Maintaining cybersecurity for an entire office is no small task. Each employee who gains access to an employer’s network presents a certain amount of risk, while external threats are ever-increasing. It seems that even the country’s biggest employers can’t keep cyberattacks at bay, despite having IT departments on the payroll. Considering small businesses make up more than 99% of all firms in the U.S., how are these smaller teams managing the risks that global conglomerates can’t?
We spoke to over 1,000 full-time employees who spent at least four hours each day using a computer about their perceptions of workplace cybersecurity. We discussed the various approaches to keep employees and businesses safe from cyberattacks, as well as some of the reckless behaviors that many employees regularly witnessed. Continue reading to see what cybersecurity really looks like in the average American office.
Online office safety
Overall, 76% of employees said cybersecurity was at least somewhat problematic at work. Forty-four percent considered the problem to be minor, but 24% called it “moderate,” and 8% deemed it a “major” problem. The smaller the company, however, the more likely an employee was to feel this way. Twenty-three percent of employees at companies with fewer than 51 workers agreed their digital information was insecure, compared to just 8% of employees at companies with 501 to 1,000 employees.
The “see something, say something” concept wasn’t heeded by most employees when it came to cybersecurity, though, as 58% said they kept perceived cybersecurity risks to themselves instead of confronting their employer.
The decision to keep quiet might have been influenced by the fact that so few employees were accommodated when they did bring up their concerns. In small businesses, especially, many employees (44%) said their employer was only slightly or not at all responsive to cybersecurity concerns. Between the smaller staff and a smaller likelihood of response to these reported risks, small businesses are taking great risks and liberties with their personal information. That said, employees at every company size did report cybersecurity issues, and workers at companies with over 1,000 employees even said their security concerns were ignored 27% of the time.
Bad cybersecurity behavior
Training and education were the two primary weaknesses noted by employees. Thirty-three percent said their company had failed to provide training on cybersecurity, and another 32% said their employer did not teach them safe digital behaviors.
According to Entrepreneur, “almost 90% of the data breaches are caused by human errors,” which reinforces the need for continuous education as technology evolves. The article argues that training employees to be vigilant about online security is like building a human firewall to protect information. Twenty-eight percent of employees also said their company had weak or insufficient password protocols, which Entrepreneur deems crucial to training: “Explain to your employees that passwords are the first line of protection […] You should also show the employees how to set a strong password that incorporates a combination of symbols, letters, and numbers.”
Employees noticed a few other common cybersecurity mistakes, like not backing up data (27%) and not updating or patching software (26%). We also found that employers who failed to block malicious websites, establish privacy settings, and establish protocols for personal devices were the most likely to be perceived as reckless.
Among all the mistakes made, however, the most egregious (or at least most common) seemed to come from the big players. Companies with 1,000 or more employees were the least likely to provide the education and training necessary to keep their companies safe as they grew. Only 11% of employees working for companies of this size said that they had established password protocols.
Speaking of passwords, employees were concerned. More than a third of employees at companies with 50 or fewer workers said their passwords were insecure.
Password experts typically recommend using a password that’s at least 12 characters long and choosing a new password for each new account, among other tactics. Still, it seems employees did not receive or, possibly, heed this advice, as 42% said their passwords at work were fewer than 12 characters, and 39% said they used the same password across various logins. Further, more than 1 in 10 shared their passwords with people outside of the company.
Password safety was the one cybersecurity area where larger companies underperformed in some ways: Companies with 1,001 or more employees were the most likely to reuse the same password and use passwords that contain a basic sequence of numbers or letters. According to some IT experts, however, passwords are in the process of becoming obsolete, as even the best passwords can be hacked fairly easily with today’s technology.
Suffering without cybersecurity
Employees didn’t notice this much unsafe digital behavior without seeing some consequences. Nearly a third had experienced phishing, a cybercrime wherein “targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data.” Phishing is simple, low-tech, and effective: According to the FBI, criminals made off with $676 million in 2017 with phishing scams, and even giants like Facebook and Google have been duped out of more than $100 million.
Often, the security breach extends well beyond the employer and employees and into the lives of customers. Just recently, personal information of more than 10.6 million hotel guests was exposed in MGM Resorts’ data breach, while the world’s largest asset manager BlackRock also suffered the exposure of some highly classified financial information. Thirteen percent of employees had experience with a data breach, while 18% said the cybersecurity habits of their employer jeopardized the privacy of their customers. Even fraud was witnessed by 9% of the people surveyed.
Security often came down to a question of manpower. Even with effective training, IT specialists and security staff are still needed and employed. Thirty-seven percent of employees had the luxury of having IT staff member(s) on-site, but 15% had no IT staff whatsoever.
The absence of IT staff was more common for smaller businesses with 50 or fewer employees, as more than 1 in 3 companies of this size had no dedicated technology department or staff. This left them very vulnerable, as employers with no dedicated cybersecurity staff were twice as likely to be perceived as insecure by their employees. Employee perception has been shown to be extremely important to employee advocacy and the online success of the brand, and safety is a crucial place to earn employee trust.
Put cybersecurity first
Trust and safety are often hard-won in the office but are crucial to keeping the enterprise functioning properly. Particularly for an understaffed small-business owner, pulling in additional IT resources can be difficult to accommodate, despite the many modern cybersecurity risks. Data breaches are, unfortunately, a very real risk for employers, their employees, and their customers, so it is best practice to listen to what employees share and take all safety precautions possible. If you’re an employer, create a training program and password protocol and listen when your employees raise concerns.
Personal safety and cybersecurity don’t have to be learned in gloomy isolation, though; instead, they can be internalized and practiced as a group. At Nulab, we specialize in elevating collaboration and making it easier and more enjoyable for your corporate team. Whether you want to cover cybersecurity, productivity, team building, or any other component of efficiency with your team, start by talking to the experts at Nulab.
Methodology and limitations
We surveyed 1,009 full-time employees who used a computer as part of their job responsibilities for four or more hours a day. Respondents were then asked questions about cybersecurity at their place of employment.
Fifty-three percent of our respondents identified as male, 46% identified as female, and less than 1% identified as a gender not listed on our survey. Respondents ranged in age from 19 to 87 with a mean of 37 and a standard deviation of 10.6.
It is possible that with more respondents from various-sized employers, we may have been able to gain better insight into these demographics. The data we are presenting rely on self-reporting and, as such, are susceptible to exaggeration or selective memory.
No statistical testing was performed. The claims listed above are based on means alone and are presented for informational purposes.
Fair use statement
Cybersecurity, particularly in an office setting, is a great example of how one piece influences the whole. A company can’t keep its data safe without the help of an individual, and vice versa. With that being said, please share this with your own network of individuals, but be sure your purposes are noncommercial, and you link back to this page.