The likelihood of a complete return to the office post-pandemic is low; the probability of an ongoing hybrid home/office work environment is much higher. Security teams will need to continue and possibly expand their plans to secure remote personal devices operating in a hostile environment perhaps indefinitely.
Much of this security can be achieved by policy and product – but user behavior can undermine policy, and user behavior in the home environment is an unknown quantity. SecurityAdvisor, a firm that delivers personalized and continuous awareness training, seeks to better understand human behavior at home in a new study (PDF) titled Top Riskiest Behaviors and Employees in a Hybrid Workplace.
The firm analyzed more than 500,000 malicious emails and more than 500,000 visits to dangerous websites from staff ranging from entry-level to executive in more than 20 countries. The top five ‘risky behaviors’ are: failing authentication; clicking on phishing emails; installing adware; using P2P software and private VPNs; and streaming pirated content.
Failing authentication may not seem a huge security problem since it demonstrates that access controls are working. However, the volume puts an unnecessary strain on the security team – repeated failure in MFA authentication makes it difficult to distinguish between human error and malicious activity. Fifty percent of home workers fail MFA at least once per month.
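The triage problem described above, as an added example that is not from the report or from SecurityAdvisor: a small Python routine over constructed MFA log lines (the log format, field names and thresholds are assumptions) that separates a short failure streak the same user then completes from patterns that deserve analyst attention, such as repeated push denials for one account or many accounts failing from one source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample MFA log lines (assumed format; not taken from the report).
SAMPLE_LOG = """\
2021-06-01T08:00:01Z user=alice src=203.0.113.5 result=FAIL reason=push_timeout
2021-06-01T08:01:10Z user=alice src=203.0.113.5 result=SUCCESS reason=-
2021-06-01T09:00:00Z user=bob src=198.51.100.9 result=FAIL reason=push_denied
2021-06-01T09:00:30Z user=bob src=198.51.100.9 result=FAIL reason=push_denied
2021-06-01T09:01:00Z user=bob src=198.51.100.9 result=FAIL reason=push_denied
2021-06-01T10:00:00Z user=carol src=192.0.2.77 result=FAIL reason=bad_code
2021-06-01T10:00:05Z user=dave src=192.0.2.77 result=FAIL reason=bad_code
2021-06-01T10:00:09Z user=erin src=192.0.2.77 result=FAIL reason=bad_code
"""

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                  r"result=(?P<result>\S+) reason=(?P<reason>\S+)")

def parse(text):  # -> list of event dicts with a datetime "ts", in file order
    events = []
    for m in LINE.finditer(text):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def triage(text, denied_min=3, users_min=3, window_s=300):
    """Return (kind, subject, label) findings so analysts can skip benign noise."""
    span = lambda evs: (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
    findings, by_user, by_src = [], defaultdict(list), defaultdict(list)
    for e in parse(text):
        by_user[e["user"]].append(e)
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    for user, evs in by_user.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        denied = [e for e in fails if e["reason"] == "push_denied"]
        # Several explicit denials in a short window: the user is rejecting prompts they did not start.
        if len(denied) >= denied_min and span(denied) <= window_s:
            findings.append(("user", user, "mfa_fatigue_suspected"))
        # A short streak from one source that the same source then completes: a typo or timeout.
        elif fails and len(fails) <= 3 and evs[-1]["result"] == "SUCCESS" \
                and len({e["src"] for e in evs}) == 1:
            findings.append(("user", user, "human_error"))
    for src, fails in by_src.items():
        # One source failing for several distinct accounts in a short window is not one person's typo.
        if len({e["user"] for e in fails}) >= users_min and span(fails) <= window_s:
            findings.append(("src", src, "multi_account_failures"))
    return findings
```

The thresholds are starting points to tune against your own baseline; the point is that the benign "human error" streak gets a label and drops out of the analyst queue.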
Falling for phishing is the most obvious threat to home workers – and the statistics are disturbing. While 99% of spam and phishing emails are caught by filters, 1% still reach inboxes – leading to an average of 5 phishing emails received by every employee every month. About 8% of these are clicked on. “In a 5,000-employee organization,” says the report, “this equates to 20 phishing emails opened and clicked each month.”
Three to four percent of employees install adware by installing untrusted software online. “Without users’ consent or knowledge,” states the report, “the download will include additional software containing adware that can spy and export data to malicious entities.”
Around 5% of employees install P2P software and private VPNs, such as BitTorrent and Golden Frog, to bypass media paywalls, access content in restricted geographies, and download movies without being recognized. SecurityAdvisor considers this a major risk. It suggests that 38% of private VPNs contain malware, while 82% can read their clients’ data.
Around 1% of employees use sites like Putlocker, VidCloud, or 123movies to stream pirated content. “These sites,” warns SecurityAdvisor, “often are hotbeds for malware, ransomware, and keyloggers, which can even auto-install malicious software onto users’ laptops with just one click.”
The analysis also shows that senior management is more likely to be targeted by cybercriminals than the average employee. Senior managers and the C-suite are targeted by phishers almost 50 times more frequently than average employees.
The analysis shows a vast difference in risky behaviors between men and women: 76% of risky users are men, and only 24% are women (this figure accounts for the difference in absolute numbers between men and women employees). There have been many studies that suggest women are more risk averse than men – one this year by the Harvard Business Review suggests that companies with a strong female presence in senior management are more likely to expand through internal R&D, while companies with a strong masculine presence are more likely to engage in the more ‘aggressive’ pursuit of an M&A route. But the reason remains elusive.
This issue is wider than just risky behavior, and may play into the difficulty in persuading young girls to look for a career in technology – which in turn may exacerbate the ‘skills gap’ in technology in general and cybersecurity in particular. So far, however, studies have recognized the difference in behavior without finding any fundamental difference in male/female psychology or biology to explain it. The result is that many people believe the cause and solution fall upon the education system.
SecurityAdvisor talked to Professor Kellie McElhaney, a distinguished teaching fellow and founding director of Berkeley University’s Center for Equity, Gender, and Leadership (EGAL), for further insight into its gender results. McElhaney does not believe that women are naturally any more risk averse than men; but that the behavior is learned over time.
The report suggests that women are more aware of the long-term ramifications of risky behavior. “Men, on the other hand, look at risk as a game,” says the report. “They are trained at an early age to win at all costs and, when threatened with a loss or negative outcome, they will do whatever they can to turn that potential loss into a win. The reason for this is that the penalties for taking a risk and failing are far less severe for men than they are for women – or anyone else who is not a part of the dominant group in a society.”
This is, very simplistically, McElhaney’s view: that behavioral differences between men and women are developed by nurture rather than originating in nature. Nurture begins much earlier than schooling. The implication is that basic attitudes are set before school education begins – and while education can influence these attitudes, changing them will always be an uphill battle. In short, the behavioral differences between men and women are caused by parental and societal expectations more than by formal education.