Steve King, board member at CyberEd.io, discussed a Kaspersky study of CISOs and workers in the United Kingdom that is relevant here.
Staff have engaged in more insecure behavior since they began working from home. Over one third of employees don't understand their employers' security measures, and another third believe security is not important. The first may be due to poor explanations by employers, but the second is inexcusable. 30% of employees have downloaded unauthorized software and connected through a mobile hotspot, bypassing security controls.
For their part, CISOs had a poor relationship with their cybersecurity vendors. They felt the information they received was either not relevant or too complicated to share with employees. More than half said vendors did not understand the threats to their businesses.
To quote a famous movie line, "what we have is a failure to communicate." To start, cybersecurity vendors must understand the risks a business faces and communicate problems and solutions in layman's language. Managers must explain to employees what security practices they are expected to follow, and why those practices matter. Finally, employees must be monitored and corrected if they do not follow safe security practices.