New Data Reveals Company Size May Be Tied To Remote-Worker Cybersecurity Practices

Employees at the largest firms are least likely to adhere to wifi and password security guidelines.

The security of a company is often in the hands of the employees who access its data day-to-day. New data from a global study commissioned by Tenable and conducted by Forrester Consulting reveals that remote employees’ use of personal devices, their adherence to security guidelines and their sense of responsibility for company security vary based on the size of the company they work for. 

Personal device use for work

The larger the company, the less likely remote employees are to use personal devices, such as laptops, smartphones and tablets, for work. Less than half of remote work respondents at companies with 20,000 or more employees said they use personal laptops or smartphones for work. Whereas over half of respondents at smaller businesses said they use personal devices for work.

Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021. Base: Full-time employees working from home three or more days a week for organizations with 1,000 to 4,999 (N=261), 5,000 to 19,999 (N=157), and 20,000 or more (N=61) employees

A further look at the types of company data employees are accessing on their personal devices reveals the trend in more detail: customer data, financial records and third-party contracts are accessed on personal devices at a much higher rate by employees at smaller firms than they are by those working at firms with 20,000 or more employees. 

Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021. Base: Full-time employees working from home three or more days a week for organizations with 1,000 to 4,999 (N=243), 5,000 to 19,999 (N=148), and 20,000 or more (N=52) employees who use personal devices for work

However, one trend is ubiquitous no matter the company size: employee use of work devices to access websites for personal purposes. Corporate devices are being used to access personal social media accounts or streaming services, among other activities. 

Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021. Base: Full-time employees working from home three or more days a week for organizations with 1,000 to 4,999 (N=256), 5,000 to 19,999 (N=151), and 20,000 or more (N=58) employees who use employer-provided devices for work

Corporate security guideline adherence 

Survey respondents at firms with 20,000 or more employees self-report less adherence to strictly following best practices with regards to public wifi access and strong passwords than those at smaller firms. In fact, only 16% of respondents at companies with 20,000 or more employees say they strictly adhere to guidance regarding public wifi, and just 20% strictly follow guidelines for setting passwords, compared with 21% and 27%, respectively, of respondents at companies with 1,000-4,999 employees. 

Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021. Base: Full-time employees working from home three or more days a week for organizations with 1,000 to 4,999 (N=261), 5,000 to 19,999 (N=157), and 20,000 or more (N=61) employees

When it comes to updating devices, however, more employees at the largest firms claim to do so immediately, as compared with those at firms with less than 20,000 employees. In a prior chart we indicated that employees in the largest subset of companies were also more likely to use employer-provided devices for work.

Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021. Base: Full-time employees working from home three or more days a week for organizations with 1,000 to 4,999 (N=261), 5,000 to 19,999 (N=157), and 20,000 or more (N=61) employees

Employees at the largest firms are less likely than those in the middle category of company size to claim that they are aware of corporate cybersecurity guidelines by a margin of -10 percentage points. Yet, those in the largest subset are also least likely to admit that they sometimes ignore cybersecurity policies. 

Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021. Base: Full-time employees working from home three or more days a week for organizations with 1,000 to 4,999 (N=261), 5,000 to 19,999 (N=157), and 20,000 or more (N=61) employees

Sense of personal responsibility for company security

Employees at companies in the mid-sized group are less likely to feel responsible for ensuring the security of the devices they use for work. 

Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021. Base: Full-time employees working from home three or more days a week for organizations with 1,000 to 4,999 (N=261), 5,000 to 19,999 (N=157), and 20,000 or more (N=61) employees

When it comes to an overall feeling of responsibility for the security of corporate information, employees appear to feel less responsible when their company is larger, as indicated by the fact that employees in the smallest subset of firms were more likely to somewhat or strongly agree that the have a responsibility for the security of the corporate data they access versus those with 20,000 or more employees by a margin of 10 percentage points. In our view, larger companies tend to have more mature cybersecurity programs and controls in place, whereas smaller firms tend to have less controls and rely on employees disproportionally.

Source: A commissioned study conducted by Forrester Consulting on behalf of Tenable, April 2021. Base: Full-time employees working from home three or more days a week for organizations with 1,000 to 4,999 (N=261), 5,000 to 19,999 (N=157), and 20,000 or more (N=61) employees

Conclusion 

As with everything in cybersecurity, awareness is the first step toward remediation. It is important that corporate security personnel take the size of their own organization into account as they consider how employee behavior affects cybersecurity practices and they should pay special attention to their Active Directory security. In addition, given the recent attacks on the software supply chain, it’s worthwhile for security pros to consider these factors when evaluating third-party vendors, especially those they work with on a regular basis. For more insights, read the study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work.

Learn more

• Read the blog: Cybersecurity Awareness: Six Tips to Help Your Employees Be Cybersmart
• Download the study: Beyond Boundaries: The Future of Cybersecurity in the New World of Work
• View the webinar on demand: Cyber Leadership Lessons from the New World of Work: What’s Next?