The mass shift to working from home precipitated by the Covid-19 pandemic created massive security challenges, ones that were difficult to solve even if workers could be convinced to practice nearly perfect security hygiene. A new study from HP indicates that employee buy-in is far from 100%.
A full 30% of remote workers under the age of 24 say that they circumvent or ignore certain corporate security policies when they get in the way of getting work done. While the young cohort is most likely to buck the system, 67% of IT leaders say they get “weekly” complaints about restrictive policies and 48% of all workers feel that these measures are a waste of time.
Working from home blurs lines between personal spaces and corporate security
The study was conducted by HP’s Wolf Security division. Entitled “Rebellions & Rejections,” it surveyed over 8,400 office workers who moved from an in-person role to working from home after the outset of the pandemic. 1,100 IT staff with decision-making roles were also included.
The study’s title lets you know what to expect right from the outset. 91% of respondents say they feel pressure to compromise security for business continuity, and 76% of the IT respondents said that security sometimes had to take a backseat to business continuity needs during the pandemic period. 83% of the IT respondents believe that this state of frustration and rebellion has created a “ticking time bomb” for a breach of their organization’s network.
The report points out that this is not a temporary problem, with 23% of respondents expecting to continue working from home post-pandemic and an additional 16% expecting to now split work time between home and the office. With nearly half of all employees expecting to do at least some amount of working from home going forward, millions of vulnerable endpoints have opened up that can lead directly into corporate networks.
Chief information security officers are well aware of this issue, but the friction caused by the situation is leading to rebellion among a substantial chunk of those working from home. Some employees are using personal devices that they do not associate with corporate security policies. Others feel that requirements are slowing work down too much. And some simply remain unaware of the policies they’re being asked to follow while working from home: 39% of those under the age of 24 say they do not know what the data security policies are, and only 36% of all workers say they have been given training on protecting home networks and devices.
Changes to security policies have been nearly universal; 91% of respondents said that policies had to be adopted to account for increased working from home, and 78% of IT teams blocked access to certain websites or applications as part of this change. Pushback from users to these changes is also nearly universal (80%), as is discontent in the IT ranks at having to deal with this new wave of complaints and issues.
Increases in cyber attacks keep IT teams busy
What threats are keeping IT teams up at night given the proliferation of improperly secured devices in employee homes? Over 80% of respondents say they are dealing with increases in ransomware, firmware attacks, exploitation of unpatched vulnerabilities that have been disclosed to the public, data leakage and “man-in-the-middle” attacks.
Respondents also voiced high levels of concern about IoT threats, targeted attacks and firmware attacks against printers. 83% of the IT respondents said that they viewed these new vulnerabilities as a “ticking time bomb”; the same number said that trying to enforce corporate cybersecurity policies on those working at home has become “impossible” due to the mix of personal and business circumstances. 69% also felt they were unfairly being cast as the “bad guys” in this situation, when the policies generally originate from the executive suite.
Achieve similar outcomes without simply implementing restrictive policies
Since working from home appears to be the new normal, what can be done to rectify the situation? For starters, the HP Wolf team suggests that policy must be viewed through the lens of psychology. The end user has a dual view of cybersecurity: they see it as necessary for protecting personal accounts, such as banking, but frequently see it as a hindrance at work that gets in the way of getting their job done. IT teams need to think about what else might achieve the same security outcome, rather than simply implementing a raft of restrictive policies that employees will very likely ignore or circumvent whenever possible.
The study authors also suggest improving security outcomes by finding ways to share some of the load that the put-upon IT teams carry with the rest of the organization, and by fostering a more collaborative security culture.
Saryu Nayyar, CEO of Gurucul, adds: “Corporate security professionals need a better understanding of how remote workers are doing their jobs so they can work collaboratively in designing cybersecurity systems that meet those needs. Monitoring activities in WFH environments and assessing the risk of specific activities should be a cornerstone of that effort.”
And from Rajiv Pimplaskar, CRO of Veridium: “While enterprises and users are starting to adopt passwordless authentication methods like ‘phone as a token’ and FIDO2 for customer and Single Sign On (SSO) portals and enterprise applications, vulnerabilities still exist across entire categories of cases such as 3rd party sites, VPN (Virtual Private Network) and VDI (Virtual Desktop Infrastructure) environments, all of which are particularly vulnerable in the current WFH explosion … Companies need to adopt a more holistic modern authentication strategy that is identity provider agnostic and can operate across all use cases in order to build true resiliency and ensure cyber defense against such actors.”