Is your IT team compromising security for business continuity?

A vast majority (91%) of IT teams surveyed across Canada and other countries felt pressure to compromise security for business continuity, admitting that security took a backseat to business continuity during the pandemic, a new report from HP Inc. reveals.

According to the HP Wolf Security Rebellions & Rejections report, more than nine in 10 IT team respondents felt pressure to compromise security during the pandemic. Three-quarters (76%) said security took a backseat to business continuity.

The findings were based on a Toluna survey of 1,100 IT decision-makers in Canada, the United States, the United Kingdom, Mexico, Germany, Australia and Japan. The report also used data from a global YouGov survey of 8,443 office workers in the same seven countries who shifted to working from home during the pandemic.

“The findings show that IT teams have been forced into compromising security for business continuity at a time of rising threats,” HP said in a press release Sept. 9, when the report was released. “Making matters worse, their attempts to increase or update security measures for remote workers have often been rejected. This is particularly true for the future workforce of 18-24-year-olds – digital natives who feel increasingly frustrated with security getting in the way of deadlines, leading many to circumvent controls.”

Securing the growing hybrid workplace presents an exponential threat landscape, HP said, a finding that has implications for cyber insurers. According to the results of YouGov poll, almost half (48%) of younger office workers (aged 18-24) surveyed viewed security tools as a hindrance, leading to nearly one-third (31%) trying to bypass corporate security policies to get their work done.

iStock.com/peshkov

Also concerning for IT teams (and cyber insurers) is that 48% of office workers surveyed agreed that “seemingly essential security measures” result in a lot of wasted time — this rises to 64% among those aged 18-24. Over half (54%) of 18-24-year-olds were more worried about meeting deadlines than exposing their organization to a data breach; 39% were unsure what their security policies say, or are unaware if their company even has them — suggesting a growing level of apathy among younger workers, HP said.

“As a result, 83% of IT teams believe the increase in home workers created a ‘ticking time bomb’ for a corporate network breach,” HP said, using stats from the Toluna survey.

Ian Pratt, global head of security for personal systems at HP, said the fact that workers are actively circumventing security should be a worry for any CISO (chief information security officer). “This is how breaches can be born.

“If security is too cumbersome and weighs people down, then people will find a way around it,” Pratt said. “Instead, security should fit as much as possible into existing working patterns and flows, with technology that is unobtrusive, secure-by-design and user-intuitive. Ultimately, we need to make it as easy to work securely as it is to work insecurely, and we can do this by building security into systems from the ground up.”

Security teams have made efforts to curb user behaviour to keep data safe, HP reported. More than nine in 10 (91%) have updated security policies to account for the rise in working from home, while 78% have restricted access to websites and applications. However, these controls often create friction for users, who sometimes pushback on IT. According to the report, 80% of IT teams experienced pushback from users who do not like controls being put on them at home; 67% of IT teams said they experience complaints about this weekly.

“Users have a new set of expectations around the technology they use every day to do their jobs and are looking for a seamless experience that doesn’t hinder their workflow. They expect things to work quickly and refuse to be encumbered, especially younger generations,” HP said in the report. “As a result, cybersecurity teams have been facing an uphill battle trying to secure the increasingly perimeter-less workplace and become burned out and dejected when their efforts are ignored. Building bridges between users and cybersecurity teams will play an important part in securing the future of work.”

Feature image by iStock.com/weerachonoat