Employees working from home on a company-provided computer are demonstrating a clear lack of cybersecurity knowledge through high-risk behavior, according to a report released last week by US-based IT security company Ivanti. The 2021 Secure Consumer Cyber Report found that one in four consumers admit to using their work email or password to log into consumer websites and applications, such as ones for online shopping or food delivery.
The survey found that consumers are neglecting to implement fundamental security safeguards across smart IoT devices at home, which could have serious security ramifications for both the individual and the enterprise amid increased and ongoing remote work spurred by the COVID-19 pandemic. Because consumers often recycle passwords, the report findings indicate enterprises are at risk every time credentials are stolen from breached consumer websites. That makes it paramount for organizations and consumers to ensure there is a separation between login information used for work and personal apps or websites, Ivanti said.
The Secure Consumer Cyber Report surveyed 1,000 Americans working from home amid the pandemic on a company-provided computer to examine how consumer and enterprise cybersecurity habits have changed. The report also revealed that companies have taken steps to shore up cybersecurity. However, nearly one in four companies still fail to follow the Zero Trust security best practices, such as multi-factor authentication requirements and corporate workspace segregation policies, necessary to stay ahead of the attack curve, according to the company.
"The FBI issued a warning about an increase in credential stuffing attacks in September 2020 and yet consumers are still using work emails and passwords to log in to consumer apps and websites, putting the enterprise at significant risk of a credential stuffing attack," said Phil Richards, CSO at Ivanti.
"Given the increase in data breaches of consumer-based companies and online communities, it is very likely that enterprise email and passwords are already exposed on the dark web. Companies across all industries must implement a Zero Trust model to ensure that entities accessing corporate information, applications, or networks are valid and not using stolen credentials."
According to the company, the findings indicate enterprises still have work to do heading into 2021 in critical areas such as:
- Secure access tools: 30% of respondents said their organization does not require remote workers to use a secure access tool, such as a VPN.
- Security software: 28% of employees said they were not required to have specific security software running on their devices to access certain applications while working remotely.
- Password updates: 24% of companies do not require their employees to update their password every six months or use a one-time password generator.

Enterprises will continue to face an expanding attack surface as the surge of consumer devices in the workplace persists into next year and beyond. Automated access enforcement rooted in a Zero Trust framework of discovery, authentication, verification and segregation is essential to mitigate these IoT risks.