When organizations made the decision earlier this year that work-from-home was the new norm during the COVID-19 pandemic, it appears that many considered security an afterthought.
It’s been well-documented that almost as soon as the World Health Organization (WHO) formally declared COVID-19 a pandemic in March, phishing emails and spam attacks increased as fraudsters and cybercriminals attempted to either spread malware or steal credentials.
At the same time, the pandemic forced many organizations to send workers home and have them perform their duties from there—even when many employees didn’t have experience working remotely, or adequate security in place to ensure that they weren’t targeted by attackers looking for easy ways to steal data or infiltrate a large corporate network.
How inadequate was the security response to the WFH shift? A recent survey conducted by IBM Security and polling firm Morning Consult of 2,000 U.S. adults who are now working from home sheds some light on what’s changed—and what CISOs and their security teams need to do to fix this issue.
Survey Reveals Lack of Security
The IBM and Morning Consult study found that 93 percent of those surveyed were confident of their organization’s ability to keep personally identifiable information (PII) secure while working remotely. At the same time, however, 52 percent report that they are using their personal laptops for work—often with no new tools to secure them—and 45 percent haven’t received any new security training.
Digging further into the study, another 61 percent of respondents report that their organizations have not given them new security tools to help protect those laptops and other devices, even though they are now connected to corporate networks that may contain sensitive data. The study also found that 66 percent of respondents have not been provided with new password management guidelines, while 35 percent said that they are still reusing passwords for business accounts.
Charles Henderson, the global managing partner and head of IBM X-Force Red, believes that responses to the survey show that the rush to move workers into home offices meant security considerations were put off.
“The biggest takeaway here is that employees and organizations are not prepared for our new work-from-home normal, and the data shows it's because their employers aren't giving them the resources they need,” Henderson told Dice. “Now, it should also be noted that the reason these resources aren't available is because many organizations were rushed to adopt work from home models.”
He added: “Organizations weren't prepared for this remote shift and are now just starting to rethink the security aspects of it. At the end of the day, keeping the lights on is more important to organizations than security. While security may be a component of keeping the lights on, in 2020, there have been business continuity risks that organizations have just never seen before.”
Beyond Shadow IT
The IBM and Morning Consult survey also calls to mind a term, once out of fashion, that is starting to creep back into conversations. It’s the notion of “Shadow IT,” where workers are using devices or services not approved by the IT department and that lack strong security protections.
One of the main reasons Shadow IT has returned at this moment is that, when many workers were sent home, laptops and other equipment remained in short supply. This means some employees improvised and used personal devices to get the job done, Henderson explained.
The big difference now is that almost everyone in the organization is using Shadow IT. “I think the biggest takeaway from this is that this is a new reality for organizations,” Henderson said. “Shadow IT implies compartmentalized rogue usage—and right now, it’s not rogue if everyone is doing it. When the majority of an organization goes rogue, they’re no longer rogue.”
The consequence of this is that, by mixing business and personal devices, as well as corporate and personal passwords, employees and their organizations become easier targets: a password reused across accounts can be guessed by brute force or replayed from an earlier breach in a credential-stuffing attack. It’s one reason why now is the time to rethink the security controls and processes that are in place.
“If employees aren’t provided the tools to do their jobs, they will seek ways to do things on their own,” Henderson said. “When we see that 35 percent of those new to working from home are reusing passwords for business apps or accounts, it also highlights an opportunity for organizations to offer solutions like password managers to help employees avoid password reuse.”
Rethinking Security Post-COVID-19
Lisa Plaggemier, chief strategy officer at MediaPro, which provides cybersecurity and privacy education, believes that security teams can counter some of the issues that have crept in since work-from-home started by raising awareness now of the cyberthreats that lurk in home offices.
Plaggemier suggests starting out by sending good security practice reminders in company newsletters, Slack channels or other ways employees communicate.
Another way to improve cyber hygiene is for the security team to work through the IT help desk, reinforcing good security practices whenever employees reach out for technical help.
“Leverage your IT help desk staff to provide security advice. If they’re helping an employee with their home router, ask if the password is complex and unique—and hopefully not still the default password,” Plaggemier told Dice. “Calls to the help desk for password reset issues should be accompanied by advice on password complexity. Give your IT staff some pre-built messaging to help them communicate important points to employees.”
IBM’s Henderson advises going beyond training, and encourages CISOs and their teams to conduct more threat modeling and adversary simulation to better understand how attackers can exploit weaknesses, especially when targeting WFH environments. With that knowledge, organizations can build a better defense.
“I advise clients to use the results to answer these two questions: How do I better detect an attack, and how do I better protect myself from an attack? This helps to identify security gaps in this new normal,” Henderson said.