Lack of Threat Awareness Creates Hybrid Work Risks

Most Americans are unaware of cybersecurity threats, and although more are concerned about cybersecurity, nearly six in 10 have downloaded or installed software, apps or cloud storage programs not approved by their IT department.

These were the concerning findings from the 2021 Unisys Security Index, which surveyed 11,000 consumers in 11 countries, including 1,000 in the U.S.

When asked why they did so, 45% of respondents said that the software or apps they downloaded were better than the tools their company provided. Meanwhile, 43% of respondents said their company did not provide a good alternative option.

The survey also highlighted the low level of cybersecurity knowledge among U.S. citizens, with more than six in 10 (62%) admitting they are not familiar with the threat of SMS phishing (SMiShing), which is when a scammer texts asking for personal or financial information.

About three-quarters of respondents said they were unaware of SIM jacking, which is when a scammer gets your phone number transferred to a phone they control. More than half (51%) of people surveyed said they are not wary of clicking on links in a text message, email or social media app.

In addition, nearly three-quarters (72%) of respondents revealed they do not know where to report a scam should they be victimized.

Bringing Consumer Apps to Work

Hank Schless, senior manager of security solutions at Lookout, an endpoint-to-cloud security company, said employees want to use products they’re already comfortable with and have as few platforms to manage their data as possible.

“This may lead them to want to use the same apps for work-related material that they use at home,” he said. “For example, if they already use Dropbox for personal reasons, they may prefer to store and share work-related data from it, as well.”

Schless noted there’s also the risk of employees unintentionally sharing data outside of approved corporate apps: For example, they may unintentionally save a document with sensitive compliance-related data to a personal Google Drive account.

As the survey responses indicated, there may also be solutions that work better for that employee’s lifestyle than what the organization offers.

“If an individual prefers to be able to access data from any device, they may favor a cloud-based platform that enables them to be productive from anywhere versus a private app that requires them to tunnel in through a VPN,” he said.

Ben Pick, senior application security consultant at nVisium, an application security provider, said companies need to empower their employees to perform their tasks.

“This can be done by streamlining approvals for new software and tools to be used,” he explained. “Additionally, by implementing adequate access controls, companies can limit the risk of installing malicious software by reducing the impact of a potential exposure.”

From Pick’s perspective, focusing on the education of employees is not an adequate solution: The company needs to shift its priorities to accommodate a growing list of tools to augment required tasks.

“Overly burdensome tools to perform file management and software inventory would require an unsustainable team to investigate each alert,” he warned. “Therefore, capable employees who fully understand their environment are much more beneficial than adding another tool.”

He also pointed out that the more restrictive a company, the more employees will circumvent those imposed restrictions.

“Companies which prioritize completing a job over doing so securely will be grooming their employees to ignore policies,” Pick said.

CASB Solutions at Work

Schless added that cloud access security broker (CASB) solutions help organizations gain visibility into cloud apps and data, extend uniform access controls and centralize access control policies.

He said there are a few ways organizations can identify a unique CASB that fully equips them to stop breaches.

A CASB that enables them to create conditional access policies from any mobile device, laptop or PC ensures only secure users and devices can access sensitive data regardless of where they do it from.

Advanced data loss prevention (DLP), user and entity behavior analytics (UEBA) and native digital rights management (E-DRM) are all necessary aspects of a CASB that can help an organization ensure full protection of data.

Schless said the CASB should also be able to help identify and prevent shadow IT as well as mitigate the risk of data movement between corporate and personal accounts on the same app.

“All of this is done to securely enable remote workers and protect sensitive data from both intentional and unintentional data leakage,” he said. “It’s safe to say that most employees aren’t intentionally putting their company at risk by using unapproved apps, but they may not realize the greater risks at play.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
