There’s no denying the coronavirus pandemic is having a significant impact on the way we use technology. Some changes feel like a subtle acceleration of behavioral shifts that were already well underway (i.e. more online shopping and more streaming TV/movies).
Other changes are more extreme and we’re only beginning to understand the long-term effects. One of the biggest changes has to do with the way people work. More people are working from home than ever before and many are doing so for the very first time.
Now, combine these newly appointed remote workers with company-owned hardware and things are bound to go wrong. Right?
When it comes to light duty personal tasks like checking email, reading the news, or shopping online, most people who are working from home during the pandemic have no qualms about doing so on a work assigned device. The reason? It’s convenient, it’s believed to be low risk, and, in many cases, it’s allowed. Comparatively, few remote workers avoid any and all personal activities on their work hardware.
These findings and more come out of the latest Malwarebytes Labs reader survey on working from home during the coronavirus pandemic.
Business cybersecurity: perception vs. reality
Before we dig into the results of this new survey, we need to get a little context by looking back at an earlier survey Malwarebytes Labs conducted in August. In this study of the impact of COVID-19 on business cybersecurity, the Labs team spoke with 200 managers, directors, and C-suite executives in IT and cybersecurity roles at companies across the US to determine how their security posture has changed since the start of the pandemic. Sure enough, many companies were caught flatfooted, with 24 percent saying they incurred unexpected expenses relating to a cybersecurity breach or malware attack following shelter-in-place orders. Another 20 percent of respondents said they faced a security breach as a result of a remote worker.
The Labs team wanted to get a better understanding of how and why these security breaches happened. Are remote workers engaging in risky behavior that might open employers up to a potential security breach? To get answers, we went straight to our readers.
We asked Labs readers if they worked from home and, if so, did they have a work device provided by their employer. For the purposes of this survey we defined a work device as a desktop computer, laptop, smartphone, or tablet.
Of the 900 readers who took the survey, 77.5 percent said they currently work from home. About half of at-home workers, 52.7 percent, said they had a work assigned device.
In the earlier study focused on IT leaders, 47 percent said they were confident that their employees were “very aware” of cybersecurity best practices when working from home. Only 17.3 percent believed their employees were “acutely aware and mindful to avoid risk.” A mere 5.4 percent said their employees were “oblivious and risky.”
The results of the latest reader survey appear to support these assessments.
When we asked Labs readers if they used a work device to perform personal tasks not relating to work, most people said they felt comfortable performing seemingly low risk everyday tasks. Specifically, 52.6 percent said they sent or received email, while 52 percent said they read the news. Another 37.8 percent said they shopped online, and 25 percent said they checked their social media.
As for why, most people said it was convenient:
“I’m using the work device during the day, no point starting up my own personal device just to do something I could do on the device I'm already sitting at and using.”
A smaller group of respondents said it was expressly allowed by their employer:
“Work policy allows some personal use outside of work times—read Washington Post, New England Journal of Medicine, Zoom with friends.”
A few said they didn’t have the luxury of switching to a personal computer:
“Kids are using the family computer, I’m already on my work computer.”
For a significant chunk of readers, breaking the monotony of day-to-day WFH life was worth any potential risk. Some 25 percent of respondents said they streamed music, while 24 percent said they streamed videos or movies.
“Easier to stream (within reason) background music and videos while working rather than switch to a dedicated device. Same with reading news and other activities that do not require a personal account sign-in.”
A small, but impressive 30 percent of respondents said they never performed any kind of personal activity on a work assigned device. When asked why, most said something to the effect of “It’s not my computer.”
“I don’t. When I’m tempted to, it’s because it’s easier to not switch to another device or because my work computer has better software than my personal computer. But it’s not my machine so I don’t.”
Others said that personal use was forbidden or outright restricted:
“I work for the government. They monitor computer usage, so no personal stuff done on the work laptop.”
Risky business for remote workers
Remote workers who engaged in online behavior that could be considered high risk were relatively few. Of those surveyed, 22 percent said they downloaded or installed an application on work systems. Another 6.5 percent of respondents said they used a work device as a WiFi hotspot for other devices. Possibly taking advantage of more powerful work hardware, 4.6 percent said they played video games.
It’s worth noting, gamers are a favorite target for cybercriminals. Malwarebytes Labs has reported on cheat tools that contain hidden malware, in-game currency scams, and phishing sites that lure victims in with the promise of “free” games.
At this point, you’re probably wondering why there’s no data about how many remote workers used work devices to connect to unsecure public WiFi networks. Varying shelter-in-place restrictions and the closure of many facilities that offer public WiFi (like coffee shops and restaurants) make it nigh impossible to get accurate data on the subject. If anything, we’ll save that question for a future survey.
For now, it’s safe to say most people working from home are doing so safely. However, the onus is on employers to set clear boundaries around what employees can and cannot do with the company hardware.
One survey respondent summed it up best:
“Pure convenience. The work laptop is fully set up with a dock and connections to keyboard, mouse, external monitor, and wired Internet … So, short answer: I’m lazy.”
The same respondent added:
“It’s probably worth noting that the employer has a reasonable set of safeguards on the laptop itself—I could not, for example, randomly download new software, nor visit certain non-safelisted sites.”
If you’re a business owner, short of placing draconian restrictions on what your remote workers can and can’t do with their work devices, now is a good time to remind employees about work device protocols. To that end, check out our security tips for working from home. Finally, we would be remiss without mentioning Malwarebytes offers endpoint protection solutions that keep your employees, devices, and network safe if and when a remote worker clicks a bad link, opens an infected attachment, or visits a malicious website.