The global response to the COVID-19 pandemic has accelerated several trends. More employees than ever are working from home. New remote workers are in an undiscovered land – sheltering in place with spouses, kids, friends, extended families, online delivery services and more. And cybercriminals are using our focus on the pandemic to intensify phishing attacks.
As a company dedicated to securing billions of transactions and identities every day, we wanted to explore how employees were handling the cybersecurity challenges that come with remote work at such a large scale. Our Remote Work Cyber Security Survey of 1,000 US professionals revealed key data security challenges, habits and attitudes experienced by employees working from home.
Maybe it shouldn’t be surprising that many employees are not following best practices to secure passwords from online hackers or members of their own households. An astounding 42 percent of employees surveyed still physically write passwords down, 34 percent digitally capture them on their smartphones and 27 percent digitally capture them on their computers. Additionally, nearly 20 percent of the employees surveyed are using the same password across multiple work systems, multiplying the risk to sensitive data if one password is compromised or stolen.
The human factor is critical. The survey responses highlight that employees surveyed are well aware both of phishing scams in general (82 percent) and of phishing scams specifically related to COVID-19 (81 percent). But far too many open their organizations and themselves to attack:
- 45% say they have received a COVID-19-related email from an unknown sender;
- 24% say they’ve clicked on a link in a COVID-19-themed email before determining its legitimacy;
- Just 36% deleted the suspicious COVID-19 email;
- Only 12% reported the suspicious COVID-19 email to their organization.
Given the tools and scale available to bad actors and cybercriminals, these are pretty good odds in their favor.
So, what’s an organization to do?
Encryption combined with advanced authentication can provide employees the simplicity they want and the zero trust safeguards companies require. Today, a corporate security perimeter is less relevant than ever, so companies should implement robust multifactor authentication, which adds an extra layer of protection by requiring additional credentials to enable remote access to company networks. If a cyber-attack, such as a phishing email, exposes employee passwords and usernames, multifactor authentication could prevent an attacker from successfully accessing the account, because it requires other forms of proof that you are who you say you are.
The other way to overcome poor password practices is to go passwordless. Passwordless solutions that leverage smartphone biometrics can deliver the frictionless experience employees seek and the confidence organizations require. Organizations can also go beyond the passwordless experience to deliver true passwordless authentication with a credential-based implementation that merges the security of smart cards with the convenience of employee smartphones.
If you are interested in learning more ways to secure your remote workforce, consider the resources below: