Remote workers are increasingly putting corporate data and systems at risk by failing to follow best practice security, according to new research from Mimecast.

The email security vendor polled over 1000 global respondents working from corporate machines to compile its latest report, Company-issued computers: What are employees really doing with them?

It found a litany of risky behavior: for example, 73% of respondents frequently use their company-issued device for personal matters such as checking webmail (47%), carrying out financial transactions (38%), and online shopping (35%).

It also revealed that, although most (96%) of the respondents said they were aware of the repercussions of clicking through on malicious phishing links, nearly half (45%) open emails they consider to be suspicious.

This is despite the fact that 64% claimed to have received special security training to equip them better for the new normal of working from home.

Nearly half (45%) also admitted to not reporting such emails to their IT security teams.

Michael Madon, senior vice president of awareness training and threat intelligence at Mimecast, argued that corporate efforts to change behaviors are failing.

“With everyone’s home becoming their new office, classroom, and place of residence, it’s not really a surprise that employees are using their company-issued devices for personal use. However, better training is crucial to avoid putting the company at risk,” he added.

“Employees need to be engaged, and training needs to be short, visual, relevant, and include humor to make the message resonate. Awareness training can’t be just another check-the-box activity if you want a security-conscious organization.”

The report’s findings chime with one from Trend Micro earlier this year which found that 39% of remote workers access corporate data on personal devices, and 36% of these devices do not even have basic password protection. It also revealed that half (52%) have IoT devices connected to their home network, which could expose it to additional security risks.