Survey Reveals 65% of Employees Take Security Shortcuts
Organizations invest in cybersecurity solutions and develop policies and procedures to ensure compliance and minimize risk, only for employees to circumvent those policies and security measures. The scale of the problem was highlighted by a recent survey conducted by Censuswide on behalf of the security and access management vendor, CyberArk. The survey explored employee behaviors and was conducted in October 2024 on more than 14,000 employees in a wide range of job roles and various verticals in the US, UK, France, Germany, Australia, and Singapore.
Almost all surveyed employees had some form of privileged access or access to sensitive data, and all employees accessed business-critical applications using corporate devices. 80% of employees also admitted to accessing work applications using their personal devices. While employers may have Bring Your Own Device (BYOD) policies allowing personal devices to be used for work purposes, personal devices typically lack security controls and pose a security risk. For instance, 36% of employees who said they use a personal device for work purposes admitted to delaying applying security updates. Alarmingly, 65% of employees said they often bypass their organization’s security policies to improve productivity and make their lives easier. For instance, many admitted to forwarding corporate emails to personal email accounts and using personal devices as Wi-Fi hotspots.
Almost half of employees (49%) admitted to using the same credentials for multiple work applications. 36% of employees said they used the same password for personal and work accounts and 27% said they use just one password for their accounts, despite the security risk. Should that password be compromised in a data breach, a threat actor could gain access to all accounts that share the same password. The high percentage of employees reusing passwords is why password spraying attacks have a high success rate. Almost one-third of employees (30%) said they shared work passwords with colleagues. AI tools such as ChatGPT were used by 72% of surveyed employees. While employers often have policies prohibiting sensitive data from being input into these tools, 38% of employees said their employer does not have such a policy or the policy is sometimes or always ignored.
Security measures and company policies are often bypassed with the best intentions – to improve productivity and get more work done in less time. Security policies are often viewed as cumbersome, and many employees do not fully appreciate the level of risk introduced when they bypass security measures and do not adhere to company policies. It is important to fully explain the risks in security awareness training and how often cyber actors take advantage of the security gaps created by employees taking security shortcuts.
It is not only employees that pose a security risk to the organization. Most organizations provide at least some cybersecurity and security awareness training to their workforce, but the survey data suggests that training for the C-suite is lacking. 25% of entry-level employees said they had clicked on a phishing link at work at least once, compared to 62% of C-suite executives. Security awareness training needs to be provided to the entire workforce, including the C-suite.
The survey results show that risky security practices are incredibly common. CyberArk recommends building resilient identity security strategies that make it easy for workers to do their jobs while reducing cybersecurity risks. On the password security front, employers can take steps to help employees comply with password policies without impacting productivity. When employers provide a password manager, employees can set complex, unique passwords for each of their accounts without having to remember or type in those passwords when needed. Many employers have attempted to improve productivity by implementing single sign-on for authentication, and while this can make life easier for employees and improve security, it does not eliminate risks entirely.
“[Single sign-on] ignores the reality of the modern worker and the changing nature of identity: the average employee can be a casual workforce user and, the next moment, a privileged account,” explained Matt Cohen, CEO at CyberArk. “These findings show that high-risk access is scattered throughout every job role and bad behaviors abound, creating serious security issues for organizations and highlighting the pressing need to reimagine workforce identity security by securing every user with the right level of privilege controls.”


