X-Labs
March 30, 2021

“Tiny Crimes” – How Minor Mistakes When Remote Working Could Lead to Major Cybersecurity Breaches (Part 2)

Dr. Margaret Cunningham Principal Research Scientist

In this post, we'll continue our exploration of the recent study Forcepoint undertook into the shifts and changes impacting office workers under work from home mandates. Exploring whether security behaviors changed due to this shift in working patterns, we surveyed 2000 office workers in Germany and the UK, to provide insight and guidance to business and IT leaders managing remote workers during 2021. 

Shadow IT Casts a Long Shade

Use of shadow IT was high across the entire sample of respondents. On average, 47% reported using some form of shadow IT during lockdown.

In addition, 44% of respondents reported using corporate devices at home for personal use, with nearly a third (29%) allowing family members to use work devices and nearly a quarter (23%) reporting using a neighbour’s Wi-Fi to connect in order to complete work.

Across the majority of the survey, there were negligible differences between the two countries responses.  However, German respondents reported noticeably higher usage of shadow IT.  Though it is not possible to identify specific factors contributing to these differences using this dataset, these differences may reflect differences in existing or pre-pandemic work patterns. Perhaps the UK respondents had more experience or were more likely to work from home, and had existing processes or systems in place.  Alternatively, perhaps the German use a wider range or a greater number of technologies in their personal lives that they then began using to facilitate their work duties. 

In addition, shadow IT was one of the areas where a gender difference was seen. Men used shadow IT more than women across the survey (notably using USB sticks and personal back-up devices significantly more than women) and seemed to feel more constrained by company rules. 45% of men said that company policies made it difficult to work well without using shadow IT, compared to 36% of women. 

Tiny Crimes - Shadow IT casts a long shade

If everyone is breaking a rule, perhaps it is the rule that needs changing and not the behavior?”

Stress, Anxiety Distractions and Split Attention

Across the research we found respondents reporting significant stress and anxieties about their jobs. 55% overall found elements of work stressful or anxiety-inducing, with 62% feeling stressed out over competing demands between personal and professional life, and 60% worrying about employment status and job stability.

Half felt isolated, like they were working on projects alone, and 46% agreed that it was more difficult to make day-to-day professional decisions when working from home.

The coronavirus pandemic has, it has often been said, given rise to an unprecedented change in working conditions. Psychologically, when faced with new working conditions, we are forced to devote more attention to what we’re doing which at first can result in making fewer mistakes – at least until the process becomes more routine. However, as our research shows, by December 2020 over a third of people (36%) were stating that they were making more minor mistakes when working from home with 40% agreeing they were more forgetful.

The nature of work from home routines may be riskier than the process of changing to a new routine, because as the research shows we’re less likely to follow basic cyber hygiene practices at home such as locking our screens, logging into VPNs and using strong passwords. Our homes are also often our safe spaces, and where we feel most comfortable. An increased sense of safety and comfort may contribute to high levels of shadow IT and other risky behavior previously discussed.

Additionally, we are not able to compare our technology use behaviors to others in a social setting. In our offices, we may notice others locking screens, clearing off desks, and engaging in other security related behaviors.  At home, we do not have this type of social pressure or social learning.  We are more likely to leave a stack of dirty dishes in the sink for a bit longer than usual when we’re home alone with no one to see than we are if we’ve invited friends or family over. 

Existing psychological research shows that chronic interruptions and distractions can be both mentally and physically stressful, even if the interruptions don’t necessarily increase the amount of work a person needs to complete. Interruptions can also increase perceived time pressure, and lead to feeling overwhelmed when the interruptions stack up and increase our cognitive load. As seen with the caregiver respondents in particular, when we are mentally overloaded, or when our attention is split between multiple demands, we’re more likely to be forgetful or to be unable to fully concentrate on difficult tasks. This may result in mistakes, or perhaps more commonly, a task taking much longer than it normally would.

Again, following on from the section on generational differences, younger people used significantly more shadow IT and believed far more strongly that usage of shadow IT was necessary in order to do their jobs well.

The differences revealed in this survey, especially with regard to shadow IT use, show that there is much more research and exploration to be done in this area. We are left to wonder if shadow IT use is related to the desire to complete work duties more easily or more seamlessly? Or, do people who use a greater number of technological solutions in their personal lives, such as cloud storage or managing personal obligations via apps, tend to use shadow IT in their professional lives more often than others? Do employees who work multiple jobs, and who depend on personal devices to complete certain jobs, have a more relaxed mindset regarding digital boundaries and systems? Whatever the answers may be, better understanding of human behavior and use of technology is critical for improving security solutions that protect organizational assets and personnel. 

Justification of shadow IT use

With so many people using shadow IT, we were keen to explore why. Overall, 38% claimed they needed shadow IT to get their jobs done. In somewhat of a contradictory response, 60% stated that they had considered the cybersecurity risks of using shadow IT.  Clearly the potential risks do not always outweigh the benefits. 72% said they have taken extra time to understand the cyber processes for using mobile endpoints, and 43% stated they have changed settings since homeworking to improve cybersecurity. Overall, 44% stated that shadow IT allowed them to perform certain tasks more easily, and among the younger age group this justification rose to 67%.

Tiny Crimes - Usage of shadow IT skews younger

Usage of shadow IT is still occurring in large numbers across a range of use cases, even though 64% of survey respondents overall stated that their company’s technology and solutions allow them to easily do all aspects of their job.

We could be seeing a prime example of optimism bias, where people underestimate their chances of experiencing an adverse outcome even when faced with significant or concrete information about risks.  People are also often prone to self serving bias when something goes awry.  This means that rather than identify their own actions as contributing to the poor outcome or consequence, they may point to external factors such as their organization’s technology solutions failing to block or protect any threats. 

Shadow IT can be a source of innovation, and in some cases if everyone is breaking a rule, perhaps it is the rule which needs changing, rather than the behavior. However, shadow IT can introduce risk into an organisation if not properly managed.

When we are mentally overloaded, we’re more likely to be forgetful or be unable to fully concentrate on difficult tasks.”

As previously discussed, the younger age group and the caregivers report disproportionate stress and anxiety, and they also reported higher levels of risky behavior. This area of the survey is also one of the areas where a clear gender difference was seen, with women reporting more negative impacts from remote working. In five of the ten areas regarding anxiety and stress, women reported higher levels of concern, with 55% of women stating they felt at risk of burnout (compared to 52% of men) and more women than men feeling isolated, stressed by competing demands, and concerned about job security.

Takeaways and Guidance for Business and IT Leaders

The survey did however report strong levels of support coming from employers to employees. The overwhelming majority of people stated that they understood broad organizational goals (86%), were part of a team that felt well organized (81%), felt motivated to complete their work (83%) and that their work was recognised by managers and co-workers (82%).

During the shift to working from home, only a quarter stated that technology has been a barrier, and 52% of people reported that their companies had assessed their home equipment and offered more, with 59% of people having received additional training or reminders on cybersecurity.

There are many positive impacts that can come from the remote working environment. As well as benefits such as reduced commuting time and more flexibility, the innovations and digital transformation introduced during this period can continue to deliver benefits once office working is possible again.

Shadow IT usage in particular is interesting, as its usage is not due to malice or carelessness, but is undertaken by staff in order to be more productive. In fact, shadow IT can actually lead to innovation and increased productivity.

Shadow IT use or other behaviors that go against company policies is important to understand, and may in fact highlight areas of innovation and increased productivity.  In addition, It is critical to note that deviations from rules and behavioral responses to highly stressful work environments are typically not a reflection of personal failings or of intentional misconduct.  Rather, people’s behaviors are shaped by their surroundings in ways that have a significant impact on their actions.  For instance, we could consider people with challenging work from home environments as driving through a blizzard with no experience navigating icy roads, learning as they go. In contrast, people with less challenging home environments are cruising down an open road in the sunshine. Organizations should expect more errors and deviations from the norm from those in bad weather, but organizations must also account for the fact that those experiencing bad weather do not control the climate. 

As a result of the significant social shift caused by remote working mandates, business leaders can take steps to not only ensure effective data protection and cybersecurity, but take personal and psychological impacts into account to provide a more supportive environment.

IT and security leaders can:

  • Ensure that critical data is defined and adequately protected - remote and flexible working patterns will last far longer than lockdowns.
  • Rather than focusing on black-and-white IT usage policies that simply block access, look instead at uncovering the use of shadow IT and setting up new policies where necessary.
  • Communicate and raise awareness around IT security issues. Invest in more security training and threat detection solutions that help people perform better. 
    • Choose IT training programs which challenge employees and create ongoing learning opportunities.
    • When possible, provide explicit and easy to follow instructions that can help employees take action to protect their home networks.
  • Leaders must model good security behaviors for their teams, talk about security, and foster culture of shared responsibility and resiliency.
  • Consider investing in cybersecurity solutions designed to provide another layer of security beyond the human element, for example threat detection tools designed to flag suspicious inbound emails that constitute a malware or account takeover threat.

Business leaders can also:

  • Ensure that employees are comfortable in their home offices and provide supplementary equipment as needed
  • Prioritize and facilitate a healthy work-life balance, considering for example regular meeting-free days, and supporting taking time off.
  • Identify ways (such as anonymous surveys) to tap into employees’ needs, workloads and stress levels, and how they may be impacted by ongoing stress.

Business leaders must understand that humans have a finite amount of memory and attention. Some of the reasons we make mistakes are because either we aren’t paying, or can’t pay close enough attention to the task at hand. Sometimes we are forgetful, or we have the wrong amount of information. A person’s physical, mental and environmental state can contribute to whether they can pay attention, remember, and think critically.

ees perform better and make fewer mistakes when they aren’t burnt out and overwhelmed. Enterprises can take this opportunity to examine corporate culture and identify whether or not there are implicit or explicit social rules they can change, which can contribute to a healthier, happier workforce. 

Full Survey Data including country split is available on request.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.

Dr. Margaret Cunningham

Principal Research Scientist

Dr. Margaret Cunningham is Principal Research Scientist for Human Behavior within our Global Government and Critical Infrastructure (G2CI) group, focused on establishing a human-centric model for improving cybersecurity. Previously, Cunningham supported technology acquisition, research and...

Read more articles by Dr. Margaret Cunningham