Employees working from home on a company-provided computer are demonstrating a clear lack of cybersecurity knowledge through high-risk behavior, according to a report released by Ivanti.
Using work passwords for consumer websites
The report found that one in four consumers admit to using their work email or passwords to log in to consumer websites and applications such as food delivery apps, online shopping sites and even dating apps.
The report found that consumers are neglecting to implement fundamental security safeguards across smart IoT devices at home, which could have serious security ramifications on both the individual and the enterprise amid increased and ongoing remote work spurred by the COVID-19 pandemic.
As consumers often recycle passwords, the report findings indicate enterprises are at risk every time credentials are stolen from breached consumer websites, making it paramount for organizations and consumers to ensure there is a separation between login information used for work and personal apps or websites.
The pandemic expanded the enterprise attack surface
The pandemic significantly expanded the enterprise attack surface when millions of people worldwide began working from home, and organizations struggled to maintain business continuity and provide secure access to company resources and tools.
The report surveyed 1,000 Americans working from home amid the pandemic on a company-provided computer to examine how consumer and enterprise cybersecurity habits have changed. The report also revealed that companies have taken steps to shore up cybersecurity.
However, nearly one in four companies still fail to follow the zero trust security best practices, such as multi-factor authentication requirements and corporate workspace segregation policies, necessary to stay ahead of the attack curve.
“The FBI issued a warning about an increase in credential stuffing attacks in September 2020 and yet consumers are still using work emails and passwords to log in to consumer apps and websites, putting the enterprise at significant risk of a credential stuffing attack,” said Phil Richards, CSO at Ivanti.
“Given the increase in data breaches of consumer-based companies and online communities, it is very likely that enterprise email and passwords are already exposed on the dark web. Companies across all industries must implement a zero trust model to ensure that entities accessing corporate information, applications, or networks are valid and not using stolen credentials,” said Richards.
Enterprise security falls short in key areas
This year we have seen insecure, unmanaged and unsanctioned IoT devices become a highly popular attack vector at home and work. While the situation might be better than it was at the start of the pandemic, the report indicates enterprises still have work to do heading into 2021 in critical areas such as:
- Secure access tools: 30% of respondents said their organization does not require remote workers to use a secure access tool, such as a VPN.
- Security software: 28% of employees said they were not required to have specific security software running on their devices to access certain applications while working remotely.
- Password updates: 24% of companies do not require their employees to update their password every six months or use a one-time password generator.
Enterprises will continue to face an expanding attack surface as the surge of consumer devices in the workplace persists into next year and beyond. Automated access enforcement rooted in a Zero Trust framework of discovery, authentication, verification and segregation is essential to mitigate these IoT risks.