As people work through another lockdown, it seems that a quarter of people are self-sabotaging their online security. That claim comes from research carried out by identity security company SailPoint. The details are revealed in a report titled The Cybersecurity Pandora’s box of Remote Work.
The survey, which included users from the US, the UK, France, Germany, Australia and New Zealand, shows how lax security is. Passwords are one of the biggest challenges as organisations continue to rely on them. Across the six countries, an average of 22% of users hadn’t changed their password in over a month. Looking further back, in the US, only 14% of users haven’t changed their password in 6 months. For the other five countries, the average was over 43% in the last six months.
Shocked? It gets worse. 18% of computers in the US have no password compared to just over 3% everywhere else.
Juliette Rizkallah, CMO, SailPoint said: “When the pandemic began, businesses had to flip a switch to enable remote work nearly overnight. In this rush, many companies focused on granting access, skipping over the securing of that access. This resulted in an explosion of unsecured technology access across the business.
“You cannot do business today without technology, and you cannot securely use technology without identity security. Companies are recognizing how foundational identity security is to their business as we continue to work from home. Those who had identity security in place were set up for success, while those without strong identity security programs found themselves in an unexpected risk management time crunch.”
Could employers do more?
The answer here is always yes. The most obvious solution is to move away from passwords to more secure forms of authentication. However, that’s a long term goal for many and assumes they have the knowledge, skills and technology to do so. For now, what are businesses doing?
Regular password audits
The use of password audits to detect problems is important. Yet there are widely differing uses of audits. In the US and Australia, password audits are used by 49% and 45% of companies respectively. Elsewhere, the use falls off, with just 12% of companies auditing passwords in France and Germany.
The use of cybersecurity training
Regularly updating employees’ cybersecurity awareness is seen by many organisations as a thankless task. The problem is that most programmes are not properly thought through. But something is better than nothing, right?
Wrong. For it to have any impact, it has to be effective. Simply sending emails to staff about risks is not training. Giving them a once-yearly half-day webinar about the risks of phishing is less than helpful.
Even when companies do deliver some training, it is not regular enough. In this survey, 20% of companies in the US and Australia do some form of regular training for employees. Exactly what sort of training and what regular means is not given in the report. The UK closely follows them at 28%. However, New Zealand (24%), Germany (22%) and France (15%) certainly have much more they can do.
The use of secure access for files and folders
The use of online services, shared computers and collaboration solutions requires a rethink of how data is stored securely. Australia (25%) is the top-ranked country here. The US (13%) is far behind. However, that the figure is so low in every country should be of concern. Data theft has been on the rise during the pandemic. Not providing employees with secure file and folder solutions significantly increases the risk of a breach.
How are employees self-sabotaging their cybersecurity?
There are no surprises here, and the problem is as much rooted in the use of Bring Your Own Device (BYOD) as it is in poor behaviour. Employees no longer use a device for solely work-related activities, even when an employer provides that device. Instead, devices are used for work and personal activities.
- check personal email (64%)
- do online shopping (60%)
- check the news (46%)
- go on social media (38%)
For those with limited access to devices in a family, devices, logins and passwords are shared with family members. Many employees have children needing to do schoolwork from home as schools close. Not everyone has access to enough computers to go around, and that means sharing has to take place.
- 54% of Brits used their employer’s computer/laptop for work
- 25% have been using their personal computers
- 11% borrowed computers from family members or partners to work
Employees often save credentials on the device and especially in the browser when using web apps. It means that any family member could end up accessing work applications and data. It is a significant issue that companies need to deal with.
Adding to that risk is the increase in phishing and email scams. Shared devices mean that even if an employee is careful, other family members could compromise the device.
Should family bubbles become cyber bubbles?
SailPoint believes that it is time for cyber bubbles. These are the same as family bubbles during the pandemic. It means a strict level of control over who accesses a device and what they use that device for. It is, however, easier to call for than to implement. Shared devices are a necessity in many families, be that computers or tablets. To make a cyber bubble work at this level means a different level of education. It also means that employers have to consider the wider security implications for their business.
For example, is it enough to provide access to end-user protection software? Should devices used for work have secure virtual machines? Are employees using VPNs when they connect? How secure are the home broadband and WiFi router the employee uses? In the case of the latter, employees are constantly warned about the risk of public WiFi. However, WiFi at home can also be easily compromised.
According to SailPoint:
- 41% of us use unsecured public WiFi when working.
- 44% use unsecured connections when surfing the web for personal needs.
Additionally, Generation Z and the tail end of millennials (those aged 18-24) are much more carefree about their digital safety. 39% admit to sharing their passwords and compromising their cyber bubbles in other ways.
A need for greater cyber hygiene
Stephen Bradford, SVP EMEA at SailPoint said: “The current level of cyber hygiene is quite worrying. We’d never think of leaving our house door unlocked or inviting a stranger in for a cup of tea. Why do we treat our digital workspaces, both personal and professional, any differently? By easily giving away passwords or inadvertently inviting malicious actors in through unsecure WiFi connections, we are exposing ourselves to serious risk.
“Each of us must ask ourselves, ‘who am I in contact with, and how far can my passwords spread?’ Businesses need to get a grip on the issue now before it spreads by stepping up their cybersecurity defenses and training for staff. As the pressures of work and personal lives in the pandemic test our ability to multitask, existing cybersecurity training and processes typically aren’t enough. Innovative, predictive AI-enabled identity security technology is key to protecting people from making human errors, potentially leading to increased risk of cyberattacks and data leaks. If we aren’t careful, we could be facing a security crisis in the digital world.”
Enterprise Times: What does this mean?
Cyber hygiene is a hot topic at the moment, but it is also a vast and complicated one. While SailPoint is looking at this from a user perspective, there are many other cyber hygiene issues that companies need to address.
Is a cyber bubble the way forward? Possibly, but there are many things that can also be done to improve security. Employees are not deliberately self-sabotaging their cybersecurity. For many, they are just using the technology to get on with life in a difficult time. As the research shows, putting the blame solely on employees is a failed narrative. Employers are doing far too little to help improve security.
That said, where an employer supplies a device, there is no reason why staff should be using it for personal tasks. Employees do not get a free pass here and must take their own share of responsibility.