Malwarebytes has released Enduring from Home: COVID-19’s Impact on Business Security. The report surveyed 200 IT and cybersecurity decision-makers across different sizes of business to look at the impact of work from home (WFH). It also uses data from Malwarebytes' own telemetry gathered from installations of its software.
The results are not good news for businesses. They show that 20% of companies experienced a breach since widespread WFH started. There has also been an increase in the costs associated with dealing with those breaches. Almost a quarter (24%) of respondents had to pay unexpected expenses to deal with a breach or malware attack.
Marcin Kleczynski, CEO and co-founder of Malwarebytes, said: “Our fundamental shift to working remotely has dramatically underscored the need for comprehensive security, as well as IT guidance and training to avoid breaches. Many organizations failed to understand the gaps in their cybersecurity plans when transitioning to a remote workforce, experiencing a breach as a result.
“The use of more, often unauthorized, devices has exposed the critical need for not just a complete, layered security stack, but new policies to address work from home environments. Businesses have never been more at risk and hackers are taking notice.”
Key numbers from the report
The key numbers from the report show that WFH issues were more than just a failure of process and technology. Employees did not take cybersecurity seriously and continued to use personal devices even when issued with company equipment.
Key numbers include:
- 24% paid unexpected expenses to address breaches and attacks post-lockdown
- 20% of companies faced security breaches caused by remote workers
- 18% said employees did not see cybersecurity as a priority
- 5% reported employees were a security risk and oblivious to security best practice
- 44% did not provide training to staff on the risks of WFH
- 45% failed to do security and privacy assessments of software tools used to transition to WFH
- 61% of employers provided staff with devices to WFH
- 65% did not deploy an antivirus solution for those devices
- 61% did not urge employees to use antivirus on personal devices.
Importantly, the numbers show that both businesses and employees have to accept their own part in security failures. It is hard to understand why employers would not install security solutions on devices that were issued to staff. It is just as hard to understand why they didn’t provide these for free, or urge staff to get security for their own devices.
What is not clear is why staff continued to use their own devices once provided with work devices. It may be that these were configured too tightly. Employees at an accountancy firm told Enterprise Times that they couldn’t print from their work computers. It meant that they were restricted to working on a laptop monitor which made it hard to do their jobs. Employees in other businesses will likely have similar stories.
Managers and C-Suite think they did well
WFH came as a shock to businesses around the world. Some were able to adapt their working processes to deal with remote workers, while others struggled. What is interesting in this report is that almost a quarter of respondents rated their business as 8/10 when it comes to preparedness. Surprisingly, over 73% gave their business a score of 7/10 or higher.
These numbers seem high, especially given the surge in phishing and malware attacks against employees who WFH. The number of reported incidents has also surged in the last five months, many of them serious. When this is coupled with the additional costs incurred to deal with incidents, it makes the satisfaction ratings seem even stranger.
Employees were more aware of risk than expected
One surprising set of statistics in this report is that around employee awareness of cybersecurity best practice. The vast majority thought their staff were well aware of what they needed to do in terms of cybersecurity. The top 17.3% were not only acutely aware of cybersecurity but were very mindful of the risk. The problem 17% included 11.9% who had some awareness, while 5.4% were both oblivious and behaved in a risky manner.
Importantly, organisations did provide training (55.4%) to their staff on how to work securely from home. Almost half (45.5%) also invested in the right cybersecurity tools to support employees at home.
Did IT fail the business?
A closer look at the results suggests either confusion in the survey or a problem with the results. Here are some examples:
53.5% say that they set up work or personal devices with new software to help employees do their jobs. Yet 65% say they did not install security software on those devices. Does that mean security is not a requirement for staff?
61% say they did not remind employees about the need for security on personal devices used for WFH. Yet 45.5% claim they did find the right cybersecurity tools to support employees at home. Additionally, why did the cybersecurity training that 55.4% reported providing not focus on the need for security software on both corporate and personal devices?
Enterprise Times: What does this mean?
Many security reports have shown that in the early stages of WFH, cybersecurity teams were refocused to support IT departments. Many spent time on help desks to assist employees in setting up for remote working. It led to concerns that organisations may have missed attacks because the staff were busy elsewhere. At the same time, organisations have admitted that they were unprepared for the change to working practices that WFH brought.
This report is, in some ways, an outlier. It shows a very high internal satisfaction level from management as to how they have done so far. It also exposes a disconnect in what organisations claim to have done to ensure employees stay secure. What is needed is a larger pool of respondents and more insight into those areas where the numbers clash.
Importantly, it shows that processes across the business also need to be rigorously reviewed for the future. Remote working is no longer something granted to a few privileged staff. It is now likely to be the norm for a lot of office-based roles. How those employees are trained and how equipment is provisioned for them need to be looked at carefully. The use of personal devices will become increasingly commonplace, and that alone means training and the software used by staff require an overhaul.