IT Relaxing Security Policies During WFH While Employees Step Up Their Efforts
IT workers may have had the toughest transition to the WFH model. Not only were they tasked with preparing entire organizations for remote work, setting them up with the right equipment and ensuring access to the right technologies and software—and doing it in a matter of days or less—but many on the IT staff also were tasked with managing the security of their co-workers as they worked from home.
A survey conducted by 1Password found that employees are appreciative of the hard work by the IT department, with 89% saying they had no complaints about the IT team. Maybe this response was a result of another part of the survey that found 1 in 3 IT personnel had relaxed or weren’t enforcing security policies, including allowing more shadow IT to be used.
This almost seems like a backward approach. Without the controls of being onsite, the logical conclusion would be stricter security protocols and tighter rein over employee behavior in a WFH model. But that’s not the case. In fact, Matt Davey, COO of 1Password, said the company’s research finds that employees are doing a good job policing themselves on security protocols and requirements, with 58% of IT workers saying employees are doing better at following security rules at home than they do in the office.
“Prior to conducting our research, we feared people would be more relaxed at home and more likely to slip up,” said Davey. “We were pleasantly surprised to see that only 20% of workers don’t follow the company’s security policies at all times.”
The reason is productivity. About half of employees admit they circumvent IT rules to be more productive in the 9-5 atmosphere with its pressure on efficiency. But at home, every employee’s workday is unique. Everyone had to adjust to quarantine and working more efficiently has taken on a new urgency. Workers have stepped up to use security to help with productivity, and IT has helped that by relaxing some rules.
Shadow IT Still a Risk
Just because employees may have been given access to shadow IT and personal devices doesn’t mean the security risk has disappeared. And that’s even more so during the transition to remote work, said Davey.
“Employees are using third-party apps, services and devices to get their work done more efficiently,” he stated. “These are often deployed without oversight from the IT team—perhaps because there’s no precedent for remote work, so existing security guidelines might not match the new working reality or perhaps because shadow IT is simply just the quickest route to solving a problem.”
Shadow IT is also a serious password security threat to organizations. IT already lacks password management oversight to these unknown devices and applications, and there is even less ability to ensure best password security practices are used in WFH situations.
Turning to Password Management Systems
“Convincing enterprise users to have good passwords isn’t a problem; the problem is empowering them to actually create them. A password should be complex and randomly generated, and humans aren’t great at being random,” said Davey. The solution may be found in a password management system to generate more complex and secure passwords that add to the security of shadow IT and all other remote access.
“My philosophy when it comes to passwords is to be good by being lazy.” Davey explained. “There’s no site that’s too small where password reuse can’t find a way of getting a company into trouble, and we’ve seen time and time again that most users aren’t great at coming up with their own passwords. By providing a password manager that saves and fills strong passwords for employees, enterprises actually make it easier to do the secure thing than it is to do the familiar, unsecure thing.”
No matter how well employees are managing security while remote working, IT must stay diligent to any possible threat. And that requires efforts that really aren’t that difficult to manage, Davey said.
“When enterprises are looking to avoid getting hacked, they should prioritize two things: providing tools for unique passwords and a secure second factor,” he said.
With passwords, Davey recommends employees use a randomly generated password that’s entirely unique to each account—ideally, 20 characters for character-based passwords and four words for word-based ones. When adding the second factor, IT should opt for something like a physical security key or authenticator app. SMS might be an easy solution for IT and workers, but it is vulnerable to SIM-swap attacks, which occur when a hacker steals an employee’s mobile identity by transferring the phone number to a new SIM card in their possession, he said.
WFH has been a challenge for everyone, but compromises between IT and employees, as well as shoring up the password weak link, has put security front and center—in a good way, for once.