Despite cybersecurity awareness training, employees are found engaging in new risky behaviors. As businesses look to refine their long-term remote work security strategy, SecurityAdvisor’s CEO Sai Venkataraman says it is essential for security leaders to recognize and proactively address security threats, protect confidential data and strengthen long-term remote work protection policy.
More than 50% of US workersOpens a new window worked remotely full-time in 2020, and an additional 18% worked remotely part-time. The blurring of workers’ professional and personal lives has been an ongoing trend but is now reaching a crescendo. The shift to a hybrid workplace has introduced new security risks and vulnerabilities that many IT and security leaders are only addressing right now.Â
To provide insights into these new security vulnerabilities, we recently ran an analysis of online employee actions that commonly lead to security incidents. We analyzed more than 500,000 website visits from employees in more than 20 countries in November and December 2020 and identified the most common risky behaviors used by remote workers.Â
Some are obvious, some are new, but the most vital lesson to pull from this data is that remote security policies are critical with the workplace’s uncertainty in 2021 and beyond.Â
Cybercriminals are Always the Top Threat
It’s important not to assign blame to employees when strategizing the human element of your organization’s security posture. The fact is that cybercriminals use an evolving blend of psychological operations (psyops), technical savvy, and targeting to lure even the most security-conscious employees into clicking a malicious link or responding to a baiting phishing email. These tactics are why employees visit compromised websites as one of the top risky employee behavior
A recent study from Alexa classified 46%Opens a new window of the top 1 million websites as “risky,†demonstrating an already hostile online environment for employees to navigate before the pandemic. Consider also that CNBC reported that the average worker spends 1.7 hours shopping onlineOpens a new window in December, and it’s no wonder why this placed so high on our list. Cybercriminals are getting better at guiding employees to fake websites and collecting their credit card and authentication data. Here’s an example of a fraudulent site our researchers discovered that impersonates a “new†Amazon site.
The holidays are a great time to perpetrate a fraud on generous and unsuspecting remote employees. CybercriminalsOpens a new window set up fake charities and fraudulent crowdfunding initiatives that leverage the holidays’ good cheer to lure employees into making contributions or sharing their financial information. The answer to this problem isn’t clear as security leaders that attempt to lock down risky internet browsing open themselves up to inhibiting employee productivity.
We also noticed a significant uptick in employees mistakenly downloading adware and crypto miners to their company devices. The latter will continue to rise as cryptocurrencies continue their popularity as investment opportunities. Cryptominers are particularly harmful because they harness enterprise IT infrastructure’s processing power to mine for various currencies. Â
Learn More: How To Keep Corporate Data Safe in the Face of Growing Shadow IT
Questionable Usage of Corporate Devices
Work-life integration fuels a new class of risky behaviors as employees increasingly use business laptops and personal devices. The top risky behavior that employees engaged in was the use of private VPNs and anonymizers. After decades of offering free content online, many publishers monetize their content and place it behind paywalls. Our data shows that roughly 3% of all enterprise employees download or watch pirated TV shows, movies, books, and other content types. Many consumers engage in this type of illegal activity, but it is especially alarming for security leaders if corporate devices serve as the conduit. Additionally, communicating personal and corporate data through VPNs is a considerable risk.Â
Adult content is also becoming a significant issue for businesses supporting remote workers. Mature websites often host bait-click functionality that delivers malware to endpoints. Newer variations of these types of attacks try to blackmail visitors using adult websites with personalized threats. These ‘sextortion’ scams create significant personal and professional risks for employees.Â
Learn More: 3 Cybersecurity Considerations to Secure Your Remote Business
Limited Oversight Increases Shadow IT
A lack of oversight has encouraged many employees to use personal cloud storage accounts or download unauthorized productivity software. Under normal circumstances, shadow IT is the product of overly restrictive security policies, but that may not be the case in this instance. In companies’ haste to rapidly adopt SaaS platforms, many employees either weren’t adequately trained or saw their favorite apps and tools left by the wayside. Employees in this situation often use unauthorized software or plug-ins that require them to upload sensitive data online that can create vulnerabilities within an enterprise’s security posture. A growing number of employees even backup corporate data to their personal Google, Dropbox, or Box accounts.Â
Using personal apps for business is risky for enterprises as sensitive data is now outside of their purview and subject to employees’ data security capabilities. Further, the organization is at risk because this practice may even violate data handling requirements in their customer and partner contracts.
Employee risk will never go away entirely, but businesses can implement policies and technologies to help support their ‘human firewall.’ Risky behaviors don’t correct themselves; security leaders must coach employees. While users cause the majority of security breaches, it’s not typically an intentional act. Educated employees are a powerful resource for security leaders that must identify and remediate security threats and protect sensitive data.Â
Let us know if you liked this article on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!