Authored by: Goh Chee Hoh, Managing Director for Trend Micro Malaysia and Nascent Countries
It is often said that employees are the weakest link in the corporate cybersecurity chain. This would certainly explain why phishing has become the number one initial access vector for cyber-attacks. During the COVID-19 crisis, organisations have arguably become more exposed than ever to the potentially insecure behaviour of their remote workers.
This is partly because, given the large number of home workers involved, many may not have the luxury of a corporate laptop. Personal equipment is likely to be less well secured, while the home environment may feature more distractions than the office. What is more, stretched IT teams and budgets mean those who do run into a security-related problem may not get the support they normally would.
No two employees are the same
This is a concern. So how concerned do we need to be about our employees? A recent global study by Trend Micro, based on the responses of over 13,000 remote workers in 27 countries, including more than 500 in Malaysia, highlights where best practice is occurring and where things may be going wrong. With the large majority (86%) of Malaysian respondents working from home more during the pandemic, IT and business leaders need to know where the risks are so they can take concrete steps to address them.
In doing so, they must also remember that no two employees are the same. We worked with an independent cyberpsychology expert, Dr Linda K. Kaye, to analyse the results of the study and found that there are four distinct security personas in every organisation. Understanding these will help to inform more effective staff training and awareness, although technology controls remain an essential part of any security strategy: awareness reduces the number of risky clicks, but it cannot bring that number to zero.
The first bit of good news is that, despite working in physical isolation from colleagues and managers, an overwhelming number of employees (72%) said they have become more security conscious during lockdown, with only 4% claiming to be less so. What does this mean in practice?
It means understanding that approved corporate platforms should be used to send files, and recognising that using a non-work application for company business is a security risk. It is also about taking instructions from the IT team seriously, as 91% of Malaysian respondents said they do, agreeing that they have an important responsibility to keep the organisation secure.
It is also about understanding that it is risky to click on links in unsolicited emails, even ones promising attractive offers such as free cloud storage or faster internet speeds, and knowing definitely not to click when using a corporate laptop, where one compromised session can expose corporate credentials and data rather than just the user's own.
But there is still a long way to go
Unfortunately, that is where most of the good news ends. We also found a large amount of poor security practice which could expose organisations to serious cyber-related risks. These included:
WiFi and remote working issues: Nearly two-fifths (37%) of Malaysian respondents said they always or often use public WiFi without the company VPN. Any traffic not already protected by TLS, including DNS queries, legacy plaintext protocols and captive-portal redirects, is then exposed to eavesdroppers on the same network, and a rogue access point can intercept connections before the user notices anything is wrong. A third (33%) have even worked on sensitive documents in view of members of the public without using a privacy screen.
Exposing work laptops to online threats: Only 11% said they never use their work laptop for personal purposes. Just over two-fifths (42%) of Malaysian respondents said they do so freely, and a further 47% only during business trips. Such activity can expose corporate data to malware found on torrent sites, non-approved app stores, adult content sites and more, because anything that compromises the laptop also compromises the corporate sessions and cached credentials on it.
Personal devices used to access work data: Cyber risk is also multiplied the other way around, when remote workers use potentially less well protected personal devices to access corporate systems. Two-fifths (39%) of respondents said they often or always do so, which means unmanaged devices, whose patch level and endpoint protection IT cannot see, are reaching corporate data.
Shadow IT and non-work apps: Perhaps even more concerning is the fact that over a third (35%) of remote workers have uploaded corporate data to a non-work app. Although these may be legitimate applications, the fact that they are not sanctioned by IT compounds the visibility and control challenges associated with shadow IT: data copied there sits outside the organisation's access controls, retention rules and breach monitoring.
Fortunately, there is plenty that organisations can do to mitigate risky employee behaviour, even in the context of mass remote working.
IT security managers must combine clear acceptable-use policies with enhanced education and awareness training. On the policy side, this means reviewing the corporate BYOD policy and tiering the controls applied to a device according to the sensitivity and criticality of the data it is allowed to reach. On the training side, the focus should be on practical security skills, especially how to spot phishing attacks, using hands-on tasks and real-world simulations to drive lasting changes in behaviour rather than one-off awareness.
Remote working is set to become the norm long after the current pandemic has receded. Now that the initial rush to support the distributed workforce has subsided, it makes sense to start planning in earnest to mitigate the risks highlighted in this study.