Ever-present in all attack chains is one factor that technology struggles to mitigate: humans. Unpredictable and hard to secure at scale, people present a far more reliable attack vector than any exotic vulnerability. The added problem 2020 has brought many IT teams is remote working and keeping businesses safe while everyone sits comfortably at home.
Research reveals risky remote working behaviour
We dug into this in our recent industry report, which asked 300 IT security leaders about the state of modern security.
Questions to security teams about how much they trusted users presented an interesting dichotomy. While 73% of them said they trusted employees to follow advice, 87% said that most threats could be prevented if employees followed best practice.
Reading between the lines, this perhaps shows the kind of simmering frustration many security teams have for the user.
Diving into some of the data reveals why. Since lockdown, 67% of respondents had noticed their employees undertaking unsanctioned activity on work devices and networks. For example, 35% of employees were seen using streaming services such as Netflix or Amazon Prime Video, which doesn’t exactly speak volumes for policy adherence.
The age-old sin of reusing work credentials for personal accounts, such as social media and gaming sites, was also present in 34% of security teams quizzed.
Given such services can be breached en-masse, this presents a significant opportunity to an attacker who will typically identify work email addresses from any stolen cache and use them to launch targeted attacks.
This particular risk is underlined by the fact that a significant 86% of people agree email security threats have become more sophisticated over the last decade, spiking in volume by half over the lockdown period. It is clear threat actors agree people are the best point of attack.
However, while it may be the enabler for many problems, security leaders are positive on the power of the cloud to help them resolve these issues. Many of those questioned detailed how it had enhanced organisational capabilities for increasing security, with 72% agreeing that it put them in a strong position to deal with cyber threats. Only 10% said it has made security worse.
How to reduce the risk from hazardous remote working behaviour
First and foremost as a business you need to provide the best security solutions available to be able to protect your workforce from the different number of threats. Modern email security, capable of protecting employees against the growing volume of sophisticated Business Email Compromise and Account Takeover attacks, for example, is the front-line of such an approach.
Multi-layered protection that combines algorithmic analysis, threat intelligence and executive name checking, as well as traditional pattern-matching technologies, is needed to effectively protect from advanced targeted attacks, halt multi-channel attacks starting over email and stop more scattergun spam. It’s also advisable to put extra rules and policies in place to protect high-value targets.
In today’s cloud application-heavy workspace, a CASB should also be considered to help stop employees from carrying out malicious, or unintended, sharing of sensitive data.
As Ragnar Heil, Microsoft MVP, says in the report: “You need tools in place to control unintended data breaches. Use a CASB to block user actions that could later cause a data breach – like sharing organisational data externally.”
Such technology will allow teams to apply rules and policies to individuals, or specific groups, dictating exactly what data they can access and share while using everything from Google Docs to Dropbox.
Relying on user credentials to log into just about every business service in use is now the norm. So, protecting access to those accounts should be too. An adaptive MFA is a valuable tool to help mitigate the risk presented by remote employees who insist on using company credentials to sign up for non-work services. MFA ensures stolen credentials cannot be used to gain access to your organisation’s environment, challenging the user based on contextual flags like change in location or device, and providing adaptive delivery of session-specific, real-time generated one-time passcodes.
This makes it very difficult for attackers with stolen credentials to access company applications and services.
However, to ensure the business is protected on all fronts, employee education should be incorporated in with the overall security strategy. It is important organisations run regular, ongoing awareness campaigns with employees to outline and ensure adherence to company cyber security policy, and bolster this with educational messages delivered by security services. Regular training should also be held to make people aware of emerging threats such as new phishing techniques; how to spot them and what to do when they think a malicious link has come in.
For a deeper understanding of how security teams view the threat from the user, download the report here. As we adapt to new and more flexible ways of working mid-long term, it should provide a useful insight into how you can use security to empower, rather than inhibit, large remote teams.