Despite knowing the dangers, most workers are engaging in risky activities that could put their company’s digital security at risk.

That’s according to a global survey of more than 8,000 employees. Sapio Research conducted the survey for ThycoticCentrify.

The survey found nearly 80% of respondents have engaged in at least one risky activity over the past year. Among risky activities, more than a third have saved passwords in their browser in the last year. A similar number have used one password to access multiple sites. In addition, around one in four have connected a personal device to the corporate network.

Despite almost all respondents having an awareness that individual actions such as clicking on links from unknown sources or sharing credentials with colleagues is a risk, only 16% feel their organization is at a very high risk of a cybersecurity attack.

Engaging in Risky Activities to Get Work Done

ThycoticCentrify’s Joseph Carson

Joseph Carson is chief security scientist and advisory CISO at ThycoticCentrify.

“The most surprising finding in the research is that while employees understand the risks, they are willing to accept it so they can get their job done,” he said. “They assume that the IT security team has got their back and will prevent anything bad happening even if they take the risks.”

Saving passwords in a browser can lead to credential theft, Carson said.

“Most browsers’ security settings are turned off,” he said. “And when an employee saves credentials within the browser, including corporate credentials, if an attacker ever gains access to the endpoint it also means they have access to any stored credentials within the browsers.”

Just 44% of respondents received cybersecurity training in the past year, according to the survey. That means more than half of the employees surveyed were left to cope alone with the increased threat landscape created by remote working.

“When faced with tough choices such as getting the job done, employees will always take the easy path,” Carson said. “And that means risking security.  Employees need to understand the risks of the actions they take.”

Training Helps Cut Down on Risky Activities

Staff are more likely to rate the cyber risk to their organization as high if they have been trained. That indicates they have a better understanding of the risks.

Key findings from the United States include:

Smaller Companies More at Risk

People working at SMBs are least likely to have received cybersecurity training in the past year. Those at smaller companies perceive their risk to be lower.

Also, smaller companies were also least likely to have implemented protection such as multifactor authentication (MFA) or VPNs compared to larger organizations.

The survey revealed an overarching sense of responsibility among employees. Eighty-six percent agree they have a personal responsibility to ensure they do not expose their organization to cyberthreats. However, 51% still think IT departments should have sole responsibility to protect companies.

MSSPs and other cybersecurity providers can help organizations with limiting or eliminating risky activities.

“The best way to help organizations is to help automate and adopt usable security measures so employees don’t have to make a choice so the only way is the secure way,” Carson said.