One click on a suspicious link. A company computer connected to public WiFi without a VPN. A password scribbled on a sticky note and left on a desk.
These small employee missteps can expose organizations to huge cyber risks. But while most employees are aware of cyber theft and other digital dangers, our latest Workforce Pulse Survey shows that most don’t grasp the devastating consequences a data breach or other attack could have on their company, on society — or even on themselves.
PwC surveyed more than 1,100 American workers nationwide during the week of July 14, 2020. The results reveal a sobering reality for business leaders: The communication and training they offer on cybersecurity and cyber acumen aren’t resonating with employees. Most workers have little awareness of how their employers are protecting them or their company from hackers, ransomware, phishing or other attacks. In some cases, employees are even flouting security rules by downloading unsecure apps or sharing their work device with family members.
At a time when 61% of CISOs and CIOs say they’re seeing an increase in risks from the use of non-enterprise devices and software due to more people working remotely, there’s a clear opportunity for leaders to make cybersecurity part of their broader safety agenda for employees. Leaders need to double down on targeted communications and training, enforce policies and embed effective controls. Most of all, they must convince their people that practicing good cybersecurity habits will do more than help the company and its multiple stakeholders — it will also help protect their digital lives both at work and at home.
View additional Workforce Pulse Survey findings
Most employees are worried on some level about the dangers of cyber attacks. Their concerns center around the potential impacts to their privacy, such as the exposure of personal information like Social Security numbers, rather than on consequences for the company. But only 22% are very worried about personal financial loss from an attack, and just 15% say they’re very worried about their emails being exposed.
Some employees may simply assume that their company has strong measures in place to protect their information. In fact, 75% of respondents say they trust their employer more than they trust tech companies to keep their personal information safe. But employees may not be aware that many attacks on organizations aren’t necessarily targeting the company. Instead, they’re aimed at stealing employee data, such as salary and retirement information, health status and other personal information.
Employees and their devices have become the primary gateway to cyber incidents and breaches in recent years — whether through social engineering, malware or hacking. The cost of breaches is borne by individuals as much as by corporations. So communication and training should include information that helps employees understand the ramifications cyberattacks can have on them personally, as well as on the company.
It may also help to highlight the broader societal risks. The effects of even a single successful cyber attack can ripple well beyond company walls to harm citizens and communities. Hijacked social media accounts, misinformation campaigns, compromised consumer data, tax scams, and government systems held hostage by cybercriminals and nation-state actors erode public trust and can cause lasting damage.
Even before the COVID-19 pandemic, leaders were investing in security measures aimed at preventing cyber attacks and improving cyber acumen, including adding more training for their entire workforce. Nearly 70% of CISOs and CIOs say they increased security training as a result of COVID-19. In contrast, only 30% of employees say their employer offered training on the dos and don'ts of protecting company and personal digital assets, data and information.
Less than a third say their employer provided devices so they could work outside the office without having to use their personal devices. And only 23% say their firm provided a compelling case for why employees need to have good data security habits. Meanwhile, CISOs and CIOs report strong positive impacts from investments to secure remote work (such as authenticating employees accessing their networks and managing mobile devices and other endpoints beyond corporate networks), as well as investments in real-time threat detection and intelligence.
Granted, some of these measures, like screening for potential attacks, take place behind the scenes, outside of most employees’ daily activities. This helps explain why employees may not appreciate all the near-misses security teams prevent every day, because only a few big breaches make headlines. But the lack of awareness around more visible tactics, such as enhanced policies or additional training, indicates that the efforts leaders are making to help increase their employees’ cyber acumen simply aren’t resonating.
In general, the majority of employees surveyed say they’re acting in cyber-protective ways, such as using their corporate-approved devices and apps for work purposes only. But some employees — specifically Millennials and Gen Z workers — could be raising risk levels for their organizations. PwC’s survey found that these groups are more likely to let friends and family use their work computer for games, online shopping or other personal activities. More than half (51%) of Millennials and 45% of Gen Zers say they use apps and programs on their work devices that their employer has expressly prohibited.
What’s driving this divergence? It could be frustration at what these two groups view as overly burdensome security restrictions — or simply a desire to use apps that make it easier to do their jobs, even if those apps aren’t approved by their company. Employees want the same fast, convenient, frictionless tech experience they have in their personal lives to happen at work, too. But the user experience of enterprise technology isn’t always as seamless as it could be. And with so many people working from home, the need for reliable, user-friendly apps and programs that enable collaboration, creativity and communication has never been higher.
Mistakes happen, and hackers continue to find new ways to get into corporate systems. Even the most stringent security measures can’t prevent every employee from accidentally responding to a phishing email or visiting a website that secretly allows access to company systems. It’s critical for employees to alert their employers as soon as possible when an issue arises, but the majority of employees say they’re not comfortable doing that. Just 26% of respondents strongly agree that they can escalate a security incident they may have caused without fear of reprisal.
It’s important to reinforce the message that it’s okay to elevate a security risk. Consider implementing a zero-tolerance policy on retribution or creating a channel for people to report security risks anonymously. The more willing people are to report a risk, the faster you can identify and contain the fallout.
PwC conducted an online survey of 1,118 U.S.-based adults from a general population between July 14 and 16, 2020. The PwC Workforce Pulse Survey is conducted on a periodic basis to track changing sentiment and priorities among employees. View the June 15, 2020 survey.