In the last two years, hybrid workplaces have emerged as “the future of work.” In this new model, employees have more flexibility about the way they work, while employers can boost business resilience. But this work evolution also changes how organizations approach cybersecurity—they can no longer afford to push security to the sidelines or keep it disconnected from their business goals.
We wanted to understand how the future of work impacts the way small and medium-sized organizations in the private and public sectors view cybersecurity and password management. To learn about cybersecurity trends, we conducted separate surveys of workers and IT decision-makers, along with supplemental interviews with a select group of IT leaders. Here’s what we learned.
Antennas are up for most organizations. Among all our survey participants, 83% noticed an increased level of security awareness and importance at their organization. This means small and medium-sized organizations realize the stakes are high in the digital era.
This increased awareness translated into action, but only for a small group of organizations. Overall:
Throughout our two separate surveys, we noticed that leaders’ perceptions differ from employees’ perceptions in many areas. For example:
These differences are not unexpected because individual roles influence people’s view of their organization’s inner workings. And since leaders drive many of the security initiatives, they see the changes in awareness and security practices through a different lens than most employees.
Our survey found many differences between larger and smaller organizations. Those with more than 300 employees were more likely to note heightened cybersecurity awareness, changes in security practices, and even higher passion for cybersecurity among employees.
Some of these differences may be attributed to the smaller proportion of remote workers at the smallest organizations. However, the more significant reasons are likely the lack of cybersecurity resources and the illusion that cybercriminals don’t target smaller companies. Yet the past few years have demonstrated that size doesn’t matter to cybercriminals—smaller companies are just as much at risk of cyberattacks, if not more.
Increased password manager usage was the top change that organizations made as a result of remote work, with 38% of employees and leaders identifying this shift. Increased cybersecurity training and new policy adoption weren’t far behind (37% and 36%, respectively).
This indicates that organizations understand that people and policies are equally important to maintaining a strong security posture. Changing behaviors and improving the security culture also requires human-centric security, and these findings show that many organizations are well on their way to adopting this mindset. We also found that:
While the employees and the leaders in our two surveys have varying sentiments about different areas of cybersecurity, they’re on the same page when it comes to the need for a password management solution. But leaders feel much more strongly about it.
About half (52%) of employees believe their organization needs a password manager; among leaders, a resounding 97% feel the same. This tells us that employees want digital security tools that help them practice better cybersecurity to keep their organization safe—and leaders are fully behind employees’ desire to have better tools.
Many employers are already making strides here: 41% of organizations represented in our surveys require a password manager for everyone, with another 18% adopting it for some, and 13% offering it as an option. The cohort requiring this digital security tool the most is employers with 301–400 workers (51%), followed by those with 401–500 workers (42%).
From our supplemental leader interviews, we also learned that employees want a dedicated resource beyond an office manager or IT admin for managing access to a password manager. They feel they can handle it for a while, but once the company grows bigger, too many things can go wrong. Choosing a password manager that’s simple and comes with great onboarding features can help achieve this—and the simpler the tool, the more likely employees are to adopt it.
52% of employees overall believe their organizations need a password management solution. Opinions varied by industry, though.
The majority of our participants said they regularly handle more than five passwords for their work accounts, with 6–10 as the most common number (identified by 41% of respondents). Not surprisingly, given their role, leaders juggle a lot more—72% have more than five passwords, and 53% have 6–10. Education, finance, and healthcare workers are particularly likely to be in the 6–10 accounts range.
Across sectors, employees in banking have the highest access fatigue (with 34% of employees juggling 10 or more passwords), followed by education (25%). Retail and finance tied for the third spot (23%). Access fatigue could lead employees to look for shortcuts, such as reusing passwords or resorting to simple, easy-to-remember ones. Such shortcuts are highly risky for organizations because malicious actors commonly use compromised and weak passwords to break in.
Despite their jumble of logins, employees are not confident that their co-workers use password managers widely. Although 41% of surveyed organizations require a password manager, only one-fifth of employees believe the adoption rate among their co-workers is 95–100%. Worse yet, close to one-third (29%) believe the adoption rate is 50% or less.
Here, too, leaders have a different view—employees are much more skeptical than IT teams. Nearly 40% of our IT leaders believe the adoption rate at their organization is 95–100%, and only 20% believe the rate is 50% or lower.
Since leaders have a closer view of their companies’ security tools than other employees, it’s likely that their understanding of the adoption rates better reflects reality. Even so, it’s clear that organizations struggle with employee buy-in.
Even when organizations invest in security tools, employees may not use them if they don’t trust those tools or learn how to use them. Our survey found that both employees and leaders believe the main barrier to password manager adoption is a lack of knowledge about the features.
The fact that so many IT leaders don’t understand their password manager’s features, find the tool difficult to set up, or don’t feel they’re getting good ROI helps explain the low adoption rates discussed earlier. It would be challenging for leaders to “evangelize” the use of the tool to their organization if they don’t understand how the password manager works and don’t feel it’s easy to use.
For effective onboarding, employees need to know not only why they need a password manager but also what features are relevant to them and how these features improve security. Take advantage of the resources that many vendors offer as part of their onboarding.
For organizations that have overcome barriers to adoption, the outcomes are positive. Among our survey participants, both employees and leaders in workplaces that require a password manager believe their organization has a lower risk of being hacked or breached.
Leaders are much more convinced that this is the case—90% expressed that their organization is either “not at risk” or “not at all at risk” for being hacked or breached, compared to 59% of employees.
Leaked passwords are abundant in the criminal underground due to the massive number of data breaches. With automated tools, cybercriminals can check the validity of these passwords quickly and at scale. A password manager lowers the risk of compromised and weak passwords, and our study shows that organizations see the results.
Insurance, finance, and banking stood out as the sectors embracing security tools the most—perhaps because stricter regulations lead to broader mandates for improving security.
Cybersecurity best practices may vary slightly from sector to sector, but many are foundational regardless of the industry. Understanding these best practices and adopting the fundamentals will help organizations of all sizes improve their cybersecurity preparedness.
Our latest research found that remote and hybrid work is going mainstream: only 10% of all our surveyed employees and leaders reported no remote workers at their organizations. With remote work commonplace, the pace of online tool adoption will continue to accelerate—which means that cybersecurity will become an increasingly high priority for small businesses.
Protecting sensitive data in this new environment requires behavioral change through a strong, human-centric security culture.
Discover more cybersecurity trend insights, along with key predictions and our recommendations, in our 2022 Future of Secure Work for People + Organizations report.