- With people using their work devices to access personal online accounts, companies have an obligation to increase security awareness training. Six in ten users experienced at least one cyberthreat in the last year, including scam calls and phishing, according to a Bitdefender survey of more than 10,100 global participants collected in June. The survey, released Tuesday, included data from users between 18 and 65 years of age.
- While the majority of respondents use their personal phone to access personal online accounts, at least 37% use their work laptop, desktop, or smartphone to do so.
- Fifteen percent of participants reported no use of any online security product or service, while 30% do not use antivirus software for their mobile device, whether phone or tablet.
Despite the rapid shift to remote work, the personal security habits of employees have not changed much since pre-pandemic. Users still recycle their passwords, or don't update them, despite a spike in more online accounts.
Bitdefender found the primary method for password management for more than half of users (52%) is memorization. One-third of respondents use the autofill option on their devices, and 28% write them down in a physical format. Just one-quarter of respondents use a password manager.
But password managers are more likely to be used on work devices, not personal ones. "In the consumer space, the end user is in charge of choosing their own defense mechanisms and policies," said Alex "Jay" Balan, director of security research at Bitdefender. This is not the case for enterprises.
"No matter how much security training is applied, the sheer volume and diversity of users in a corporate setting, make it mandatory to operate under the assumption 'you can't trust anyone,'" Balan said. "As strange as it sounds, in the case of a security incident in the enterprise, you can't blame the user."
While personal behaviors were not entirely influenced by remote work, security organizations changed for the better. "It enforced better monitoring tools, better security tools as, indeed, the way users accessed company resources has fundamentally changed," Balan said. The only issue was that these changes were done "on fast forward," which is why some cyberattacks still slipped in.
Consider the July 2020 Twitter hack. It's an example of how a lapse of employee judgement and a successful social engineering campaign led to malicious lateral movement. Or employees are duped onto a malicious website, where malware can now run. "Are your defenses like EDR or XDR able to detect and alert the instant the user is compromised?" said Balan.
Balan recommends companies actively search for "blind spots" in their infrastructure.
Credential stuffing scenarios, for example, are indicative of using compromised passwords, typically exposed in another breach. It's "likely they are using them on the corporate network, maybe slightly modified by just one character at the end," said Balan. "It's 2021 and there are still authentication forms that don't have MFA mandatory. Do you have MFA mandatory absolutely everywhere? You should."
MFA is a corporate security practice that users will have to use if they intend to access work data from their personal devices. "Anything that touches even a little bit [of] corporate data has to be managed by the organization's security team," Balan said. Companies cannot dictate user security behaviors online, but they can influence them with basic training.