As of March 2020, nearly 60% of “knowledge workers” have been working from home, roughly double the number in 2019. While this has represented a major cultural shift for many workplaces, it has also opened the door to a wide array of hacking and phishing schemes. One of the primary issues is that many workers are using their personal, and often unsecured, devices to access crucial and sensitive data at work.
“[T]he short-term capital savings... is easily outweighed by the expense and reputational damage to an organization that’s possible when an employee clicks on malware, a phishing scam or other compromising media,” says CyberScout founder and chairman Adam Levin. “There are too many variables, and any personal device that connects to the company network where sensitive data is accessible has to be considered a liability, be it a phone, tablet or computer. Further, any cost savings may be negligible after the cost of security cleanup is factored in.”
Employees who provide their own hardware are often subject to significantly less oversight of what software is installed on their devices, and may be sharing devices with children, who are easier targets for phishing and hacking.
Many companies that do provide their employees with devices neglect to install updates in a timely manner. A recent survey from DSA Connect found that 13 percent of workers use hardware that has not been upgraded for anywhere between three and five years. Older and unpatched hardware can represent a large part of an organization’s attack surface.
“I understand why employers don’t necessarily want to spend money on upgrading their technology and many will be under pressure to cut their budgets due to the financial strain caused by coronavirus. However, they should not only assess the impact on employee productivity from not upgrading, but also the greater risk they face of suffering a cyber-attack and a serious data breach,” said DSA Connect Chairman Harry Benham.
The problem isn’t confined to hardware, either. Pirated and/or unlicensed software used by employees can also expose corporate networks to malware and leave them less secure.
“[M]any companies have a ‘don't ask, don't tell’ policy when it comes to unlicensed software,” said Levin. “If a business owner has an employee who is able to get their work done, there's not a lot of incentive to intervene or check if they've paid for all of the software used to do that work… any business depending on software it hasn't paid for is being penny wise, because the cost of a compromise can be astronomical--if not an extinction level event.”
Companies, especially those with remote workforces, should be willing to provide work-specific devices to employees. Doing so gives the company a greater level of control over whether the device is being used securely, and mitigates many of the risks of BYOD (bring your own device) workplaces.