The stress of remote working for 12 months during a global health crisis unseen in a century is causing more people to slip and make basic cyber security errors, according to a newly released report compiled for security firm Forcepoint.
During the first wave of the Covid-19 pandemic, the concerns of security and IT teams focused by and large on protecting hastily installed remote work support systems and preventing Zoom-bombing.
But a year on, Forcepoint has found that more than half of remote workers in the UK are finding themselves under increasing mental pressure, and therefore more inclined to inadvertently fall victim to risky behaviours.
These could include making more mistakes such as opening and clicking on obvious phishing emails, increased use of an individual’s own shadow IT devices, or increased sharing of devices within the individual’s household.
“Lockdown has been a stressful time for everyone, and while employers have admirably supported remote working with technology and connectivity, the human factor must not be overlooked,” said Margaret Cunningham, Forcepoint’s principal research scientist. “Interruptions, distractions and split attention can be physically and emotionally draining and, as such, it’s unsurprising that decision fatigue and motivated reasoning continues to grow.
“Companies and business leaders need to take into account the unique psychological and physical situation of their home workers when it comes to effective IT protection.
“They need to make their employees feel comfortable in their home offices, raise their awareness of IT security and also model positive behaviours. Knowing the rules, both written and implied, and then designing behaviour-centric metrics surrounding the rules can help us mitigate the negative impact of these risky behaviours.”
Cunningham said that although both older and younger employees tended to report they were receiving similar levels of organisational support while working remotely, the emotional experience, and how different generations use technology, was markedly different.
For example, younger, millennial employees – currently aged about 25-40 – were much more likely to say their stress levels made it harder to focus. Younger people were also more likely to feel pressurised to be present “at work” outside normal hours and were more stressed out by competing demands from their personal and professional lives.
They also reported more anxiety about their long-term job security, were worried about their performance and ability to do their job well, and struggled to understand their professional goals.
As a result, 41% of younger respondents reported that they were making more basic mistakes when working from home, such as copying the wrong people into emails – which can technically be a GDPR (General Data Protection Regulation) breach in some circumstances. More than half, 54%, said distractions in the home negatively impacted decision-making, and 46% said they were using shadow IT to perform tasks more easily – a clear risk factor in opening up organisations to cyber attack.
“Throughout the whole study, we saw that certain groups were more negatively impacted by work-from-home mandates, and the group most affected were the younger workers,” said Cunningham.
“This group also reported higher stress levels, which may indicate that they feel pressured by time or work commitments and therefore engage in riskier behaviours to get their jobs done. This can expose organisations to increased cyber security risks.”
The other group of people feeling the pressure were parents and caregivers, who were more likely to feel stressed by competing demands from their personal and professional lives, found it harder to make decisions and, like millennials, also worried about demands on their time outside of their contracted hours.
Caregivers also tended to report that their personal responsibilities during lockdown negatively impacted their job performance and were similarly worried about their ability to do their job well, and in many circumstances their ability to keep their job.
Again, this left them exposing their employers to heightened levels of cyber risk, with high numbers admitting to minor mistakes, distractions and unsanctioned use of shadow IT.
With remote working guidance in the UK still in effect, and likely to remain so until the summer, Forcepoint warned that without additional support from employers, people were likely to continue to deviate from pre-set and learned security rules, exposing their organisations to malicious actors and other threats.