Half of IT pros say remote workers are evading security precautions
Many organizations’ security measures aren’t only circumvented by hackers. They are also circumvented by remote workers.
In a report on remote workforce security released on Monday, 52 percent of U.S. IT and cybersecurity professionals surveyed said remote employees found workarounds to organizations’ security policies.
In addition, Cybersecurity Insiders and Axiad, a trusted identity solutions provider based in Santa Clara, Calif., found that remote workers were least likely to comply with multifactor authentication (35 percent), mobile device managers (33 percent), and password managers (26 percent).
“This means that even if a company has invested in strong authentication technology such as multifactor authentication, they are still at risk unless they can encourage employees to comply with their policies,” the report noted. “This is even more challenging with a remote or hybrid workforce, as employees are not in the office to work with their IT team to deploy and use new technology,” it concluded.
The threat of insider attacks is on the rise
Employees do not always have their employer’s best interests at heart when they end-run security policies and protocols.
As employers have less visibility into what employees access, employees have taken risks with company assets, such as stealing sensitive data for personal gain or use.
Employees are using company devices that depend on network security controls, such as email gateways, web gateways, intrusion detection systems, or firewalls, to safeguard them.
The devices are now connected to the public internet, so most of those protections are practically useless.
Discouraging bad behavior
Is there a way to discourage employees from circumventing security policies?
The best way to achieve this goal is to use minimal friction security policies.
The employee will not be able to bypass the security if it is invisible.
If you make security easy for your users, or even transparent, they will be more likely to adhere to your policies.
Yet there will always be people with malicious intent that need to be guarded against. To be able to identify and respond quickly to malicious activity, it is essential to monitor and audit users’ activities regularly.
The employees circumventing security policies typically do not do so maliciously.
They want to accomplish their tasks efficiently, and they see security as holding them back.
Most employees won’t intentionally violate security policies.
Sometimes users don’t know how to do something correctly. Other times, they know how to do it, but it’s impossible.
End-users find it difficult to comply with security policies sometimes. Whenever it becomes impossible to do things the right way, they choose to do them however they can.
Consider how two-factor authentication could be implemented. The user can authenticate from a notification by clicking a link, or a code can be required instead. The one-click approach is easier for the user than entering a code.
Trying to do the right thing
To be more productive, some employees may think they must overcome their organization’s security.
An employee may be used to having access to files and applications that are not remotely available.
When that occurs, a worker might try to circumvent network restrictions to regain the access they were used to at the office.
Employees will often try to sidestep policies if they do not understand the reason for them.
They may believe it is just an extra step or an unnecessary obstacle that interferes with their work.
They may even begin to resent the policy or organization if the extra work is significant enough.
The majority of employees do not realize how much the modern threat landscape matters, or they may believe that they are too small to be targeted by cybercriminals, a misconception that often leads to big problems.
Making Lemonade Out of Lemons
We shouldn’t be surprised that employees find workarounds to security policies, since we want our employees to be clever and creative.
The recommendation is to tap into the creativity that circumvents security controls.
It is imperative that employees share their circumvention methods with the security team, not so that the security team can block them outright, but so that the security team can work to find or build safer, paved paths that will make employees more productive.
Security teams can build trust by keeping security simple, open, and collaborative, enabling and rewarding employees so that they feel comfortable disclosing how they circumvented a security control. The Manifesto for Modern Cybersecurity states that transparency should override mystery, practicality should override process, and usability should override complexity.