By Nic Sarginson, Principal Solutions Engineer, Yubico
The office exodus that is predicted to follow the current pandemic poses a number of challenges for business and team leaders. They will be concerned about maintaining collaborative cultures when teams are dispersed, and in ensuring innovation does not stall or leadership skills diminish. Among their ruminations should be the cybersecurity of an increasingly remote workforce.
In the office, the corporate network is professionally protected. With remote working, employees are using home connections; they may even be accessing applications from coffee shops and other locations. Building a ‘wall’ around the corporate network and protecting everything within it is no longer sufficient.
Recent research into companies in the UK, France and Germany explored cybersecurity in the work-from-anywhere era and reveals some startling insights into the attitudes and practices of employees and business leaders. It’s clear that there is a security gap that needs to be addressed – and it spans workplace culture and attitude, existing authentication deployments, and cybersecurity training.
That’s a significant ‘to do’ list but one that needs urgent attention because cybercrime ultimately hurts business. In fact, the cost of cyberattacks on businesses across the UK is put at £34 billion annually, according to the Centre of Economics and Business Research (CEBR).
To mitigate that risk, companies need clear, comprehensive cybersecurity policies and keep up-to-date with the latest threats and forms of protection. Policies need to be understood across the entire organisation, adhered to and backed by hands-on IT training and support.
Attitudes to cybersecurity
Worryingly, data from the research indicates that, since the start of the pandemic, employees have been engaging in poor cybersecurity practices on work-issued devices. What’s more, in some areas business owners and leaders appear to be the worst culprits. A surprising 44% of business owners and 39% of C-level executives admit to performing personal tasks on work-issued devices every day, while 23% of owners actually use them for illegal streaming or watching TV.
Such blurring of the corporate/personal divide increases the risk of a security breach – a risk that grows further when we consider the workarounds employees use when they log in to work. Over half (54%) of employees use the same passwords across multiple work accounts. If those passwords were to be compromised, unauthorised users could potentially gain access to a whole suite of applications and data.
Adapting to at-home cybersecurity
Unfortunately, the research also shows that enterprises are falling short on the type of cybersecurity practices they should have in place for out-of-office environments.
Many organisations use basic authentication for employees to gain access to work systems and applications, but this should be supplemented with stronger forms of authentication. Usernames and passwords alone at login provide insufficient protection, yet less than a quarter (22%) of respondents to the survey have implemented two-factor authentication (2FA), which requires an additional layer of security before access is granted.
Where authentication protection has been implemented, mobile authentication apps and SMS one-time passcodes (OTPs) are the most popular. While these basic forms of 2FA provide a higher level of protection than a username and password alone, they can be vulnerable to phishing and man-in-the-middle threats: a code is just a short string with no binding to the site it was meant for, so it can be relayed by whoever obtains it. OTPs sent by SMS can also fall victim to ‘SIM-swap’ fraud, or an employee could be tricked into unknowingly handing the code to an adversary.
A hardware-based security key is the strongest form of authentication. It is a physical device employees use when logging in to work applications and systems. Google, having been involved in defining the open standard for strong authentication, uses the technology to protect its own employees and has integrated support for FIDO security keys into the security protections available to Google users. Vendors such as Microsoft, Twitter and even Facebook have adopted FIDO to protect both their users and their own platforms. Keys provide advanced protection and are simple to use, yet only 27% of the research respondents say their company is rolling out keys compliant with the FIDO open authentication standards.
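The difference between a relayed SMS code and a FIDO assertion comes down to what the server can check. The example below is added here and is not code from the article or from Yubico: it models the relying-party side of a FIDO2/WebAuthn login in simplified form. The hostnames `corp.example` and `corp-login.example`, the credential secret and the six-digit code are constructed for the demo, and an HMAC stands in for the security key's per-credential signature (real keys sign with a private key that never leaves the device). The challenge, origin, rpIdHash and signed-data layout follow the standard.

```python
"""Why a security key resists phishing and an SMS OTP does not (simplified model).

Added example, not from the original article. The authenticator's ECDSA/EdDSA
signature is replaced by an HMAC over the same data so the script runs with the
standard library only; the checks the relying party performs are the real ones.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple
from urllib.parse import urlparse

RP_ID = "corp.example"                    # hypothetical relying party identifier
EXPECTED_ORIGIN = "https://corp.example"  # the only origin the RP accepts
CREDENTIAL_SECRET = b"demo-credential-secret"  # constructed stand-in for the key's private key


def issue_challenge() -> bytes:
    """Fresh random challenge per login; stops replay of an old assertion."""
    return secrets.token_bytes(32)


def authenticator_sign(origin: str, challenge: bytes) -> Dict[str, bytes]:
    """What browser + security key produce when a page at `origin` asks for a login.

    The browser, not the user, stamps the page's origin into clientDataJSON and
    scopes the rpId to that origin's host, so a look-alike site gets its own values.
    """
    rp_id = urlparse(origin).hostname
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": origin,
    }).encode()
    flags = b"\x01"                      # user-presence bit (the touch on the key)
    counter = (1).to_bytes(4, "big")     # signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()  # simplification
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def verify_assertion(assertion: Dict[str, bytes], challenge: bytes) -> Tuple[bool, str]:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), challenge.hex()):
        return False, "challenge mismatch (replay or stale login)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %s" % cd.get("origin")
    auth_data = assertion["auth_data"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    signed = auth_data + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()  # simplification
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"


def verify_sms_otp(expected_code: str, submitted_code: str) -> bool:
    """An SMS OTP carries no origin or challenge: whoever submits the digits inside
    the validity window is accepted, which is the relay risk described above."""
    return hmac.compare_digest(expected_code, submitted_code)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Legitimate login, a relay through a look-alike page, and a replay."""
    ch = issue_challenge()
    legit = verify_assertion(authenticator_sign("https://corp.example", ch), ch)
    # Constructed phishing page relays the genuine challenge, but the browser
    # stamps the phishing origin and rpId, so the RP rejects the assertion
    # (in reality the key would not even find a credential for that rpId).
    phished = verify_assertion(authenticator_sign("https://corp-login.example", ch), ch)
    # The same assertion re-sent against a new login attempt fails the challenge check.
    replay = verify_assertion(authenticator_sign("https://corp.example", ch), issue_challenge())
    return {"legit": legit, "phished": phished, "replay": replay}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-8s accepted=%s (%s)" % (name, ok, why))
    # Constructed code: the relayed OTP is indistinguishable from the real user's.
    print("sms_otp relayed accepted=%s" % verify_sms_otp("492317", "492317"))
```

The point for a defender is that the origin and rpIdHash checks are enforced by the browser and the key, not by user judgement: a user who types a code into a convincing fake page has nothing comparable protecting them, which is why the article ranks keys above app- and SMS-based OTPs.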
Employee training and support
Clearly there is more to do to improve cybersecurity practices, and the same can be said for employee training and support. A year after the pandemic began, 37% of employees have yet to receive cybersecurity training for working from home. Additionally, the same percentage say they feel more supported by IT.
It appears there is a disconnect between the technology support that is available and employees’ willingness to engage with it. Over half (51%) admitted to trying to solve IT problems on their own rather than contacting the relevant department, and, worryingly, 40% of respondents wouldn’t immediately report having clicked on a suspicious link.
Such behaviour risks reducing the IT team’s ability to carry out its duties and to take quick action in the event of a threat to the corporate IT infrastructure.
Remote and hybrid office/home working policies have big implications for corporate cybersecurity. Out-of-office employees engaging in poor cybersecurity practices open up the organisation to an increased level of risk. Cyberthreats have only increased this past year and have the potential to cause significant financial and reputational damage to businesses.