An April survey commissioned by CyberArk of 3,000 remote office workers and IT professionals in the United States, UK, France and Germany found that 77 percent of remote employees are using unmanaged, insecure devices to access corporate systems, and 29 percent are letting other household members use their corporate devices for personal activities such as gaming, shopping and schoolwork. Forty percent of IT teams have not increased security protocols despite the massive transition to remote work, yet 94 percent of these IT teams are confident that they can secure their new remote workforce.
This is the latest in a long line of surveys showing that corporate IT teams are too sanguine about the huge increase in challenges they face from the new remote working environment. The disconnect between the clear increase in unsafe cyber hygiene by employees — using unmanaged, insecure personal devices to access corporate networks, and allowing family members to use corporate devices for personal reasons — and the confidence of IT teams that they can keep networks secure should concern C-suites, boards, investors and regulators. The disconnect also helps explain why, according to Mandiant Security Validation, 53 percent of attacks infiltrate corporate networks unnoticed.
Remote work and remote consumption (forcing companies to digitize faster to meet consumers where they are) have massively increased the digitization of companies across industries. This is partly why the message ‘two years of digital transformation has occurred in two months’ has become common in corporate updates. Add to this the increase in hacker activity that has accompanied this increase in corporate attack surfaces over the past few months, and the response by 40 percent of IT teams in this survey that they have not increased security protocols also looks problematic. This combination of lax security awareness and overconfidence that security protocols do not need to be tightened highlights the need for increased staff training on cyber risks and for adherence to the policies and processes intended to manage them. This is the front line of good cyber governance, and it is deficient across many companies that underperform.
Management would be wise to refocus staff and resources on the cyber threat alongside the continued operational and commercial adaption to a digital-first world.