Security faux pas: 56% of employees use personal computers to WFH

Using nonwork authorized tech at home places company data at risk, especially since 23% of employees are unsure what security protocols exist on their devices, Morphisec found.

During this unexpected remote work era, more than half (56%) of employees reportedly use their personal computer as their work device, a Morphisec report found. This practice puts company data at risk of cyberattack, with 23% of employees confirming they are unsure of what security protocols are on their devices. 

SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)

The coronavirus pandemic accelerated the remote workstyle, forcing companies to quickly shift staff to work from home (WFH). Many organizations either didn't have remote workers, or only had a partial remote staff, making this change particularly drastic. 

Morphisec's 2020 WFH Employee Cybersecurity Thread Index, released on Tuesday, examined how more than 800 US employees are coping with these changes, determining the biggest concerns and obstacles associated with the new experience.

"We've seen anywhere between a doubling or a tripling of the amount of attacks that we blocked since COVID. When I say about a tripling, that's over 170,000 attacks a week across the five million end points," said Andrew Homer, vice president of security strategy and business development at Morphisec, a unified threat prevention platform that stops zero days, exploited, fileless malware, and more.

"We've seen that like 25% of all the people who went home and have very strict company guidelines around security protocols aren't even following them," Homer said. "From an IT management hygiene standpoint, it's next to impossible for them to maintain the governance, to actually know what their employees are doing." 

Adjusting to WFH 

While COVID-19 accelerated the WFH trends, organizations were already moving in that direction. The number of remote employees grew by 44% between 2014 and 2019 , according to FlexJobs.  

Despite the enterprise gradually moving toward remote work, the stark shift brought on by the coronavirus revealed that WFH was a completely new experience for nearly half (49%) of office workers, the Morphisec report found. 

This surge in WFH employees has placed a great deal of pressure on IT departments at office-based organizations. Before the pandemic, IT professionals had plenty of time to add additional security measures to remote employee's company-provided machines.

However, with office-based businesses quickly having to become fully remote, the timeline to secure devices shifted from weeks to days. IT was forced to quickly create the architecture they needed to rapidly move entire companies to remote status.

Security professionals were not only tasked with the challenge of quickly creating a remote environment, but they also had to handle the larger attack surface created by such a workstyle. Moving outside of office walls, organizations aren't able to guarantee employees are working on secure devices or trusted Wi-Fi connections, the report found. 

Despite the strain placed on IT teams, the majority (62%) of employees rated their company and IT department's response to shifting to a secure workforce as above average or better.  

Remote work security concerns 

While WFH presents a slew of security challenges, the majority (75%) of employees say they either usually or almost always follow the advisory of their IT department or security staff when it comes to cybersecurity guidance, the report found.

The most common tip from IT teams is to be wary of suspicious emails, attachments, or pop-ups (56%). The second most common tip is to ensure antivirus software is connected  and active (48%), followed by updating software and patches frequently (46%), the report found. 

With the transition to WFH happening overnight, many employees didn't have their corporate devices with them, forcing them to use personal devices instead. These devices aren't equipped with the same precautions and security measures as work devices, putting corporate data at risk, Homer said. 

However, even being on corporate devices can be dangerous, as the devices are exposed to other individuals in the household, Homer noted. 

"We've seen a tenfold increase in the amount of adware, [which] is games, or unwanted software on these devices. That's indicative of kids using their parents' machines," Homer said. 

"That's really concerning because adwares have become the delivery mechanism of putting malicious, highly nefarious malware onto these machines,"  Homer said. "Now that we're outside the corporate network, the end point itself has become ground zero."

Being outside of the office also means that employees are on their own Wi-Fi networks, which have proved to not be as sturdy as in-office connections: Some 26% of respondents reported having frequent or very frequent issues with their Wi-Fi connections. 

"There's a lot of things that go out the window. Network security is largely out the window," Homer said. "One in four experienced problems with Wi-Fi, and traditional security today relies on Wi-Fi."

The report also identified some of the most used applications for remote workers. The most essential work applications included productivity suites like Office 365 and GSuite (42%); however, these apps are also another avenue of security vulnerability, causing 39% of respondents to be extra cautious when opening, the report found.

Large companies are realizing they must have automated self protection baked into employee end points, Homer said.  

"In other words, the ability to stop and prevent and block and attack, without alerting people, which is a radical departure from how companies do it today," Homer noted. "Today, companies assume that [hackers] are in and then report back every single event.

"When you have a dirty environment, it's equivalent to like going into a city; you have all this noise, and people can't make heads or tails out of what is a good event versus what's a bad event because they're blending the personal and work activity on the same machine," Homer said. "They now need an architecture [focused] on prevention, not on detection, that stops the attacks."

What makes all of this even worse is that security hygiene was already an underlying problem within organizations. And with remote work adding to the list of security vulnerabilities, companies found themselves unprepared to tackle that dilemma, Homer said. 

The key is to focus on tools and strategies that put an end to an attack before it even starts, so that devices are never compromised to begin with, he added. 

For more, check out Clear guidelines for remote work will boost security and control access on TechRepublic

Also see 

Businessman working on laptop. Protection network security computer and safe your data concept. Digital crime by an anonymous hacker

Image: iStockphoto/marchmeena29