Study: Employee personal devices pose risk to corporate data
Trend Micro has released the results of its Head in the Clouds survey, which revealed how smart home devices and their apps represent a major weak link in the corporate cybersecurity chain, as the lines between work and home life are increasingly blurred. The company surveyed more than 13,000 remote workers across 27 countries to learn more about the habits of distributed workforces during the pandemic.
The survey found that 36% of Australian workers use personal devices, such as smartphones, tablets and laptops, to access corporate data, often via services and applications hosted in the cloud. These devices may be less secure than corporate equivalents and exposed to vulnerable IoT apps and gadgets on the home network. Almost half (41%) of remote workers in Australia surveyed did not have basic password protection on all personal devices.
Dr Linda K Kaye, a cyberpsychology expert, said the fact that so many remote workers use personal devices for accessing corporate data and services indicates that there may be a lack of awareness about the security risks associated with this.
“Tailored cybersecurity training which recognises the diversity of different users and their levels of awareness and attitudes around risks would be beneficial to help mitigate any security threats which may derive from these issues,” Dr Kaye said.
The survey found that 49% of Australian remote workers have IoT devices connected to their home network, with 8% using lesser-known brands. Many of these devices have well-documented weaknesses such as unpatched firmware vulnerabilities and insecure log-ins. These could allow attackers to gain access to the home network, then use unprotected personal devices as a stepping stone into the corporate networks they are connected to. Malware infections picked up at home and brought into the office via unsecured personal BYOD devices present further risks to enterprise networks post-lockdown.
The survey found that 68% of Australian remote workers connect corporate laptops to the home network; while these devices are likely to be better protected than personal devices, there is still a risk to corporate data and systems if users are allowed to install unapproved applications on these devices to access home IoT devices. Bharat Mistry, Principal Security Strategist at Trend Micro, noted that IoT has empowered simple devices with computing and connectivity, but not necessarily adequate security capabilities.
“They could actually be making hackers’ lives easier by opening backdoors via which they could compromise corporate networks. This threat is amplified as an age of mass remote working blurs the lines between private and company devices, putting both personal and business data in the firing line. Now more than ever, it is important that individuals take responsibility for their cybersecurity and that organisations continue to educate their employees on best practice,” Mistry said.
With more BYOD connected to home networks amidst the pandemic, it is concerning that almost half of Australian remote workers have IoT devices connected to these networks, providing a direct route for cybercriminals to access corporate networks.
“As remote working becomes the norm, organisations must enforce clear policies on acceptable device usage to combat threats caused by smart home networks and personal devices. Education and awareness training is also encouraged to ensure employees are across best practice security including identifying email threats, malicious files and malicious URLs,” said Ashley Watkins, Managing Director, Commercial, Trend Micro ANZ.
Employers are urged to ensure their remote workers are compliant with existing corporate security policies. If needed, companies should refine these rules to recognise the threat from BYOD and IoT devices and applications. Companies should also reappraise the security solutions they offer to employees who use home networks to access corporate information. Shifting to a cloud-based security model could effectively alleviate many home working risks.