‘Back to the Office’ Brings Cybersecurity Fears

IT leaders believe employees have picked up bad cybersecurity behaviors while working from home, and additional survey results suggest their fears may be warranted.

Nearly seven in 10 cybersecurity decisionmakers are involved in discussions regarding office reopening plans in their organizations, according to a survey by cybersecurity solutions provider Tessian.

More than half (56%) of information technology (IT) leaders say they believe employees have picked up bad cybersecurity behaviors since they started working from home, and 54% are worried remote employees will bring infected devices and malware into the office.

Nearly seven in 10 IT leaders say they think ransomware attacks will be a greater concern in a hybrid workplace, and 67% predict a rise in “back to office” phishing emails. Tessian notes that when lockdown restrictions eased in the UK during the week of May 10, its platform data found that the number of suspicious emails related to “hybrid work” was 39% higher than the overall weekly average of “back to office” themed emails flagged by its Defender solution since the start of 2021.

Tessian explains that phishing is now the leading point of entry for ransomware attacks: ransomware campaigns use convincing email subject lines to trick people into opening messages. “Stop phishing, business email compromise, account takeover attacks and social engineering scams, and you significantly reduce the risk of ransomware,” Tessian says in its survey report.

FBI statistics reveal that phishing attacks doubled in frequency last year, and Tessian’s own data showed a 15% increase in social engineering incidents in the last six months of 2020, the report says. Social engineering is a way of manipulating people into giving up confidential information.

The survey suggests IT professionals’ fears may be warranted. Forty percent of employees say they plan to bring their personal devices into the office to work on. One in three employees think they can get away with riskier security behaviors when working remotely.

In addition, more than one-quarter of employees admit to making cybersecurity mistakes—or mistakes that have compromised company security—while working from home that, they say, no one will ever know about. Just slightly more than half (51%) of respondents always report when they receive a phishing email or click on a phishing email.

The survey found that the main reason employees aren’t reporting security mistakes to the IT team is that they are afraid of the repercussions. Twenty-seven percent say they fear facing disciplinary action or being required to take more security training.

“Create a security culture that encourages people to come forward about their mistakes, and support them when they do,” Tessian says.