that their company wants them to use. They're saying, I need to use this shadow IT to get my job done, or my company policies are making it difficult for me to do my job. So…I go around. That might be because they're savvier and know better tools to use because they use them in their personal life, in comparison to an older person. But even if it’s just that younger people are more willing to use shadow IT because they use more IT in general, the takeaway is that 30-50% of people in your organization are using personal tech to store and move your company's data.
Nick Savvides: I also think there is an element of poor risk judgement. We know humans in general are poor judges of risk, I think even more so when we are young, but what makes this even worse is the very laid-back attitude of Australians in general – the attitude of “she’ll be right” and “just this once, it won’t happen to me,” that kind of thing. With that in mind, how do we make it easier for young people working from home to work within the rules and make better cyber-security decisions?
Margaret Cunningham: I think that, first and foremost, it’s an enormous mistake trying to protect every single last thing. The reality is, if you think that constricting people's behavior by adding additional rules is going to make your security better, you're probably going to make it worse. It just means increased friction and a decreased ability for people to get their jobs done. Instead, organizations should take a risk-based approach: if you know your data and understand your user, you can understand what they're doing and can allow more freedom, because you understand the nuance of people’s behavior. And you can be more convincing when it is very critical that people follow the rules.
Nick Savvides: I really agree with this and often say, when everything is an emergency, nothing is an emergency. So, when there is a big issue and you ask people to comply, they don't care anymore. Prioritization, in general, is a big consideration in cybersecurity.
Margaret Cunningham: It's actually a really alarming data set – I work on insider threat all the time and people tend to think it's the malicious actor who's going to steal your classified data. But no, it's the 50% of your company putting it in Dropbox.
Nick Savvides: I remember once I was speaking to a CIO who told me “we don't have a problem with insider threat because everyone agrees to the company security policy. If everyone agrees to the policy, anything that happens is accidental.” Basically, a lot of people just don’t want to acknowledge these issues. There’s a big blind spot when it comes to insider threats and this data really shows that Australians, both as “tiny criminals” and as policy creators, suffer from this blind spot.
Margaret Cunningham: Of course, you’re going to have the malicious people, but they’re only maybe one one-hundredth of the problem. For the most part, you have to work around everyday people making the easy choice – which are the people that we’re seeing in this survey.