HP Wolf Security: Employees Pushing Back Against Efforts to Improve Security

Employees are making it difficult for IT teams to improve security, leaving organizations vulnerable to breaches, according to a new HP Wolf Security report.

The new HP Wolf Security report combines data from two surveys. A global YouGov online survey polled 8,443 office workers who shifted to work from home (WFH) during the pandemic. In addition, Toluna surveyed 1,100 IT decision makers globally.

The findings show IT teams have been forced into compromising security for business continuity at a time of rising threats. Making matters worse, their attempts to increase or update security measures for remote workers have often been rejected. This is especially true for the future workforce of 18-24-year-olds. These digital natives feel increasingly frustrated with security getting in the way of deadlines, leading many to circumvent controls.

Cisco’s Joanna Burkey

Joanna Burkey is HP‘s CISO.

“For me, the common theme is that cybersecurity needs to be something that everyone can buy into,” she said. “Cybersecurity teams need to keep the business safe, but users also need to play their part. It’s like physical safety. If you have a staircase in the office, then you need to install a banister and perhaps have it carpeted instead of tiled so people don’t slip and fall. But at the same time, you’re also trusting that people don’t dash down the stairs three at a time and injure themselves. Cybersecurity teams can provide those guardrails, but they still need people to tread carefully. As we navigate this new era of hybrid working, I’m thinking more about how I can ensure everyone is collectively working together to keep the enterprise safe from harm.”

Key Findings

Key findings of the HP Wolf Security report include:

• Seventy-six percent of IT teams admit security took a backseat to business continuity during the pandemic. In addition, 91% felt pressure to compromise security for business continuity.
• Almost half of younger office workers viewed security tools as a hindrance. That lead to nearly a third trying to bypass corporate security policies to get their work done.
• Forty-eight percent of office workers agreed seemingly essential security measures result in a lot of wasted time. This rises to 64% among those ages 18-24.
• Over half of those 18–24 were more worried about meeting deadlines than exposing their organization to a data breach. Thirty-nine percent were unsure what their security policies say, or are unaware if their company even has them. That’s suggests a growing level of apathy among younger workers.
• As a result, 83% of IT teams believe the increase in home workers has created a “ticking time bomb” for a corporate network breach.

Listening and Understanding

Organizations need to create open lines of communication with end users to listen and understand how security impacts their workflows and productivity, Burkey said.

“Secondly, partner with all areas of the business to embed security into the organization’s DNA and create a more collaborative security culture,” she said. “Finally, seek out new levels of endpoint protection that offer advanced remote management while being as unobtrusive as possible to avoid end users trying to circumvent it.”

Many security teams have made efforts to curb user behavior to keep data safe, Burkey said. Those include updating security policies to account for the rise in working from home, and restricting access to websites and applications. However, these controls often create friction for users, who resent the controls and push back on IT. That leaves security teams feeling dejected and rejected.

“It’s vital that any tension is addressed as otherwise it’s another chink in the armor, making you more vulnerable to attack,” she said. “Security leaders play a key role in addressing tensions and making security something everyone can buy into, not just something they are told to do. This involves opening up lines of communications with end users to help inform policy decisions. Adjustments such as providing the rationale behind a security decision or seeking user input before deploying new policies can change hearts and minds. By building collaborative security partnerships across the workforce, cybersecurity will start to become a cultural cornerstone.”

Enacting Better WFH Security

Gurucul’s Saryu Nayyar

Saryu Nayyar is CEO of global cybersecurity company Gurucul.

“Eighteen months into the WFH era of the COVID-19 pandemic, many IT shops still don’t have a good handle on how to enact cybersecurity outside of the office,” she said. “As a result, remote workers are actively bypassing standard security restrictions in an attempt to do their jobs, and in the process opening up security holes for exploit.”

Corporate security professionals need a better understanding of how remote workers are doing their jobs, Nayyar said. Therefore, they can work collaboratively in designing cybersecurity systems that meet those needs.

“Monitoring activities in WFH environments and assessing the risk of specific activities should be a cornerstone of that effort,” she said.