A workforce that was rushed out of the office due to COVID-19 equates to opportunities for cybercriminals, an IBM report finds.
An IBM survey of professionals new to working remotely finds those employees pose serious security risks—and it may not be their fault.
The report surveyed more than 2,000 people new to working at home due to the COVID-19 pandemic, and found that while 80% are confident in their organization's ability to handle cyberthreats that arise due to remote work, 45% also said that they haven't received any additional security training since going remote.
IBM's study mirrors other findings about the state of cybersecurity during the pandemic, specifically that it's not keeping up by largely failing to provide security tools necessary to keep remote workers safe.
"The rapid shift to working from home has also changed the ways many organizations do business from moving face-to-face meetings to video conferencing calls to adding new collaboration tools—yet the survey showed many employees are lacking guidance, direction and policies," IBM said in a statement.
84% of respondents said they participate in at least one to five virtual meetings a week, and 54% said they were unaware of new policies put in place to protect those calls.
SEE: Security Awareness and Training policy (TechRepublic Premium)
TechRepublic's Karen Roby previously spoke to security expert Richard Bird about the biggest concerns involved with working from home, of which Bird listed three: Businesses are having difficulties adapting to the decentralized security needs of a remote workforce, people at home may not behave as safely, and bad actors thrive in uncertainty.
That last point has been backed up by other findings, specifically that data breaches have risen during the COVID-19 shutdown.
A rise in breaches coupled with an unprepared workforce is bad news, and IBM again found that companies may not be preparing their workers: 42% of respondents said they work with personally identifying information (PII) in the course of their day, and 58% said they were unaware of any new security policies around managing such data.
53% of respondents said they're using a personal computer to work from home, and an identical percentage said none of the devices they use for work were administered by their employer. These numbers decreased slightly for employees working with PII, but they're still largely in the same boat.
SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)
"Working from home is going to be a long-lasting reality within many organizations, and the security assumptions we once relied on in our traditional offices may not be enough as our workforce transitions to new, less controlled surroundings," said the head of IBM's X-Force Red security team, Charles Henderson. "Organizations need to use a risk-based approach with work-from-home models, then reassess and build from the ground up."
IBM's report creates a grim landscape for WFH security, but keep in mind that all of the responses come from employees: It's entirely possible some may be unaware of new security policies despite their employers trying to make them aware. Emails can be missed, training can be skipped, and there are other ways to fall through the security training cracks when you're not physically in the office.
That may not be the case, though: a study from 1Password did find that remote workers were doing their part to stay safe, with 63% of IT leaders surveyed saying users were doing a better job adhering to security policies when working remotely.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Kubernetes security guide (free PDF) (TechRepublic download)
- Information security policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)