What do users and IT have in common? They’re both to blame for poor remote security practices

0 Comments

One in four remote workers reuses work credentials on consumer sites, but IT isn’t doing them any favors by reportedly failing to provide essential protection while away from the office.

cybersecurity

Image: iStockphoto/Metamorworks

Remote work has proliferated since the beginning of the COVID-19 pandemic, but nearly a year in cybersecurity hasn’t caught up, leaving businesses incredibly vulnerable. The thing is, IT software company Ivanti found, it isn’t just end users to blame for the shortcomings. 

More about cybersecurity

SEE: Identity theft protection policy (TechRepublic Premium)

Ivanti’s 2021 Secure Consumer Cyber Report surveyed 2,000 remote workers in the U.S. and U.K. in November 2020, and while all survey respondents said they were using company-owned hardware they still reported taking risks that could lead to major security breaches.

One in four U.S. respondents, and one in five from the U.K., reported using their work email or password to log in to consumer sites or applications. 

“Given the increase in data breaches of consumer-based companies and online communities, it is very likely that enterprise email and passwords are already exposed on the Dark Web,” said Ivanti CSO Phil Richards

“The FBI issued a warning about an increase in credential stuffing attacks in September 2020 and yet consumers are still using work emails and passwords to log in to consumer apps and websites, putting the enterprise at significant risk of a credential stuffing attack,” Richards said. 

In addition to reusing work credentials for consumer purposes, 49% of U.S. respondents and 39% from the U.K. reported being allowed to access company assets from personally owned devices. Combine the use of unsecured devices with recycled business credentials and the likelihood of a breach grows.

The report also found that nearly half of respondents from both the U.S. and U.K. (48% and 47%, respectively) have IoT or smart devices on their home networks that don’t have two-factor authentication enabled. Compromised IoT devices give an attacker a foothold on a network, “which could have serious security ramifications on both the individual and the enterprise,” Ivanti said.

Consumers, the report concludes, need to be sure they’re practicing good habits, like not recycling business usernames or passwords for personal use, ensuring all smart devices on home networks are secured, and setting up firm boundaries between work and personal hardware and their uses.

Remote workers aren’t solely to blame for the poor state of pandemic-related security: Businesses aren’t doing their part to provide their workers with the tools they need to be secure, respondents said. 

Twenty-eight percent said they “were not required to have specific security software running on their devices to access certain applications while working remotely,” and 24% said their organization doesn’t require regular six-month password updates or the use of one-time password generators. In addition, 30% said their company doesn’t require them to use a secure connection like a VPN when accessing company resources.

This leads to the inevitable question of what businesses can do to protect themselves when remote work is likely to be the new normal and bad habits among users aren’t likely to go away. The solution that Ivanti proposes is zero-trust security.

“Companies across all industries must implement a zero-trust model to ensure that entities accessing corporate information, applications, or networks are valid and not using stolen credentials,” said Richards.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Under zero trust, a user’s device is restricted to only what portions of the network they need in order to do their jobs, and connected devices are always assumed to be dangerous. Proving a node is safe once doesn’t mean it’s safe in a few minutes, and everything a user’s machine does is closely scrutinized and constantly checked for suspicious activity.

“By implementing a zero-trust security strategy that seeks to verify every user, device, app, and network before granting access to business resources, CISOs ensure employees stay productive and secure, wherever they work,” the report said.

Also see