What’s good for business is often bad for security. That’s the inescapable conclusion of the 1Password State of Enterprise Security Report this year.
Here’s the backdrop, and it should be familiar by now: Work has, slowly and then all of a sudden, expanded. No longer confined to the office ecosystem, work happens in coffee shops and at home and at the airport, on company-provided laptops and the shared computer in the living room, on the family iPad and the phones in our pockets.
All that work leaves a residue of (often sensitive) data as it flows through managed apps like the company productivity suite and unsanctioned apps like the file-sharing service that a handful of people use, unbeknownst to IT.
With the explosion in the number of apps used for work, it’s a good time for employee productivity, and artificial intelligence (AI) has entered the picture to boost output even further. But IT and security teams are struggling to keep up, especially when they’re constrained by limited resources.
In the 1Password report, Balancing act: Security and productivity in the age of AI, we surveyed 1,500 white-collar employees in North America, including 500 security professionals. What emerged from our findings is a tension between productivity and security that has taken on a new urgency.
Let’s start with the growing pressure on employees to be productive.
Risk management suffers in the race for peak productivity
More than a third of workers (34%) use unapproved apps or tools to get things done. This is shadow IT, and its use won’t come as a surprise to security professionals.
But the scale of the problem might. Of that 34% who use shadow IT, each employee uses an average of five unapproved apps or tools. In a company of just 300 employees, that’s more than 500 potential new threat vectors.
The problem is most pronounced in the tech industry, with nearly half of employees saying they use shadow IT, compared to 40% of employees in finance, 27% in healthcare, and 19% in education.
Security teams are trying to keep up. 92% of security pros say their company requires IT to approve software that’s used for work. But 59% say they have no control over whether employees follow those information security policies.
That visibility is more achievable if employees use only work-provided devices, which 84% of companies say they require of their employees.
But 17% of employees say they never work on a company-provided device, using only personal or public computers for work instead.
Security teams struggle to adapt to a new threat landscape
More than two-thirds (69%) of security pros say they’re at least partly reactive in terms of security risk mitigation. That’s because they’re either pulled in too many directions (61%), don’t have the necessary budget (24%), or are understaffed (21%), among other reasons.
As a result, security teams are worried. When asked what keeps them up at night, 79% of security pros listed inadequate security protections. Among their top concerns: external threats like phishing or ransomware (36%), internal threats like shadow IT (36%), and human error (35%).
Phishing scams, ransomware attacks, and a patchwork system give our security team heartburn. They’re the tireless ninjas keeping the bad guys out, so next time you see them, offer a coffee (or a medal). We’re in this digital battle together.” – IT Security VP, tech hardware company
Focus on productivity opens the door to cybersecurity threats
Understandably, productivity is top of mind for employees. Unsurprisingly, in the pursuit of productivity, security suffers. 54% admit to being lax about their company’s data security policies, with 24% of those saying they’re just trying to get things done quickly.
Despite the well-known vulnerabilities associated with weak or reused passwords, 61% of employees (64% of managers and 53% of non-managers) confess to poor password habits, which increase the risk of data breaches. And half of employees say they slipped up on security in the past year, for example by clicking a link in a suspicious email or sharing credentials for work with people outside the company, making companies more vulnerable to a cyberattack.
This is a scenario seemingly tailor-made for AI to deepen the tension between security and productivity. 57% of employees say using generative AI applications makes them more productive.
But a full 92% of security pros have security concerns about AI security, citing employees entering sensitive data into the tools, using AI systems that were trained with bad data, or falling for cybercriminals’ increasingly sophisticated phishing attempts powered by AI.
Download the 1Password State of Enterprise Security Report 2024
The delicate balance between productivity and security isn’t new, but the conditions leading to a potential breaking point are. While security teams are struggling to reduce the risk of cybersecurity incidents as workplace habits shift, employees are likewise singularly focused on the pursuit of productivity. Old concerns like the security of authentication methods haven’t gone anywhere, while new concerns only complicate matters.
We’ve only scratched the surface of this year’s report. Download 1Password’s State of Enterprise Security Report for the full breakdown.
Tweet about this post