Enterprises Skimping On Basic Cybersecurity Controls

  • The benefits of connected medical devices outweigh the risks.
  • Despite remote security risks, businesses are failing to take basic steps to mitigate risk
  • Still, many enterprises believe increased remote work will remain long after the pandemic passes
  • There are steps enterprises should take to mitigate data security risks

According to a survey from Visual Objects, when it comes to bolstering their information security defenses, a sizable percentage of organizations are still not putting into place the most basic of security controls. The Visual Objects survey was conducted among 500 full-time employees in the United States from Sept 17 through 23.

The survey found that employers don’t require that employees use secure WiFi networks. They aren’t conducting security awareness training for staff, such as training on avoiding phishing attacks, nor do they require two-factor authentication for access.

About two-thirds of companies are taking this lackadaisical approach. According to the survey, only 35% of employees currently must use a secure WiFi network for work activities, which was the most commonly required security control. When it came to requiring VPNs, that number fell to 31%, while two-factor authentication reached only 31% and phishing awareness training rose only to 32% of organizations.

Employees at two-thirds of companies manage data risk by taking home their work computers, which enables them to separate work data from personal files. Associate Filip Truta has been watching the remote work security trends closely. In his post, “A Third of CISOs Have Relaxed Security Policies to Foster Remote-Work Productivity During COVID-19, New Research Shows,” he covers a survey from Hysolate. It found that while 26% of CISOs tightened endpoint security and corporate access rules since the start of the pandemic, 35% relaxed their security policies to improve the productivity of remote workers. About 39% left security policies the same.

CISOs believe that traditional defensive controls fall short. “For example, CISOs say legacy remote access solutions such as virtual desktop infrastructure (VDI), desktop-as-a-service (DaaS), and virtual private networks (VPN), among others, are ill-suited to handle many of the new demands. Half of CISOs also believe security measures are hampering productivity when scaling remote-first policies. And bring-your-own-PC (BYOPC) policies further complicate organizations’ approaches to secure remote access, researchers note,” he wrote.

Yet, as enterprises put security controls in place, many employees will bypass those controls anyhow. “New research shows that the shift to an almost fully remote workforce has significantly changed the behaviors of ‘trusted insiders’ in 2020. In a series of interviews with hundreds of businesses across a diverse range of industries, researchers found a 450% increase in employees circumventing security controls to intentionally mask online activities and a 230% increase in behaviors that indicate intent to steal data,” Truta wrote in this post, based on a survey by DTEX Systems.

Investments are being made. “Endpoints remain challenging to protect in a remote environment, according to more than half of IT professionals in a new global survey by Cisco. And 66% say COVID-19 is driving an increase in cybersecurity investments to overcome these hurdles. Secure access is the top cybersecurity challenge faced by the largest proportion of organizations (62%) when supporting remote workers. One in two respondents said endpoints, including corporate laptops (56%) and personal devices (54%), are a challenge to protect in a remote environment. 66% of respondents indicated that the COVID-19 situation will prompt an increase in cybersecurity investments.”

The cybersecurity investments necessary to secure remote workers can’t come soon enough. Enterprise Technology Research, or ETR, recently surveyed roughly 1,200 CIOs. According to this Reuters report, the CIOs are optimistic overall about IT budgets for the year ahead, expecting modest 2.1% budget increases, compared to the 4.1% decrease in 2020.

The survey also found a dramatic, permanent increase, in fact a doubling, of remote work, from 16.4% before the pandemic to 34.4% next year. Why? Because more of the CIOs surveyed reported an increase in productivity (48.6%) than a decrease in productivity (28.7%).

That poll echoes previous poll findings, including this PwC poll from June, “When everyone can work from home, what’s the office for?” That survey found the vast majority of office workers want to work from home at least part-time. “PwC’s June survey of executives and office workers shows that a permanent flexible workweek (and perhaps workday) has broad support. Most office workers (83%) want to work from home at least one day a week, and half of the employers (55%) anticipate that most of their workers will do so long after COVID-19 is not a concern.”

Perhaps most interesting are the changes in attitudes toward remote work. Before the pandemic, PwC found, 57% of employers want to give staff greater flexibility in work hours, better systems to work on remotely (55%), improved mobile work experience (53%), enhanced security policies to support remote workers (53%) and help in building networks and relationships (51%).

Roy Maurer, blogging at the Society for Human Resources Management, in his post “How to Maintain Cybersecurity for Your Remote Workers,” advises businesses to dust off their remote-work security plans and provides the following areas where companies should focus to shore up defenses:

  • Setting up and communicating remote-work security policies.
  • Securing virtual private networks (VPNs).
  • Regulating personal-device use.
  • Addressing authorization and authentication.
  • Communicating with employees about phishing and malware campaigns tailored to the current crisis.
  • Securing communication and collaboration channels.
  • Providing vigilant IT support.

Maurer also advises employers to monitor remote work practices, provide cybersecurity awareness training against phishing attacks, and encrypt sensitive data. All good advice. But as the Visual Objects survey showed, most organizations are failing to take even the most basic steps to raise staff security awareness. As pandemic infections begin to increase again in various regions of Europe and the U.S., those enterprises that haven’t started to take the most basic steps to protect their remote workers and help them defend themselves better are going to pay a price. It’s just a matter of how high a data breach price they pay.

Perhaps now, with the data clearly showing that the work-from-home trend will remain long after the pandemic is gone, enterprises will decide to invest what they need to ensure that their remote staff can work productively and securely.