It’s often said that employees are the weakest link in the corporate cybersecurity chain. This would certainly explain why phishing attacks have become the number one threat vector for cyber-attacks. During the COVID-19 crisis, organizations have arguably become more exposed than ever to the potentially insecure user behavior of their remote workers.
This is partly because, given the large numbers of home workers involved, many may not have the luxury of using a corporate laptop. Personal equipment could be less well secured, while the home environment may feature more distractions than the office. What’s more, stretched IT management teams and budgets mean those that do have a security-related problem may not get the support they normally would.
No two employees are the same
This is a concern. So how concerned do we need to be about our employees? A recent global study by Trend Micro based on the responses of over 13,000 remote workers in 27 countries highlights where best practice is occurring, and where things may be going wrong. With over three-quarters (78%) more respondents working from home during the pandemic, IT and business leaders need to know where the risks are, so they can take concrete steps to address them.
In doing so, they must also remember that no two employees are the same. We worked with independent cyberpsychology expert Dr Linda K. Kaye to look at the results of the study and found that there are actually four distinct personas in every organization. Understanding these will help to inform more effective staff cyber security training and awareness, although technology controls are also an essential part of any security strategy.
The first bit of good news is that, despite working in physical isolation from colleagues and managers, an overwhelming number of employees (72%) said they have become more security conscious during lockdown, with only 4% claiming to be less so. What does this mean in practice?
It means understanding that approved corporate platforms should be used to send files and recognizing that using a non-work application for company business is a security risk. It’s also about taking instructions from the IT team seriously, as 85% said they do, and agreeing that they have an important responsibility to keep the organization secure.
It’s also about understanding that it’s risky to click on unsolicited emails, even ones promising attractive offers like free cloud storage or faster internet speeds. And knowing never to click on them when using a corporate laptop.
But there’s still a long way to go
Unfortunately, that’s where most of the good news ends. We also found a large amount of poor security practice that could expose organizations to serious cyber-related risks. This included:
Wi-Fi and remote working issues: Nearly two-fifths of respondents said they always or often use public Wi-Fi without using the company VPN, potentially exposing their browsing and passwords to eavesdroppers. A third have even worked on sensitive documents in view of members of the public without using any privacy screen shield, rising to 44% for contractors, 48% for those working in legal roles and 47% for HR professionals.
Exposing work laptops to online threats: Only 20% said they never use their work laptops for personal ends. Over a third do so freely and a further 45% only during business trips. Such activity could mean exposing corporate data to malware found in torrent sites, non-approved app stores, adult content sites, and more.
Personal devices used to access work data: Cyber risk is also multiplied the other way around, when remote workers use potentially less well protected personal devices to access corporate systems. Two-fifths (39%) of respondents said they often or always do so.
Shadow IT and non-work apps: Perhaps even more concerning is the fact that two-fifths (38%) of remote workers have uploaded corporate data to a non-work app. Although these may be legitimate applications, the fact that they are not sanctioned by IT compounds the visibility and control challenges associated with shadow IT.
Fortunately, there’s plenty that organizations can do to mitigate risky employee behavior, even in the context of mass remote working.
IT security managers must combine strict policies on acceptable usage, such as reviewing the corporate BYOD policy and assessing risk based on the sensitivity or criticality of the data, with enhanced education and awareness training. The latter should focus on best-practice security, including how to spot phishing attacks, using practical tasks and real-world simulations to drive behavioral change.
Remote working is set to become the norm long after the current pandemic has receded. Now that the initial rush to support the distributed workforce has subsided, it makes sense to start planning in earnest to mitigate the risks highlighted in this study.
- Bharat Mistry, Principal Security Strategist, Trend Micro.