When it comes to public health, good hygiene is paramount in avoiding infection. For companies looking to prevent cyber attacks, the same logic applies. According to a report by Accenture, the average number of security breaches a company faces each year has increased by 67 percent since 2014. Additionally, Ponemon Institute found that the average cost of successful attacks increased 78 percent between 2017 and 2019, from $5.01 million to $8.94 million.
Companies need to look at how they approach cybersecurity from the bottom up to mitigate the risk posed by the growing threats to cybersecurity. Cyber hygiene practices like patching and updating user systems regularly, encouraging the use of multi-factor authentication, and limiting admin privileges need to become ingrained within organizations.
The growing importance of cyber hygiene is linked to the rise in remote workforces. Many remote workers use personal devices that are less secure than corporate ones, which makes them susceptible to attacks that would otherwise be blocked. Seemingly insignificant online habits, like saving passwords in browsers and lending family members corporate devices for personal use, can pose serious breach risk to companies as well.
Remote Workforces Create A Higher Security Risk
The last few months have shown that remote work doesn’t destroy productivity. Many companies have noticed improved performance and the potential to reduce overhead permanently. However, remote work still has some disadvantages. Almost three-quarters of VPs and C-suite IT leaders think that remote workforces present a higher security risk than on-site employees. They’re not wrong. More than 75 percent of remote employees don’t take any privacy measures when working in a public space, making them easy targets for hackers. Furthermore, nearly half of all remote workers say they transfer files between personal and work devices. By exposing data outside the corporate network, these bad habits could have devastating consequences for your organization.
Insisting that all employees use a VPN can help. But while VPNs provide some security of access, they need a dependable internet connection to work. Unfortunately, compared to corporate wireless networks, home and public WiFi networks are unreliable. Between 2017 and 2018, 81 percent of organizations reported experiencing WiFi-related security incidents due to employees using WiFi in public spaces like cafes and hotels. Ultimately, remote workers, especially those accessing corporate data through a browser on their personal devices, have to rely on endpoint protection tools. This increases the potential for a breach of sensitive corporate data, purely because users are outside the additional protections of the corporate network..
Higher Risk Means Cyber Hygiene Becomes More Critical
Even though the FBI has reported a 300 percent jump in cybercrime since the start of the COVID-19 pandemic, most employees aren’t phased. According to a recent study by the cybersecurity firm Promon, 77 percent of remote employees in the U.K. don’t have any security concerns about working from home. Now, more than ever, it’s vital that managers introduce workers to good cyber hygiene practices, such as: :
- Security Awareness Training: Untrained workers are more likely to make mistakes that lead to security breaches. While it’s impossible to eliminate mistakes completely, security awareness training can help equip remote workers with knowledge on how to avoid threats. The National Institute of Standards and Technology (NIST) has a useful framework on how to build this type of training program. The NIST suggests educating remote users on how to identify social engineering scams and spot spam websites, among other things.
- Regularly Updating Applications: Software updates are critical because they often patch security weaknesses uncovered since the previous iteration of the software was released. About 80 percent of organizations that experienced a data breach or a failed audit in 2016 could have prevented the incident with a patch or a configuration change. Even worse, 20 percent of all vulnerabilities discovered are usually “High” or “Critical Risk,” while a quarter of vulnerabilities take more than 90 days to fix.
- Limiting User Roles and Permissions: Granting users unnecessary system permissions can lead to misuse of privileges (either accidental or deliberate) and increased attacker capability. By implementing the principle of least privilege, which is based on the idea of giving just enough access to users to do their job, organizations can minimize damage if and when a user account is compromised. Even when managers grant users certain privileges, they should monitor user activity closely for unusual actions, like accessing sensitive information after working hours.
- Using Multi-Factor Authentication for User Passwords: Globally, 57 percent of companies use multi-factor authentication (MFA) for their passwords. Yet in the U.S., only 28 percent of organizations secure their accounts with MFA. This is a major issue. According to the Third Annual Global Password Security Report, employees reuse one password about 13 times. It comes as no surprise, then, that stolen and reused credentials contribute to 80 percent of hacking-related breaches. Using MFA, or at the very least two-factor authentication (2FA), adds an additional layer of security and reduces the risk of cybercriminals using stolen credentials to move an attack further.
Reduce the Security Risks of Remote Workforces
People have always been the weakest link in the cybersecurity chain. Even the best security tools can’t protect against someone who clicks on a link in a spearphishing email, reuses their personal password on a work account, or allows someone they shouldn’t to use their corporate device. These issues are magnified with remote workers, who are outside the ability of IT teams to monitor and ensure compliance, requiring paradoxically more work to ensure they remain compliant.
Ultimately, it’s important to understand that the remote workforce is here to stay. Regardless of whether employees work from home full-time or part-time, they create a higher risk for IT and security teams than employees working on-site. For this reason, it’s crucial that organizations invest money and time in teaching employees how to handle computer security. Only when employees practice good cyber hygiene regularly will enterprises be able to truly reduce the risk of disruption.
*** This is a Security Bloggers Network syndicated blog from Morphisec Moving Target Defense Blog authored by Roi Vaknin. Read the original post at: https://blog.morphisec.com/good-cyber-hygiene-remote-workforces