Threat Labs Risky Business: How COVID-19 changed user behavior
Sep 10 2020

The COVID-19 pandemic caused an abrupt change — a sudden and lasting shift to remote work for the majority of knowledge workers. The number of people working remotely more than doubled in the span of a few weeks. Among the many challenges that security organizations faced during this transition was a change in user behavior. The behavior profile of a user working from home (and also working alongside all the other members of their household) is a stark contrast to the profile of the same user working from the office. Managed devices are now being used for more personal web browsing, which includes a 600% increase in visits to pornographic websites. Managed devices are also being shared among members of the household, evidenced by a 450% increase in education app usage aligned with the beginning of the school year. This post highlights the increase in personal usage of managed devices, risky web browsing, and device sharing to support remote learning.

Personal Usage

Those who switched from working in an office to working from home during the COVID-19 pandemic found once well-defined lines between work and personal life suddenly blurred. Along with this blurring of lines came a change in browsing habits: a doubling of the amount of personal browsing on managed devices.

Figure 1 shows the trend in personal browsing habits for the first half of 2020. It shows the daily total number of visits to websites and cloud apps in the top 5 personal categories, normalized by the number of daily active users on the Netskope Security Cloud platform and displayed as a percentage of their median pre-pandemic levels. Overall, the amount of personal web browsing doubled, led by an increase in visits to “Consumer” and “Streaming & Downloadable Video” websites and cloud apps. 

Figure 1. Personal web browsing and app usage doubles during COVID-19 pandemic
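
The normalization described for Figure 1, as an added example that is not Netskope's code: daily visits per category are divided by daily active users and expressed as a percentage of the pre-pandemic median. The rows are constructed, and the 2020-03-11 baseline cut-off (the WHO pandemic declaration) is an assumption, since the post does not state the cut-off it used.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Assumption: the baseline window ends at the WHO pandemic declaration.
BASELINE_END = date(2020, 3, 11)

# Constructed sample rows: (day, category, visits, daily_active_users).
# The active-user count varies, so raw visit totals are not comparable.
SAMPLE = [
    (date(2020, 2, 3), "Consumer", 1000, 500),
    (date(2020, 2, 4), "Consumer", 1100, 500),
    (date(2020, 2, 5), "Consumer", 1800, 1000),
    (date(2020, 4, 6), "Consumer", 4000, 1000),
    (date(2020, 4, 7), "Consumer", 2100, 500),
    (date(2020, 2, 3), "Gambling", 50, 500),
    (date(2020, 2, 4), "Gambling", 50, 500),
    (date(2020, 4, 6), "Gambling", 300, 1000),
    (date(2020, 4, 6), "Weapons", 10, 1000),  # no pre-pandemic data
]


def percent_of_baseline(rows, baseline_end=BASELINE_END):
    """Return {category: {day: visits per user as % of baseline median}}."""
    per_user = defaultdict(dict)
    for day, category, visits, dau in rows:
        if dau <= 0:
            continue  # a day without active users cannot be normalized
        per_user[category][day] = visits / dau

    result = {}
    for category, series in per_user.items():
        baseline = [v for d, v in series.items() if d < baseline_end]
        if not baseline or median(baseline) == 0:
            continue  # no reference level: a percentage would be undefined
        ref = median(baseline)
        result[category] = {
            d: round(100 * v / ref, 1) for d, v in sorted(series.items())
        }
    return result


if __name__ == "__main__":
    for category, series in percent_of_baseline(SAMPLE).items():
        for day, pct in series.items():
            print(f"{category:10} {day} {pct:6.1f}%")
```

In the sample, 6 April has almost twice the raw "Consumer" visits of 7 April, yet both days land near 200% of baseline once divided by active users.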

“Other” represents additional personal categories of websites and cloud apps, including:

  • Abortion
  • Alcohol
  • Arts
  • Automotive
  • Dating
  • Education 
  • Entertainment
  • Fashion
  • Financial Aid & Scholarships
  • Financial News
  • Forums
  • Games
  • Insurance
  • Job Search/Careers
  • Kids
  • News & Media
  • Pets
  • Tobacco
  • Weapons

Risky Usage

While the amount of personal browsing doubled, the amount of browsing to certain risky categories of websites and apps tripled. Figure 2 shows a breakdown of the top risky categories, led by increases in “Gambling” and “Adult Content”.  Percentage increases in certain categories were even larger, with the number of visits to “Adult Content – Pornography” increasing 6-fold during the pandemic.

Figure 2. Risky web browsing and app usage triples during COVID-19 pandemic

The risks associated with websites and cloud apps in these categories are typically easy to mitigate: organizations block them because their use is a violation of their Acceptable Use Policy (AUP). However, this is not always the case. Many of the malicious threats that the Netskope Security Cloud platform detects and blocks are hosted on websites that aren’t in these traditionally risky categories. For example, we detect more malicious content in “Personal Sites & Blogs” than in any other category. Traffic to this category doubled during the pandemic — as shown in Figure 3 —  increasing the risk of exposure to potentially malicious content. This underscores the importance of inspecting web traffic for malicious content.

Figure 3. Visits to “Personal Sites & Blogs” double during COVID-19 pandemic

Device Sharing

The usage of “Education” apps increased 450% at the beginning of the school year, indicating that managed devices are being shared to support remote learning in the home. Figure 4 shows the increase in usage of “Education” apps from the beginning of August 2019 through the end of August 2020. Compared to the average usage from August 2019, the amount of “Education” app usage tripled after the pandemic declaration, slowed over the summer, and has increased to 4.5x at the end of August 2020 as students return to school. Most popular in this family of apps is Google Classroom, the primary driving force behind the increase.

Figure 4. Education app usage increases 3x at the beginning of the pandemic and spikes again at the beginning of the 2020/2021 school year

Data Analysis

The analysis presented in this blog post is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization.

Conclusions

The COVID-19 pandemic caused many knowledge workers to work from home alongside other members of their households. This caused a dramatic change in user behavior that included a doubling in personal device usage, a tripling of visits to risky apps and websites, and increased sharing of managed devices within the household. This is the second installment in a series of blogs covering the effects of COVID-19 on knowledge workers. The first installment covered geographic differences in remote work numbers. For more about recent trends in cloud adoption and security threats from the first half of 2020, please refer to our August 2020 Cloud and Threat Report.

About the author
Ray is the Director of Netskope Threat Labs, which specializes in cloud-focused threat research. His background is in software anti-tamper, malware detection and classification, cloud security, sequential detection, and machine learning.