Organizations still rely on weak security for remote workers
A new survey of enterprise IT security leaders showed almost 80 percent believe remote workers are at more risk for phishing attacks now because they’re isolated from their organizations’ security teams.
Despite the significant threat increase, more than 59 percent of respondents felt solutions such as video training (27%), email reminders (20%), and VPNs (12%), were sufficient solutions by themselves to keep organizations safe from what those surveyed said were the biggest security breach fears: damage to brand and reputation, and legal jeopardy.
A question about threat literacy among remote workers found that 81 percent of IT leaders felt their employees understood that 90 percent or more ransomware attacks originated through email phishing. Eighteen percent felt their employees didn’t know that, or didn’t know if employees understood the threats caused by email phishing attacks.
Steps IT leaders took over the past 12 months to mitigate the growing danger to remote workers included video training courses on how not to fall victim to a phishing attack (27 percent); the deployment of anti-phishing software (26 percent); regular email communications to workers to be vigilant (20 percent); one-on-one (by video conference) training with new employees (13 percent); deploying a VPN (12 percent). Two percent of those polled felt employees already knew enough not to open suspicious-looking emails, or links they didn’t trust.
Asked if these counter measures were sufficient to protect remote employees from phishing attacks, the overwhelming majority of IT pros—79 percent – felt they were. Just 15 percent said no. Asked if employees understood different types of phishing attacks, such as business email compromise or domain spoofing, almost 50 percent of respondents said “very well,” 39 percent said “quite well,” and 10 percent said not quite well. “Not at all” and “I don’t know” scored 1.25 percent and 1.5 percent, respectively.
Only 52 percent of those surveyed felt their organization understood which areas of the business were the most vulnerable to attacks. The rest of the respondents answered “quite well” to “I don’t know,” leaving a large gap in understanding which employees from what departments within an organization were the most at risk.
Despite the confidence in their organizations’ preparedness against the increase in sophisticated phishing threats to remote workers, 76 percent of IT leaders admitted their organization would pay, or was likely to pay a ransom if their entire system was locked down through malware. Twelve percent said their company was unlikely to pay, 7.25 percent said their employers would not pay, and 5 percent didn’t know.
“This survey has uncovered a complex situation wherein IT leaders understand threats to their remote workers have grown significantly worse, yet they feel the organization is protected well enough against them through weak solutions or in some cases, just email reminders,” said Tony Pepper, CEO of Egress. “This shows that there is a lot of trust given to employees, who are suddenly shouldering the burden of not falling victim to what has become an exponentially worse threat environment.”
Why do you think employees are more vulnerable to targeted phishing attacks as remote workers (in order of importance):
- More removed from the org’s security team
- Distracting work environment
- Working from multiple or personal devices
- Pressure to appear more productive
- Phishing attacks have become more sophisticated
What level(s) or your organization is/are responsible for protecting IT systems and infrastructure:
- CISO – 367 respondents
- CTO – 152 respondents
- IT Department – 605 respondents
- Other – 21 respondents
The poll was conducted in July, 2021 and surveyed 800 technical staff and executives from companies across the U.S. and U.K. Company sizes ranged from 250 to more than 5000 employees across healthcare, legal, finance, government, and the information services industries. All respondents either had ‘responsibility for IT systems security’ within their organizations, or were part of a team with responsibility for IT systems security. Seventy percent of the companies are privately held, 30 percent are publicly traded.