Remote workers are more aware of cybersecurity risks than in-office employees: new study

Workers who telecommute tend to be more aware of cybersecurity threats than those who spend most of their time in a physical office and are more likely to take action to ward them off, according to our new peer-reviewed study^[1].

Our findings are based on Amazon Mechanical Turk^[2] survey data collected from 203 participants who recently switched to full-time remote work, as well as from 147 in-office workers, across multiple organizations within the United States. We didn’t collect data on hybrid workers.

We asked employees the same series of questions about their work arrangements as well as their understanding of cybersecurity threats^[3], and the actions they’ve taken to defend against them.

To account for other factors likely to influence how an employee responds to perceived cybersecurity threats and risks, we controlled for key participant characteristics and various factors, including age, gender, industry type, company size, job position and the duration of remote work. In addition, we tried to ensure the robustness of our data by conferring with other experts and using various statistical techniques.

We found that remote workers, on average, were more mindful of cybersecurity threats and could better recognize safe cybersecurity practices and protection measures compared with office-based employees. Similarly, our data showed that remote workers were more likely to take cybersecurity precautionary measures than their in-office counterparts.

Why might this be the case?

When employees work from the office, they generally expect their organization to provide and deploy security countermeasures to deal with cyber threats and risks. As a result, in-office workers may become complacent about cybersecurity awareness. This could account for in-office workers taking fewer steps to shore up their cybersecurity.

In contrast, the lack of an institutional cybersecurity framework forces remote workers to become more mindful of the risks they may be exposed to.

Why it matters

Employees are the first line^[4] of defense against cybersecurity attacks, which have been on the rise^[5]. Cyber attacks around the world increased 38% in 2022^[6], according to Check Point Research, which provides cyber threat intelligence.

And one of the main ways hackers manage^[7] to worm their way into corporate computer networks is via employees – for example, with a phishing email^[8].

During the early days of the COVID-19 pandemic when much of the workforce was sent home due to lockdowns, cybersecurity was a big concern^[9]. In cybersecurity jargon, it increased the “attack surface^[10],” or the sum of all ways an organization’s network is exposed to potential security risks. Companies worried^[11] whether employees working remotely would take cybersecurity seriously.

With remote work becoming increasingly the norm for many companies, our research suggests that this risk isn’t as great as once feared.

What still isn’t known

We still need to determine whether heightened cybersecurity awareness and precautionary behavior among remote workers will diminish over time. Research suggests that cybersecurity awareness acquired through training and knowledge programs tends to dissipate over time^[12].

As remote working arrangements become more mainstream, does security complacency set in for these workers? It is important to know how long the increased cybersecurity awareness will enable precaution-taking behavior and how remote workers can renew and sustain this vigilance.

The Research Brief^[13] is a short take on interesting academic work.

References

1. ^{^} our new peer-reviewed study (doi.org)
2. ^{^} Amazon Mechanical Turk (www.mturk.com)
3. ^{^} cybersecurity threats (www.cisa.gov)
4. ^{^} Employees are the first line (theconversation.com)
5. ^{^} have been on the rise (www.crowdstrike.com)
6. ^{^} increased 38% in 2022 (www.securitymagazine.com)
7. ^{^} one of the main ways hackers manage (www.shrm.org)
8. ^{^} for example, with a phishing email (theconversation.com)
9. ^{^} cybersecurity was a big concern (www.peoplemanagement.co.uk)
10. ^{^} attack surface (www.crowdstrike.com)
11. ^{^} Companies worried (zipdo.co)
12. ^{^} tends to dissipate over time (www.usenix.org)
13. ^{^} Research Brief (theconversation.com)