Employees know better, but still behave badly
The risky behaviors included viewing adult content on work devices, opening emails from unknown senders, downloading apps from outside the official app stores, installed new applications without IT approval, used social media for personal reasons, or used their personal mobile devices for work.
In a survey of 1,580 respondents, only 20 percent said they've never engaged in these behaviors, according to a new study from UK-based technology market research firm Vanson Bourne.
"We're not seeing any changes in the way the average person makes risk choices," said Hugh Thompson, CTO at Blue Coat Systems, a cloud computing security vendor and the company that sponsored the study. "I don't think we'll be able to educate our way out of this problem."
Ironically, employees working in the IT sector were among the worst offenders, with only 12 percent saying that they had not engaged in any of these risky behaviors, second only to charity and non-profit employees, at 5 percent.
Meanwhile, IT employees had above-average scores for being aware of the risks of these behaviors.
The highest level of awareness, overall, had to do with opening attachments from unknown sources and viewing adult content on work devices. On average, 73 percent of respondents rated each of these behaviors it was risky or seriously risky.
Only 2 percent said that opening attachments from unknown senders posted no risks, and only 3 percent said the same about adult content.
However, 20 percent admitted to opening those attachments, and 6 percent to viewing adult content at work.
In other results, 65 percent of respondents knew that using unsanctioned applications was risky or seriously risky, 62 percent said the same for downloading apps from third-party app stores, 55 percent for clicking on video links on social media sites, 46 percent for using social media for personal reasons at work, and 40 percent for using personal mobile devices for work.
However, 26 percent installed unsanctioned applications, 23 percent downloaded risky apps, 31 percent clicked on video links, 41 percent used social media, and 51 percent used personal devices at work.
"I think that in my heart, I have a fundamental belief in education," said Thompson. "That when people know, they'll change behavior. It's weird to see how people approach risks. There's a massive amount of recidivism despite education."
Thompson suggested that companies put mechanisms in place to remind employees of the risks, or to mitigate the risks if behaviors still happen.
"We have to get pretty good in the security industry and the technology industry at creating compensating controls for protecting people behind the scenes," he said.
He also suggested that companies look for creative ways to signal that a particular behavior is risky.
"This is a rich area of research for the security space," he said.