The comforts of working from home could prove the perfect invitation for cybercriminals.
According to a report from global cybersecurity company Forcepoint, more than half of Australian workers use their corporate devices at home for personal use, and a further 19 per cent allow other members of their household to do the same, exposing companies to increased cybersecurity risk.
The Tiny Crimes report released in August 2021 surveyed 1017 employees.
The research investigated how the shift to working from home has impacted people’s behaviours and attitudes, revealing Australians are using Shadow IT at concerning rates.
In addition to using corporate devices for personal use, half the workers are using personal devices to access their employer’s documents and services while working remotely; 40 per cent use personal email or file-sharing cloud services for work purposes; and 29 per cent use a personal backup device to save corporate data.
Nick Savvides, senior director of strategic business APAC at Forcepoint, says the risks associated with remote working come down to basic cyber hygiene practices such as locking our screens, logging into VPNs and using passwords.
“At home or remotely, there is less workplace pressure to follow processes. You’re no longer in an office or supervised, it’s easy to relax on processes and standards; this gives an ‘in’ to cybercriminals.”
The biggest shadow IT issues arise where people use tools for work, such as laptops and smartphones, that are not authorised by the business.
“Any suspicious unauthorised applications are blocked at work; however, at home they might not have those same protections and security in place.”
With lockdown ending, some employees will head back to the office; however, working from home will continue as an option.
“From a cyber security perspective we have to normalise the combination of working remotely and in the office – it’s here to stay, and we require new technology and policy changes,” adds Savvides.
At the start of lockdown there was a scramble to send everyone home, then figure out security later.
“We can’t go back to the way technology was and maintain the same set of risks conditions and tools and policies of the past. The last thing employers want is a scenario whereby people in the office are better protected than those at home,” he said.
Another study, Cyber Readiness 2021 from Acronis, revealed similar results, which make remote employees attractive targets.
One in four remote employees reported struggling with the lack of IT support as one of the key challenges they faced this year.
The top-three tech challenges identified by remote employees globally were Wi-Fi connectivity, using a VPN and other security measures, along with a lack of IT support.
One in four remote employees are not using multi-factor authentication – making them easy phishing targets, with phishing being the most common attack type in 2021.
Targets are expanding, and it is no longer just Microsoft Windows OS-based workloads. Users reported a spike in attacks against Linux, macOS, Android and iOS devices as well. Attackers are also going after virtualised environments.
To mitigate risk for remote workers, Nick Savvides offers the following advice.
Only use the resources and guidelines given to you from your organisation. “If they don’t meet your needs, let someone at the office know rather than trying to bypass this. Ensure a high degree of caution.
“Everyone always says, I never thought it would happen to me! Without fail, it’s tragic; it can be stressful working from home; with home schooling, online shopping, etc. Drop your guard and it’s easy to slip on processes.”
Watch out for emails with a work-from-home policy. “Criminals can hide behind slick emails, large companies have media exposure and this leaves them open to criminals to use information and email this to employees, be aware and report it quickly.”
What to do to help:
IT and security leaders can:
Prioritise key areas first. Decide which pieces of technology or policies need to change first, as there are competing interests in the transformation of cybersecurity.
Ensure you have good business engagement, as it’s not just a technology problem; otherwise it will be challenging. It’s in everyone’s best interest to keep the organisation, and importantly the customer and client information, safe.
Ensure critical data is defined and adequately protected - remote and flexible working patterns will last far longer than lockdowns.
Rather than focusing on black and white IT usage policies that simply block access, look instead at uncovering the use of shadow IT and setting up new policies where necessary.
Communicate and raise awareness around IT security issues. Invest in more security training and threat detection solutions that help people perform better.
Choose IT training programs which challenge employees and create ongoing learning opportunities.
When possible, provide explicit and easy-to-follow instructions that can help employees take action to protect their home networks.
Business leaders can also:
Ensure that employees are comfortable in their home offices and provide supplementary equipment as needed.
Prioritise and facilitate a healthy work-life balance; consider, for example, regular meeting-free days and supporting time off.
Identify ways, such as anonymous surveys, to tap into employees’ needs, workloads and stress levels, and how they may be impacted by ongoing stress. A person’s physical, mental and environmental state can contribute to whether they can pay attention, remember, and think critically.