A remote chance of protection: lockdown 3.0 presents a security risk for enterprises that have lost faith in their vendors
As the UK continues its third lockdown, business IT infrastructure protection is under increasing threat, as almost three-quarters of Chief Information Security Officers (CISOs) recognise that their employees are less likely to adhere to cybersecurity measures while working remotely.
While the resultant peril is coming from inside staff members’ homes, executives believe security vendors have a role to play in making remote working practices safer.
New Kaspersky research conducted with both security leaders and employees highlights concerns around lockdown-induced cybersecurity challenges. These findings derive from a survey with more than 240 CISOs – or those in similar executive positions – for companies employing more than 250 people. The study was complemented by an omnibus survey of 2,000 UK adults, working full or part time, to discover the severity of this issue.
The survey revealed that more than one-third of UK employees are less sure of security measures when working from home, while a similar percentage feel that following their employer’s security protocols is less important when working remotely. A concerning one in 10 either don’t know if their devices are connected securely at home, or admit that they aren’t. While this danger isn’t necessarily a new revelation, it is a new outlook on the dynamic between vendors, businesses and their employees, and is an especially pressing concern given that widespread working from home is set to continue throughout 2021.
A 2019 report revealed that 52% of enterprises experienced breaches due to employees’ inappropriate IT use. However, these statistics, less than two years on, don’t place the blame directly at either employers’ or employees’ doors. Rather, according to Kaspersky’s research, almost six in 10 security leaders claim they find it difficult to action the guidance provided by security vendors in relation to their business. A similar percentage agree that the information they receive from cybersecurity vendors isn’t even relevant to their organisation in the first place as a result of the communications gap.
This disconnect between vendor provision and enterprise action is producing an underprepared or underinformed workforce at an increasingly critical time. As many as 63% of security leaders go on to say that the information being provided by vendors is too complicated to even try to share with their staff. Almost as many state that this complexity is compounded by a lack of time or resources to understand it and then communicate it to colleagues.
This message misstep is most starkly demonstrated by 58% of CISOs believing that vendors don’t understand the threats they actually face. The resultant mixture of mistrust at a transaction level and miscommunication on an internal level has severe consequences among the consumer contingent now being left – quite literally – to their own devices. Without adequate training and guidance throughout the chain, more than a quarter of UK employees admit they have bypassed their employer’s security measures to download unauthorised software, while 30% confirmed they have connected to a mobile hotspot while working from home in order to get around their employer’s security measures.
Not understanding the significance of the security being installed is one thing, but feeling confident enough to bypass it entirely highlights the potential dangers that lie ahead for enterprises in ongoing pandemic times. It is vital that this cycle of miscommunication is broken on both sides of the equation, so that vendors attain a better understanding of businesses’ needs and businesses receive more tailored and constructive messaging about the products they buy. However, while this relationship is naturally one that evolves over time, there are more immediate steps that all enterprises should be taking to ensure protection during the upcoming months. These include:
- Enforcing strong passwords, and updating them when required
- Ensuring that employees working remotely use a corporate VPN
- Ensuring that updates on laptops and devices are carried out regularly
- Storing data in one place, so that if a system is compromised, data can be retrieved much more easily
- Encrypting important data
- Regularly backing up data
- Ensuring that staff secure their home routers with network encryption and a strong administrator password
- Investing in webcam covers for employees to use when their cameras are not in use, and encouraging workers to select settings that blur backgrounds in group meetings to ensure privacy
- For companies that have adopted a BYOD policy, limiting how often staff carry out personal tasks, such as banking or personal email, on work devices

All of these steps should be underpinned by regular IT cybersecurity training and workshops to keep employees abreast of the current industry climate and aware of what dangers to look out for.
“The fact that so many employees feel confident and safe enough to bypass the messages they’re being given by their employers is concerning. It would be easy to attribute the problem to this communication within enterprises, but we shouldn’t overlook the statistics relating to vendor understanding and messaging. If businesses and CISOs don’t feel they are receiving guidance and information that is tailored to their needs and resources, they’re less likely to translate the actual significance of cybersecurity to their colleagues. Given the ongoing reliance on remote working that we’re expecting in 2021, it’s vital that this relationship improves quickly,” comments David Emm, Principal Security Researcher, Kaspersky.