Corporate security is failing to keep pace in the new normal of remote working in the wake of the COVID-19 pandemic, says Fujitsu.
According to the company's Building a Cyber Smart Culture study, more than a year after the introduction of remote working arrangements, many organisations are yet to review their cybersecurity.
The study found companies face increased attack surfaces and widespread employee reluctance to report potential security incidents for fear of recrimination.
More than half of business leaders agree that security policies have been unable to keep pace with significant changes, and 61% of employees believe their current cybersecurity training is ineffective, with boredom, lack of targeting, and generic content contributing to a lack of cybersecurity ownership.
The findings suggest many employees working remotely feel more isolated than ever and less able to ask a workmate for casual advice around cybersecurity issues. Forty-eight percent of non-technical employees were reluctant to report any potential threats for fear of possible recrimination, leaving organisations exposed to cyberattack.
"For many organisations, cybersecurity was forced into the back seat in the race to enable remote working at the start of the COVID-19 pandemic," says Martin Holzworth, head of portfolio, cybersecurity, Fujitsu Oceania.
"In too many cases, these makeshift, temporary arrangements are still in place. This means organisational cyberattack surfaces have increased; however, employees are reluctant to report potential incidents," he says.
Holzworth says an integrated approach is needed to implement cultural change that focuses on cybersecurity.
"The most common security breaches occur when employees click on email links or open attachments that deploy malware or collect sensitive information in phishing attacks," he says.
"Addressing this weakness with the right corporate culture and knowledge sharing is the cheapest and most effective cybersecurity measure that a company can take."
Holzworth says organisations need to empower and engage employees on an individual basis to ensure they are aware of potential security risks.
"They need to introduce a culture where everyone's job contributes to the company's overall security posture," he says.
However, that culture must be supported by the CEO and heads of departments.
"If cybersecurity is not owned at the top, it is not owned by the organisation. Investment in creating the right culture, educating employees, and building trust makes organisations genuinely resilient to modern cyberthreats," Holzworth explains.
Key findings of the study include:
- Fifty-four percent of organisations were unable to ensure that security policies had kept pace with significant changes.
- Forty-five percent of respondents believed cybersecurity had nothing to do with them.
- Sixty percent said all employees in their company received the same cybersecurity training, despite significant differences in roles and security issues they face.
- Of the businesses that provide role-based training, 61% found it ineffective, citing factors such as the training being too boring (35%), too technical (35%), or too long (32%).
- Sixty-nine percent of respondents thought cybersecurity training was most effective when it involved games, rewards, or quizzes to improve security awareness or behaviour.