A recent Bromium survey of 210 security professionals in the U.S. and U.K. found that 35 percent of respondents admitted having gone around, turned off, or bypassed their own corporate security settings.
Even more alarmingly, 10 percent of respondents admitted having paid a ransom or hidden a breach without alerting their team.
"While we expect employees to find workarounds to corporate security, we don't expect it from the very people overseeing the operation," Bromium co-founder and CTO Simon Crosby said in a statement. "Security professionals go to great lengths to protect their companies, but to learn that their decisions don't protect the business is frankly rather shocking."
"To find from their own admission that security pros have actually paid ransoms or hidden breaches speaks to the human factor in cyber security," Crosby added.
A Need for Training
Still, a recent ESET survey of over 400 U.S. adults found that a third of respondents said they hadn't received any form of cyber security training at their organization, and 62 percent said they don't receive recurring cyber security training.
Forty-nine percent said they would take a cyber security training course at their workplace, even if it were optional to attend.
Respondents said they feel like their largest cyber security knowledge gaps are in email threats (30 percent), protecting mobile devices (30 percent), ransomware (29 percent), smart or connected devices (29 percent), and creating strong passwords (16 percent).
Strikingly, 20 percent of respondents said they're "not at all aware" of cyber security best practices, while 52 percent said they're "somewhat aware."
Cyber Security Novices
A separate MediaPro survey of 847 retail employees recently found that fully 71 percent were cyber security risks or novices who could benefit from enhanced awareness of privacy and security risks.
Survey respondents' cyber security awareness was weakest with regard to incident reporting, identifying personal information, working remotely, cloud computing, and acceptable use of social media.
Twenty-six percent of respondents thought it was acceptable to use a personal USB drive to transfer work documents when working remotely, and 25 percent failed to identify a sluggish computer as a potential sign that it might be infected.
Twelve percent of respondents chose to use free, public Wi-Fi at a cafe to complete their work for the day, and 47 percent said they'd hold the door open for someone who appeared to work with them even if they didn't have ID.
"The results of this survey strongly suggest retailers need to rethink cyber security and data privacy as matters of overall risk management, not just check-the-box compliance based on PCI standards alone," the MediaPro report states. "Retailers limit their employee education to PCI training at their own risk, as threats to an organization's financial and reputational wellbeing exist beyond the typical coverage of this training."