Employees working from home on a company-provided computer are demonstrating a
clear lack of cybersecurity knowledge through high-risk behavior,
according to a report released by Ivanti, the automation platform
that helps make every IT connection smarter and more secure. The 2021
Secure Consumer Cyber Report found that one in four consumers admit to
using their work email or password to log in to consumer websites and
applications such as food delivery apps, online shopping sites and even
dating apps.
The report found that consumers are neglecting to implement fundamental
security safeguards across smart IoT devices at home, which could have
serious security ramifications on both the individual and the enterprise
amid increased and ongoing remote work spurred by the COVID-19
pandemic. As consumers often recycle passwords, the report findings
indicate enterprises are at risk every time credentials are stolen from
breached consumer websites, making it paramount for organizations and
consumers to ensure there is a separation between login information used
for work and personal apps or websites.
The pandemic significantly expanded the enterprise attack surface when
millions of people worldwide began working from home, and organizations
struggled to maintain business continuity and provide secure access to
company resources and tools.
The Secure Consumer Cyber Report surveyed 1,000 Americans working from home
amid the pandemic on a company-provided computer to examine how
consumer and enterprise cybersecurity habits have changed. The report
also revealed that companies have taken steps to shore up cybersecurity.
However, nearly one in four companies still fail to follow the Zero
Trust security best practices, such as multi-factor authentication
requirements and corporate workspace segregation policies, necessary to
stay ahead of the attack curve.
"The FBI issued a warning about an increase in credential stuffing attacks
in September 2020 and yet consumers are still using work emails and
passwords to log in to consumer apps and websites, putting the
enterprise at significant risk of a credential stuffing attack," said
Phil Richards, CSO at Ivanti.
"Given the increase in data breaches of consumer-based companies and online
communities, it is very likely that enterprise email and passwords are
already exposed on the dark web. Companies across all industries must
implement a Zero Trust model to ensure that entities accessing corporate
information, applications, or networks are valid and not using stolen
credentials," said Richards.
Enterprise Security Falls Short in Key Areas
This year we have seen insecure, unmanaged and unsanctioned IoT devices
become a highly popular attack vector at home and work. While the
situation might be better than it was at the start of the pandemic, the
Secure Consumer Cyber Report indicates enterprises still have work to do
heading into 2021 in critical areas such as:
- Secure access tools: 30% of respondents said their organization does not require remote workers to use a secure access tool, such as a VPN.
- Security software: 28% of employees said they were not required to have specific security software running on their devices to access certain applications while working remotely.
- Password updates: 24% of companies do not require their employees to update their password every six months or use a one-time password generator.
Enterprises will continue to face an expanding attack surface as the surge of
consumer devices in the workplace persists into next year and beyond.
Automated access enforcement rooted in a Zero Trust framework of
discovery, authentication, verification and segregation is essential to
mitigate these IoT risks.
The findings in the inaugural Secure Consumer Cyber Report are based on a
survey conducted by Ivanti in November 2020. The survey took place
online and used a nationally representative sample of 1,000 people over
18 working in the U.S.