Too Much Trust?

Decentralized working models have made the security team’s job harder, impacting the control they had over their organization’s security posture. They’ve been forced to depend on employees and suppliers taking responsibility for protecting the data they handle, and on technology working as it should. This sounds like the recipe for a lot of sleepless nights. However, a recent Apricorn survey reveals relatively high levels of trust in people, third-party vendors and tech. Is this trust misplaced?

IT security professionals across North America and Europe responded to questions about security practices and policies during remote working conditions over the past 12 months. Nearly 40% had between 16 and 20 years’ cybersecurity experience.

Unsurprisingly, concerns over the cyber-risks brought about by remote working are high, with 60% agreeing that new COVID-induced work conditions have created data security issues within their organizations, and 38% saying that data control during the pandemic has been very hard to manage. Three-quarters (75%) have put COVID-centric policies in place.

However, rather than driving IT practitioners to put their guard up and double down on efforts to maintain control, the opposite seems to be the case, with security professionals appearing more relaxed than might be expected.

Off-Site Must Not Mean Out of Mind

It’s been widely reported that employees tend to loosen their security stance when working outside of the office setting, but it appears that those with responsibility for that stance are doing the same. Shockingly for such seasoned security professionals, one in five respondents to Apricorn’s survey admitted their own work devices had been used by other members of their household.

They also appear to have faith in employees to ‘do the right thing’: 45% allow the use of personal USB devices that connect to corporate systems within the firewall, exposing the organization to the risk of attack. Compromised personal USB sticks are one of the fastest-growing methods used by cyber-criminals to introduce malware.

Just under half of respondents (49%) believe that individual employees within their organization simply don’t consider themselves to be targets for attackers looking to access company data.

An organization’s people are arguably its greatest security asset, but to build that critical ‘home front’ line of defense, IT teams must keep them front of mind, equipping them with the knowledge, policies and tools needed to protect data and assets beyond the corporate firewall. This includes ensuring they understand that they are potential targets, and understand the role they have to play.

The Third-Party Risk

The research also showed high levels of trust in vendors, with more than a quarter of respondents (27%) stating they’re not concerned about data being lost this way – despite suppliers being a major cause of data breaches. Ponemon reports that 53% of organizations have experienced a data breach as a result of a third-party vendor.

Efforts to build a culture of security should extend beyond the workforce, with vendors and partners also being educated in the specific regulations and risks relevant to the organizations, and the security practices they are expected to follow. It’s a good idea to enshrine these within supplier contracts.

Faith in Technology

IT professionals are also confident in cloud technologies, with a quarter (25%) not concerned about cloud security even though they’ve seen an increase in usage from employees working remotely. Nearly a fifth (19%) of those that do have concerns have still not put processes or policies in place to govern the storage of data in the cloud.

Allowing employees in myriad disparate locations to access central data, services and resources in the cloud has been a huge blessing for companies, enabling them to maintain their operations. Cracking down on cloud usage therefore isn’t the answer, but ensuring that the associated risks are managed is critical.

Implementing end-to-end data encryption will enable organizations to remain secure as their operating environments and working models continue to shift, safeguarding information in transit and when stored. Providing employees with approved hardware-encrypted USBs and hard drives will help to mitigate the BYOD risk, giving them a way to securely store and back up data offline and move it between locations.

Apricorn’s survey highlighted a number of areas where cybersecurity professionals' security practices and attitudes were more relaxed than one might anticipate, given the current circumstances. Businesses must take steps now to identify their blind spots and correct them with policies and processes around how data should be handled, both within and without the organization and via agreements with their partners.

Remote working is set to continue beyond COVID-19, and cyber-attackers are getting into their stride when it comes to targeting the resulting weaknesses. There’s simply no room for overlooking or underestimating threats. Organizations should be both comprehensive and proactive in implementing a multi-layered, data-centric approach to cybersecurity that covers people, process and technology. Right now, a healthy dose of scepticism might well prevent a costly breach.
