Cybersecurity Problems: Before, During, and Post-Pandemic
William H. Dutton and Patricia Esteve-Gonzalez
Global Cybersecurity Capacity Centre (GCSCC), Oxford Martin School, University of Oxford
Has the shift in working patterns in response to the pandemic caused more problems with cybersecurity? Along with colleagues at the GCSCC, we interviewed a set of experts on cybersecurity to get a more empirically grounded idea on the potential impact of the pandemic on the prominence of cybersecurity problems, particularly considering shifts to working from home (WFH).
A set of in-depth qualitative interviews led us to the prospect that cybersecurity advances over the years played an important role in enabling the shift to WFH as well as potentially increasing problems in some areas. For decades prior to the pandemic, increasing numbers of employees began to work remotely – on the move and from home or decentralized centers. The growth of remote work incentivized many organizations to develop systems and policies to support cybersecurity while outside of the boundaries of the central office. Therefore, the pandemic-driven shift to WFH essentially required organizations to scale-up their developing approaches to supporting remote working for significantly larger proportions of their workforces.
Nevertheless, these in-depth interviews left us with little basis for determining whether the themes suggested were generalizable to the larger work force. We therefore conducted a global exploratory survey in collaboration with GrapeData that provided us with a valuable dataset to explore some of these questions. Our global survey with GrapeData was launched online in the summer of 2022. While a nonprobability sample aimed at reaching those in work (a purposive rather than a random sample), we gained the participation of 7,330 internet users across 133 countries. The survey is therefore able to shed light on the perceptions of internet users from across the world regarding WFH and their cybersecurity experiences over time, especially in recent years when the COVID-19 pandemic disrupted the working models for a large portion of the world.
We are examining many multivariate aspects of any results, as multiple factors could explain any rise in cybersecurity problems. However, one set of initial descriptive results can be validly shared. We asked whether individuals experienced specific problems with cybersecurity, and here is what we found, see Figure on ‘Cybersecurity Problems: Currently’.
As the figure shows, most individuals are not experiencing any problem. Only one problem was experienced by over a quarter of respondents: the receipt of obscene or abusive emails. This problem was followed by receiving a virus, spyware or other malicious software on their computer (just under 25%) and being a victim of a scam or fraud online (just under 20%). All twelve of the problems listed in the above figure are serious in that a lot of individuals have been the victim of one or more of these security issues, but four of these problems were experienced by only about 15 percent of respondents, and the five least frequently encountered were well under that percentage – less than 10 percent agreed that they had experienced them. Generally, these results show a wide variability in the different cybersecurity problems experienced by the sample.
We asked the same questions about before, during, and after the pandemic, and you can see that more respondents believed they experienced somewhat more problems during and after the pandemic than prior to the pandemic, as you see below in the Figure ‘Change in Top Cybersecurity Problems’.
Is this rise a real impact or an impression built on recalling more recent versus more distant events? We’ll be looking at our data in relation to a multitude of factors that might shape these perceptions, but it could be that the pandemic did increase the number of people experiencing cybersecurity problems, while also enabling more people to work from home. Both could be true or could be accounted for by alternative explanations. We hope to unravel these issues as our analyses unfold.
For example, one of the most interesting alternative explanations is that it was “change” – the shift to WFH – rather than the home setting itself that led to more problems. For instance, as the next table illustrates through a set of box plots, it is those individuals who shifted their work from a central office to WFH that tended to experience a wider range of problems – most of them experiencing between one to three problems from our list of twelve. Those who had been WFH and continued to do so, did not see an increase – most of them experienced from no problems to two different problems. Nor did those who were working in the office and continued to work in the office. Similarly, most of these participants experienced from no problem to two different problems. So, changing workplaces might be the major trigger to more cybersecurity problems.
Similarly, those individuals who shifted their work from a central office to WFH tended to perceive more cybersecurity problems during the pandemic than before or currently. As the Figure titled “When did you experience more cybersecurity problems” displays, for those individuals that remained in the same workplace during the pandemic, the difference of problems across time was not as clear.
Consider how you are likely to develop practices and habits in any workplace you choose. For example, while working in a central office, you learn over time how to contact IT staff. You know whom to ask among your fellow workers about a suspicious email and so on. Of course, you can reach IT staff and fellow workers online in the office or while WFH, but it is the likelihood of a change in how you do these things tied to a shift in your workplace that could lead you to follow safe cybersecurity practices less routinely. If true, then targeting advice and assistance to those in the process of shifting workplaces could be the most effective use of limited resources.
Practices Shaping Cybersecurity at Work
We also asked respondents whether they agreed with a variety of practices commonly suggested for enhancing their cybersecurity in the workplace (Figure “Percent strongly agreeing with effectiveness”). Over half of the respondents said they agreed with the effectiveness of most of the practices. These generally agreed good practices included (in order of the percentage agreeing): carefully managing your passwords; being careful to avoid phishing and scam e-mails; using strong passwords; using secure networks; not sharing personal information on social media; not visiting websites that look suspicious; checking the authenticity of people who contact you; keeping operating systems and software up-to-date; using licensed (not pirated) software; using two- or multi-factor authentication and blocking pop-up ads.
Less than half, but more than a quarter of respondents agreed with the effectiveness of practices. These included: securely sharing the URL of virtual meetings; managing records of your internet use like “cookies”; using a sliding webcam cover; and keeping family members away from work devices.
While these practices of individuals were judged effective by many respondents, we only know their perceptions. The actual effectiveness depends on many other factors and cannot be gauged only by survey responses.
However, the practices of organizations are also potentially important to shaping cybersecurity in the workplace. We asked about a dozen different measures that organizations sometimes take to protect their workforce online and most respondents judged every one of these practices as helpful. They included: providing access to IT support (the top rated practice); providing anti-virus software; having clear policies for responding to any security incidents or personal data breaches; having policies on working from home or remotely; using software that is pre-approved by the organization; providing corporate centralized storage solutions and internet resources to share working files; providing secure videoconferencing software; providing training on good cybersecurity practices; providing a securely configured device, such as a laptop; providing multi-factor authentication; making corporate applications accessible to you [respondent] only via encrypted communication channels; and providing a corporate VPN for your [respondent’s] use.
While these responses do not dramatically discriminate among the various practices of organizations in support of remote work, they do illustrate the many ways in which organizations are enabling their workforces to work away from the office and in ways that are scalable.
A fuller set of descriptive statistics will be available in a forthcoming report and basic statistical results are also available in a preliminary set of project slides available HERE.
 Bispham, M., Creese, S., Dutton, W. H., Esteve-Gonzalez, P., and Goldsmith, M. (2022), ‘An Exploratory Study of Cybersecurity in Working from Home: Problem or Enabler?’, Journal of Information Policy, 12 (May), https://doi.org/10.5325/jinfopoli.12.2022.0010 An earlier version is also available at: https://ssrn.com/abstract=3897380.
 More details on the sample are available at: https://www.slideshare.net/WHDutton/changing-workplaces-and-cybersecuritypptx.
 The same patterns are evident in the case of the less prominent problems, not shown here.