Palo Alto has released The State of Hybrid Workforce Security 2021 report (registration required). It reveals that remote working was prioritised over security, and this is not just a case of employers failing to adhere to the rules. A third of employees circumvented or purposely disabled remote security measures. The result is that organisations are now exposed to significant security risks that require new solutions and approaches.
In a blog, Jason Georgi, Field CTO, Prisma Access / SASE at Palo Alto Networks, wrote: “Based on what we heard in this survey, maintaining comprehensive network security is now your key challenge. If we look at this challenge more closely, 51% of survey respondents stated they have difficulty maintaining comprehensive network security. Perhaps what’s even more concerning is that 61% of respondents noted they struggle to provide the necessary remote security to support work-from-home capabilities.”
In an unattributed comment from one respondent: “We didn’t really have a security posture for remote working. As it expanded, there was a significant security gap – because it’s a whole different world operating remotely than it is operating inside a facility.”
Another comment reads: “Our security technologies were not tuned to provide visibility for such remote access, because the majority of the workforce was [previously] only in the office. Our security technologies were focused on providing visibility in that area and not for remote access.”
The survey by the numbers
3,000 respondents took part in the survey from around the world (1,250 Americas, 1,000 Europe, 750 Asia Pacific). The result is a mix of survey data and qualitative interviews with respondents. What is not clear is how many interviews actually took place. Additionally, the limited number of quotes in the report are all unattributed.
Some of the key statistics from the survey deliver a damning picture of what took place:
- 67% of organisations have seen an increase in helpdesk tickets
- 61% struggled to provide the necessary remote security to support work-from-home capabilities
- 58% have seen increased security incidents
- 53% who prioritised remote access over security are now exposed to significant security risks
- 48% of organisations admitted to compromising security or increasing security risk through lax enforcement of security policies
- 42% have seen unsanctioned application usage
- 35% agreed that employees circumvented or purposely disabled remote security measures
These numbers add up to a significant and ongoing problem for organisations. It will take more than just new technologies or processes to fix these issues.
A breakdown in security culture
One of the most difficult issues to fix is the breakdown in security culture, as evidenced by the willingness of employees to evade security. It is something that organisations have worked to improve, but much of that work seems to have been undone. What is not clear from this report is why those employees chose to circumvent measures.
The report does list what it terms a set of risky remote worker behaviours.
- Using personal devices for work (BYOD)
- Uploading corporate data to unauthorised applications or cloud services
- Circumventing security controls
- Connecting to unsecured networks at home or when travelling
- Lacking cybersecurity awareness training
- Failing to report phishing and other threats
- Sharing confidential files via email
- Not updating security on devices
Looking at that list, some of these are not just down to the employee. Organisations have happily allowed employees to buy their own devices for work (BYOD). It has saved billions in capital expenditure over the last few years. Calling it a risky behaviour by employees is disingenuous and typical of corporate blame-shifting.
The same is true of using email to share confidential files. Very, very few organisations would come through an audit without such activity being found to be standard practice. Even before the mass move to remote working, there were concerns over departments and teams choosing their own cloud apps. Much of this was down to corporate IT departments being slow to provide an authorised alternative.
In reality, therefore, this list shows how both organisations and employees failed, and that risky behaviour is endemic throughout most businesses.
Where do we go from here?
Remote working at much higher levels than pre-Covid is here to stay. 44% of respondents agreed that over half their employees will still be working remotely in 12 months. It means that there is a need to rethink how to secure a hybrid workforce. To achieve that, policies will have to be revisited, reviewed and rewritten for a hybrid workforce.
As one participant commented, “There’s no way on earth that you can have zero home-office working in 2022. That would be just too extreme. It’s just that all of the systems are there, and we kind of developed in that area. So, the planning will be that the home office will be utilised.”
It means that organisations need to rethink their end-to-end security approach. This will give network teams a greater say in security. For many, it means finally rearchitecting the network to accept that the network edge is the employee and not some mythical moat around buildings.
Organisations also need to take a closer look at cloud-based security approaches. Moving security to the cloud is the favoured response from organisations. It has risen from 33% at the peak of Covid-19 to 42% now. Respondents say that within the next 24 months, 71% will have moved more or all of their security into the cloud.
According to the report, there are three broad approaches to developing network and security capabilities:
- Minimal change: 21% made very few changes in both their existing network architecture and security.
- Evolved network: 44% (the highest percentage) channelled their technology investments into improving remote network access while investing relatively little in remote security.
- Evolved network and security: 35% took a more balanced approach and developed more robust remote network access capabilities along with security.
Enterprise Times: What does this mean?
At the start of the Covid-19 lockdown, there were numerous stories of organisations using cybersecurity teams to bolster technical support. It led to multiple warnings over security risks, but for many organisations connecting workers was more important than worrying about security. That is all coming back to haunt businesses that now have to plan for a future where large numbers of workers will not be office-based.
It also raises questions as to why it has taken so long for organisations to act. We are 18 months into this global pandemic, but many businesses are still planning their digital future, as this report shows. Why have they not acted sooner? Why are they blaming risky behaviour such as BYOD and a lack of cybersecurity training on their staff? What will it take for them to accept this is a failure of employers as much as it is employees?
There are good things in this report, but they are few and far between. The need for new hybrid network and security architectures is long overdue. Remote working was on the rise before the pandemic, but support for it was lacking. The report cites 54% of organisations planning to spend more than $5 million on remote security in the next year. However, money alone will not solve this. Without the right policies and processes in place, it will be another money pit delivering limited results.
Remote working must be treated as a first-class working environment. Until companies treat it as such, the security challenges will continue.