Two-fifths of firms have sacked staff for cybersecurity breaches during Covid, poll shows

Experts urge employers to refresh their policies and practices in line with increased levels of home working

Almost two-fifths of business decision-makers (39 per cent) have dismissed employees because of a cybersecurity policy breach since the pandemic began, a survey has found.

The research, conducted by Censuswide on behalf of Centrify, polled 200 UK business decision-makers and found more than half (58 per cent) of firms believed that working from home made employees more likely to circumvent security protocols – including through the use of personal laptops and failing to change passwords.

To combat poor employee security practices, more than half (55 per cent) of those surveyed had banned, or planned to ban, staff from using personal devices to work from home. 

Meanwhile, 57 per cent were implementing more measures to securely authenticate employees, including biometric data checks such as fingerprint and facial recognition technology, and multi-factor authentication steps to access certain files, applications and accounts.

The poll found that almost two-thirds (65 per cent) had made substantial changes to their cybersecurity policies in response to breaches and to Covid-19.

Commenting on the findings, Kirsty Rogers, employment partner at DWF, said it was imperative employers revisited their data security protocols in light of widespread home working.

Get more HR and employment law news like this delivered straight to your inbox every day – sign up to People Management’s PM Daily newsletter

“There is no doubt that extra precautions must be put in place now that workforces are working remotely,” Rogers said. “Before the pandemic, [employers allowing] working from home or more flexible working had systems in place to ensure that employees working outside of the office had added protections in terms of data security and expected conduct.”

Employers need to communicate that the same principles of data protection apply at home as in the office, including that a breach could lead to severe disciplinary action, Rogers added. “The importance of securing data and directing employees accordingly cannot be underestimated as the employer could find themselves responsible for significant data breaches if they have not taken appropriate steps to protect it,” she said.

Suzanne Hurndall, relationship director at HR Inspire, added it was the company's responsibility to arm itself with tools to prevent these breaches before they occurred, and that any breach should be dealt with immediately. 

“Prudent companies should move to restore confidence, repair reputations and prevent further abuses by revisiting their internal processes and policies and ensuring that these are well communicated, easily visible and accessible to all employees no matter their place of work,” said Hurndall. “Companies are also strongly advised to refresh their IT policy to ensure it’s in line with remote working.”

Separately, a report by recruitment firm Robert Walters has found that up to 65,000 cyber attacks take place on UK SMEs every day, with 4,500 successful. The report, Cybersecurity: Building Business Resilience, found that almost half (48 per cent) of UK companies admitted to not having adequate cybersecurity provision to maintain a fully remote working model.

Stewart Room, global head of data protection, privacy and cybersecurity at DWF, said the threat of a data breach may not have been at the top of company boards’ agendas when lockdown was announced, but there were now a “range of factors that [made] a data breach more likely”. 

“One of the strongest safeguards against a data breach is people conforming to social expectations. Most people wouldn’t steal from a shop if their friends or colleagues could see them do it. Most still wouldn’t if nobody was looking – but a few would. It is the same with data. With people no longer sitting alongside colleagues all day every day, these controls are removed,” said Room. 

He added that an increased threat was employees acting out of dissatisfaction with being furloughed or made redundant: “When you add pressures such as health anxieties, caring responsibilities or job insecurity, some people will face a mental strain that could lead to actions they wouldn’t usually consider.”