With the advent of hybrid work, and against a backdrop of intensified cyber threat, we wanted to better understand attitudes to cybersecurity in the home and to see if a relaxed setting means a more relaxed approach to security.
We surveyed over 8,000 general consumers across the EMEA region (Europe, Middle East and Africa), giving us a tremendous insight into general attitudes and approach to security when the private and the public are blending in the hybrid workplace. I have to say, I was surprised to see how many red flags there were.
For general consumers, not much has changed from a technology point of view. Hyper-connectivity was common long before Covid. What the pandemic has accelerated, however, is hybrid work and remote access to business data. Cisco is a B2B company, but with inadvertent insider threats becoming an increasingly common part of the attack chain, it’s important for us to be able to map behavior and identify danger areas. Even the smallest of data leaks can lead to huge issues further up the business chain and poor cybersecurity at home could prove to a weak link for many.
Using Personal Devices for Work
The results reveal that 61% of those surveyed primarily use their personal phone for work. As an organization obsessed with the safety of our customers’ data, it’s surprising that so many businesses would allow the cross over. Indeed, a huge number of people frequently use their personal device for work tasks such as sending emails (58%), make work calls (48%) and share documents (42%). Only 10% have never chatted about work tasks on their personal device or worked on a business document. Personal devices often have minimal (if any) security set up in place so to use them for work is highly questionable. It certainly leaves people open to being accidental ‘inside actors’ – a person or employee who, perhaps by hacking or unwittingly sharing sensitive data, becomes the catalyst for a breach.
Perhaps unsurprisingly, 90% of respondents have two or more connected devices and 84% share at least one connected device with someone else in their home. Of those surveyed, the number of shared devices is higher among those with kids under the age of 16, a demographic not known for their security conscientiousness.
Now, respondents do appear concerned about the threat of attack, with 57% admitting they’re worried about their personal devices being hacked. However, despite concerns and the number of connected devices shared in the home, 1 in 6 respondents have never changed their Wi-Fi password and for 1 in 5 it’s been a year or more.
Security on the Move
Risk is not only a factor at home, with so many people now working in public spaces or checking-in on work tasks on the move. The always-on mentality of so many means people are risking shortcuts to connectivity. 76% of respondents admit to having used public Wi-Fi networks, such as bars, airports and restaurants, for work tasks.
The truth is, on a public Wi-Fi network you don’t know who else is sharing the connection; what their motivations are, or how much effort the owner of the network has put into securing it. If you’re accessing work tasks and data, using a mobile phone’s hotspot feature (with a strong password) will always be more secure than using a public network. Similarly, using a VPN will always be more secure than not using a VPN.
Misunderstanding Security Measures
Username and passwords have never been a particularly effective technique for keeping unwanted individuals from accessing systems. Adding multi-factor authentication (MFA) to accounts is a very simple method for adding a strongextra layer of protection to system access. Put simply, a trusted passwordless application uses the login process as an enforcement point, considering the context and conditions of the request including device health. Security teams establishing these controls are getting ahead of multi-factor phishing and biometric spoofing.
However, 37% do not use or do not know what MFA is. Furthermore, the results among those who answered yes to using MFA indicate a misunderstanding of what it actually is. Of the 63% that answered that they use MFA, the answers were weighted more toward personal devices (29%) than work (10%). As nearly every smartphone now has a fingerprint or facial scanner, consumers are choosing to use biometrics instead of passcodes to unlock and login to applications on their personal devices, Organizations have an opportunity to leverage this technology, which is already in employees’ pockets, to drive adoption of strong MFA at work. This is also known as passwordless authentication.
Inconsistent Education Opportunities
A major challenge in closing the gaps in cybersecurity is educating millions of people at a consistent level. When asked where they seek advice about online and device security behavior, the answers were stacked predominantly towards asking friends and family (39%) or just using common sense (35%). This approach was fairly consistent across age categories, although the use of social media as a reference spiked among younger generations, 35% of those between 16-34 use it compared to much lower levels from older respondents. General media, providers of apps and state authorities were ranked very low on the list of reference points – all below 25%.
Subjective advice and opinions on cybersecurity can mean a deficit in genuinely robust measures. For the average person it may seem unlikely their home Wi-Fi will be hacked, or that someone will steal their data while on a public network. However, it only takes one opportunist and a very short window of time to access and harvest the information they need.
What we’re seeing today is not businesses competing as entities, but as ecosystems. They are all the sum of many varied and variable. These research results really compound the genuine threat of an individual error snowballing up to have huge corporate implications. With all the security measures in the world in place, businesses cannot erase human error. Whether by malicious intent; the accidental sharing of critical data or a hack, people represent an enormous risk to organizations at every scale.
Aligning Business and Consumer Mindsets to Achieve Security Resilience
Undoubtedly, the line between work and home has been permanently blurred – in some cases seemingly eradicated. As the habits of use for personal devices creep into those applied to work there is a huge threat to organizations for whom IP and reputation are invaluable.
While organizations can’t erase human error, they can certainly mitigate it. Security resilience is something we work with organizations to bake in end to end, especially in planning for hybrid work. For example, businesses should be holding data securely in the cloud and allowing access based on zero-trust – aligning all access with individual need and context. Similarly, controlling access to cloud systems via a SASE architecture gives security teams visibility and control over remote access.
Hybrid work is the future of work and robust strategy and investment around devices, protocols and security isn’t a nice to have – it’s critical. If ever it was time for organizations to get their house in order, it’s now.
Cisco survey 8,167 general consumer across eight EMEA markets, including France, Germany, Spain, Sweden, Netherlands, Poland, Saudi Arabia and Switzerland. The poll was conducted in August 2022 via Census Wide.