Since the pandemic, one in five organizations has faced a security breach linked to remote workers. That’s according to new research from Internet security giant, Malwarebytes.
It might have been forced upon us, but, in terms of productivity, it seems that most businesses have adapted to working from home (WFH) pretty well. In fact, according to a separate survey, 9 in 10 CEOs think it will be a permanent feature within their firms.
But, as Malwarebytes highlights, lots of businesses still need to address the additional risks posed by WFH, and make sure newly remote workers are schooled in cyber security best practice.
Here’s a closer look at the report findings…
-The report is titled, Enduring from home: COVID-19’s impact on business security. You can access it here. It’s based on a survey of more than 200 managers and executives in IT and cyber security roles across the US.
-Since the pandemic, 20% of respondents had faced a security breach as a result of a remote worker.
-Almost a quarter (24%) had to pay unexpected expenses to deal with a cybersecurity breach or malware attack following lockdown.
-18% of respondents admitted that cybersecurity was not a priority for their employees. 5% admitted that their employees were oblivious to security best practices and posed a real security risk.
WFH security readiness: misplaced
In total, 70% of businesses switched at least 61% of their workforce to a WFH model as a result of the lockdown.
Just how well were businesses able to manage the rapid transition to home working? When asked to rate their preparedness out of ten, three quarters of managers gave their organizations a score of seven or above.
But when you get down to security specifics, the report suggests that many businesses were less prepared than they thought. Malwarebytes director, Adam Kujawa refers to this as “security hubris”: i.e. where confidence in your security tools simply does not match the protective capabilities those tools provide.
Even where they had been given a laptop or phone by their employer, just over a quarter of respondents admitted using personal devices for work-related activities more than their work device.
As more phones, laptops and other devices are introduced to an organization’s network, the challenge of ensuring data security increases. As Data Guardian highlighted recently, 50% of companies that had a ‘bring your own device’ (BYOD) policy in play were breached via employee-owned devices.
Ideally, your device usage policy should covering the following:
- Acceptable usage: setting out what activities can be carried out, what can be accessed and downloaded on works devices (and also on personal devices if staff are permitted to use them for works purposes).
- Minimum spec for hardware and software.
- Mobile device management (MDM): this type of software allows you to secure, monitor, apply antivirus measures and update the devices that are in play across a scattered network.
The report suggests that 61% of businesses issued devices to their staff to enable remote working. However, in 65% of cases, businesses did not deploy an updated antivirus solution for those same devices.
In 61% of cases, businesses did not urge employees to use antivirus on the personal devices being used for work purposes.
According to Malwarebytes, “Many organizations failed to understand the gaps in their cybersecurity plans when transitioning to a remote workforce, experiencing a breach as a result”. This is also known as the Dunning-Kruger effect which is a is a cognitive bias in which people wrongly overestimate their knowledge or ability in a specific area. This tends to occur because a lack of self-awareness prevents them from accurately assessing their own skills and risks.
Software: security and privacy analyses
New ways of working usually means having to adopt additional tech, especially when it comes to collaboration and communications tools. As an illustration, in the first three months of the year, Zoom’s daily meeting participants surged from 10 million to 200 million.
Before putting new technology to work within your organization, you should thoroughly vet its reputation and suitability. You also need to make sure it’s properly configured and patched so that any backdoor vulnerabilities are closed off.
But in the rushed transition to WFH, it seems that these essentials were easily forgotten about. In fact, according to Malwarebytes, 45% of organizations did not perform security and online privacy analyses of software tools deemed necessary for the shift to home working.
Security-wise, it appears that when the lockdown hit, lots of workers were sent home with a company laptop and left to get on with it, with little or no guidance.
In 44% of organizations, employees were not provided with security training that focused on the specific threats linked to WFH. This included the basics like home network security and ensuring that devices were not left in the reach of non-authorized users.
Cybercriminals have been quick to take advantage of the security gaps linked to WFH. These include improperly secured VPNs, cloud-based services and business email.
Criminals have also capitalized on COVID-19 upheaval to target businesses with phishing emails. These emails tend to contain malware that’s available to buy over the Dark Web (e.g. AveMaria and NetWiredRC). Once launched, this type of code opens the door to a host of nasty stuff, including remote desktop access, webcam control and password theft.
Detected instances of AveMaria usage went up 1200% from January to April 2020. NetwiredRC detections jumped 99% from January to June.