More than half of UK employees working remotely use unmanaged personal devices to access corporate systems, a new study of IT professionals and remote office workers has found.
The survey found that 60 percent of remote employees use unmanaged, insecure “BYOD” devices to access corporate systems. Some 57 percent of employees have adopted communication tools such as Zoom and Microsoft Teams, the subject of widely reported security flaws.
The analysis comes from the CyberArk Remote Work survey, which was conducted in late April 2020 by an independent research agency with responses from 600 IT professionals and remote office workers in the UK.
Speaking to SC Media UK, Rich Turner, SVP EMEA, CyberArk, said: “Enterprises often fall into the trap of trying to protect everything via a perimeter-based approach. This overlooks the twin realities of an attacker only needing to get lucky once and - in an era of mass remote working, the cloud, automation and DevOps - the traditional perimeter being either too large to defend or no longer exists.
“Forward-thinking organisations identify the critical data and assets that security policy should focus on, restricting access to them to only the people, applications and services that need them to perform their role, and constantly review security policy to prevent ‘privilege creep’.
“The latter is the phenomenon whereby, for instance, as employees with high-level access leave the company, their privileged access is not revoked. This means their credentials remain in the infrastructure, unmanaged and unsecured. These represent a valuable resource for attackers seeking to access critical data and assets.”
And the risks to corporate security become even higher when it comes to working parents, the study found.
This group have had to rapidly convert to dual roles of full-time teachers, caregivers and playmates amid the Covid-19 crisis.
It is here that convenience appears to outweigh good cybersecurity practices when it comes to working from home.
- 57 percent insecurely save passwords in browsers on their corporate devices
- 89 percent reuse passwords across applications and devices
- 21 percent admitted that they allow other members of their household to use their corporate devices for activities like schoolwork, gaming and shopping.
Work from home security policies
The study found that while 91 percent of IT teams are confident in their ability to secure the new remote workforce, more than half (57 percent) have not increased their security protocols despite a big change in the way employees connect to corporate systems.
The rush for new applications and services that enable remote work combined with insecure connections and the dangerous security practices of employees have “significantly widened the attack surface”, and security strategies need to be updated to match this new dynamic threat landscape, the report concluded.
This is especially true when it comes to securing privileged credentials of remote workers that could open the door to an organisation’s most critical systems and resources.
Turner said that major socio-economic events have always led to a sharp uptake in cyber incidents, and pointed out that the World Health Organisation (WHO) warned of an exponential increase in attacks due to the global and unprecedented nature of the ongoing health crisis, and its transformative impact on the way we work.
He added: “Responsibility for security needs to be split between employees and employers. As more UK organisations extend remote work for the longer term, employees must be vigilant.”
It means constantly updating and never re-using passwords, verifying operating systems and application software are up to date, and making sure work and communication only take place on approved devices, applications and collaboration tools.
“Simultaneously, businesses must constantly review their security policies to ensure employees only have access to the critical data and systems they need to do their work, and no more,” he added.
“Decreasing exposure is critical in the context of an expanded attack surface.”
With an increase in the use of collaboration tools and home networks for professional purposes, best-practice security is “struggling to keep pace with the need for convenience” leaving businesses vulnerable, Turner said.