Nearly 20% admitted that their work devices have been used by members of their household
In some instances, IT organizations have placed unwarranted trust in their employees, household members and third-party vendors, according to Apricorn’s 2021 Global IT Security Survey. More than 400 IT security practitioners across North America and Europe responded to questions about security practices and policies during remote working conditions over the past 12 months. The findings show that IT security professionals are concerned about the cyber risks brought about by remote work, with 75% putting COVID-centric policies in place, including use of two factor authentication (48%) and encryption of sensitive data (41%).
60% of respondents agree that COVID-induced remote work conditions have created data security issues within their organizations, with 38% noting that data control during the pandemic has been very hard to manage. Even with these data control concerns, nearly 20% admitted that their work devices have been used by other members of their household. This surprising statistic from seasoned IT security professionals highlights that remote work policies can cause employees to relax their security stance when working outside of the office setting.
Almost 70% of respondents want an encrypted USB policy within their organization, but 40% do not have plans to roll out a corporate USB program. Further, a concerning 45% of respondents allow the use of personal USB devices without corporate oversight, leaving it to the employee to decide which device to use, when to use them and for what data. Lack of control over writeable devices connected to corporate systems within the firewall creates a huge opportunity for attack, as evidenced by the fact that corrupted, unencrypted USB sticks are one of the fastest growing methods for malware introduction.
“People can be a huge asset to an organization’s security culture but they need to have the right foundation, which comes from giving them the policies and tools needed to protect corporate data and assets beyond the corporate firewall,” said Kurt Markley, U.S. Managing Director, Apricorn. “This research supports the importance of endpoint hardware encryption, particularly during remote working conditions that will likely continue for many organizations long after this pandemic is over. IT security professionals should have implemented corporate usage policies and provided secure devices that mitigate the inherent risk of a BYoD strategy a year ago. Those who haven’t are extremely late on protecting internal systems from insecure and unmanaged devices, and need to put policies and devices in place immediately.”
The research also showed misplaced trust in third party vendors. Ponemon reports that 53% of organizations have experienced a data breach as a result of a third-party vendor, yet more than a quarter of the Apricorn survey respondents (27%) expressed that they are not concerned about loss of data through third-party vendors and have increased the number of vendors with whom they work. When it comes to storing data in the cloud, respondents are conflicted. While 80% say they have offered a hybrid work option (remote work at least part of the time), a full 25% are not concerned about cloud security even though they have seen an increase in usage from disparate locations. Almost 30% are concerned but have strong processes for managing data stored in the cloud, and nearly 19% have the same concerns but no policies in place about how to store data in the cloud. These responses present conflicting trust issues: those that are over trusting with no concern over the storage of their data, and those that recognize that they should be cautious with the data they entrust to the cloud.
“The third-party vendor findings were a surprise given the large number of high-profile third-party breaches in recent years,” continued Markley. “Misplaced trust is risky. Businesses must strengthen their security posture, consider security policies and processes related to how they handle data, and make policy adjustments inside organizations and within agreements with partners. The use of hardware encrypted USBs and hard drives can be beneficial in these circumstances, providing the ability to securely store data offline and move it between locations securely.”
Additionally, half of respondents (49%) noted that individual employees in their organization do not consider themselves as targets that attackers can use to access company data, illustrating either extreme trust in company security policies (31%) or a naivety about attacker’s interest in individual targets (18%).
“In many cases, successful attacks target employees, so if they are unprepared or untrained, they are a risk,” continued Markley. “For large companies like Ford, CVS Health, and Fidelity Investments who will continue, and even increase remote working practices post-pandemic, employees must understand they are targets and the significant role they play in protecting corporate data and assets. The importance of creating a culture of security, educating users and vendors about security practices, and implementing policies such as end-to-end encryption cannot be overstated for helping organizations remain secure as their operating environments continue to shift.”