Data Shows Careless Employee Behavior Make the Holidays the Most Challenging Time of Year for Enterprise Security Teams
The holiday season is fraught with consumer fraud. Holiday shoppers - both in-store and online - open themselves up to substantially higher risk without even knowing it. However, what doesn’t get as much attention is the vulnerabilities that are created within enterprise organizations. Meaning, when employees choose to use work-issued devices and corporate network resources (WiFi) to do their holiday shopping online, security teams have a massive challenge with this surge in browsing and in online transactions. For many companies, it's a matter of when, and not if, that compromises occur.
This time of year features a substantially higher bandwidth and resource consumption rate, both inside organizations and outside, as professionals surf and shop online. As people flood the internet during this season, the risk increases by order of magnitude.
The team at Morphisec decided to take a closer look at how enterprise cyber threats increase during the holiday season by examining whether or not professionals’ interaction with their enterprise’s network and endpoints change during the most wonderful time of the year.
To do so, we commissioned the Morphisec: Holiday Impact on Enterprise Security Survey, a study administered to 1,000 US working professionals between the ages of 25-64 and weighted for the US population by region and gender, and also part of our Threat Index Series of surveys examining cyber trends and perspectives. Here’s what we found:
- 47% of employees will use their personal devices for work-related activities.
- About half of professionals will use a work-issued computer or mobile device for online shopping or gift searching.
- Government and education workers least likely to use a work-issued device for online shopping, most likely to take precautions when doing so.
The Troubling News: There’s a Blurred Line Between Work & Personal Devices
While bring your own device (BYOD) policies continue to rise across enterprises, the holiday season is a time where the back-and-forth use between work and personal devices further blurs without the proper oversight of cybersecurity teams.
Of employees that have the option of working remotely, one-in-four working professionals said they will work remotely more frequently over the holiday season. Furthermore, 47% of employees will use their personal devices for work-related activities as they travel during the holiday season. Are employees protected from advanced attacks while on their work-issued device but outside the corporate network?
Unless patch management policies extend to personal devices, those phones, tablets and laptops are much more likely to demonstrate significant security loopholes in the form of unpatched application vulnerabilities and un-updated security software that is easy to exploit. To make matters worse, employees are likely connecting their devices to unsecured WiFi during their travels, or just through activity on their machines at home.
Those that work in the real estate industry (65%) were the most likely to note they will use their personal devices for work-related items as they travel during the holiday season, while those in the finance & insurance industry were the least likely (40%).
Gift Searches & Online Shopping Continues to Shift to Work Devices
With shoppers now buying more of their gifts online rather than in physical stores, it’s not a surprise that there continues to be an increase in workers using the connected devices they’re in front of the majority of the day (work devices) to undertake their gift searches and online shopping.
Our survey found that 49%, or about half of professionals will use a work-issued computer or mobile device for online shopping or gift searching at some point this holiday season. The findings are mostly in line with a recent Robert Half survey that found well over half of IT employees nationally plan to make online purchases from the office this season.
A recent CSO Online report found that 40% of cyber attacks committed by an organization insider were said to be unintentional or accidental. During the holiday period, it is essential for organizations to plan for increased traffic and protect themselves from workers that may accidentally hit malicious sites. This means the firewall needs to be tuned and equipped to inspect a higher volume of packets which could contain infected code.
When for example, Bob in accounting visits a site that he thinks is safe to shop at, but in reality it isn't protected or is already compromised, it is critical for an organization to have a well-architected whitelisting policy as well as the ability to monitor traffic to prevent threats that may make their way onto the user's machine.
Interestingly, the survey found that men (53%) were more likely than women (46%) to say they would use a work-issued computer or mobile device for online shopping or gift searching at some point this holiday season. When looking at the results by industry, those who work in the real estate industry were the most likely (76%) to say that they’d do so, followed by finance and insurance (56%).
Those who work in government and education, an area that typically has rigorous IT oversight, were the least likely to say they would use a work-issued computer or mobile device for online shopping or gift searching at some point this holiday season (45%).
The Good News? Employees Report They’re Taking More Precautions
The good news is that with the increase in the use of personal devices for work, and the use of work devices for personal activities, professionals seem to be taking more precautions.
In fact, 60% of employees say they take precautions ‘all the time’ when using a work-related computer or device to avoid becoming a victim of a cybersecurity attack. On the other side of the equation, 40% of professionals say they take precautions only sometimes or never, which actually makes the case for the fact that people think they will never be subjected to a real attack.
Looking at the breakdown by industry, government employees were the most likely (72%) to report that they take precautions ‘all the time’. Somewhat surprisingly, the finance and insurance industries had the second highest percentage (21%) of professionals saying that they never take precautions when using a work-related device. That could be a scary stat for security professionals in the financial securities market, which has proven to be more vulnerable to short-term cyberattacks based on the value and volume of data at risk to be exfiltrated.
With 1,579 data breaches exposing nearly 179 million records last year, and the fact that we are entering the fraud-filled holiday season, the increased vigilance noted by our respondents is a further sign that data security has become top of mind for the general public, not just the CISO and his team. It means consumers are starting to take the minimal steps necessary (perhaps) to start conducting transactions more securely. Maybe.
Whether traveling for the holidays and using a personal device to get some work done, or taking a break in the office to get some of your holiday shopping done, there are some steps that you can take to keep you and your organization safe from those who might not be making Santa’s “Nice” list this year:
Holiday Season Cyberattack Prevention Wish List
4 Tips for Professionals to Avoid Becoming the Weak Link in Their Company’s Cybersecurity
Adware Isn’t Only a Holiday Annoyance: Professionals shouldn’t be lulled into a false sense of security when they stumble across Adware via unfamiliar sites they are trying to shop on as they court the lowest prices. Potentially Unwanted Programs (PUPs) continue to be the largest group of threats prevented by Morphisec, representing 40% of all attacks.
Much of the adware being launched today borders on spyware and, as a threat, should not be dismissed as simply being AdWare. It incorporates sophisticated, evasive techniques that allow it to penetrate more effectively as can be seen by its continual ability to bypass static defenses, often that can trigger once an initial in-road has been established.
Programs Like 1Password Are Worth the Cost: Don't use commonly used or easily guessed passwords. Even if you have a creative password, many attackers are using credential-stealing techniques like keyloggers. They are betting on the fact that many users haven't shopped online since last Christmas, forgot their passwords, and have reset them using easily hackable passwords. Also, don’t use the same password for different accounts.
Nearly 90% of Millennials report reusing passwords across different accounts. This makes it easier for nefarious parties to gain entry to sensitive corporate data that you have access to.
Consider this - your non-Internet-savvy parents probably shop online during one time of year - the holidays. Are they going to diligently change and store updated passwords? Of course NOT! And they’ll use the most commonly used combinations with information that might be easiest to remember. Plus, Amazon has already disclosed a major data compromise as of today!
If an Offer is Too Good to be True, it Could be a Scam: Keep an eye out for fake coupon offers on social media and emails. To stay safe, always go directly to a verified source to see if the company is actually offering whatever promotions you've received elsewhere. You can also check for branding inconsistencies and hover over links to see where they'll take you. If you are unsure of a website or offer, don't engage with it!
As You Work from Home, Keep A Critical Eye Towards Who is Sharing Files: Working from home and remotely over the holiday season doesn’t just mean professionals are using their personal devices for work activities more. It also means collaborating with coworkers and sharing documents becomes more piecemeal. Keep an eye on who is sharing a file with you and what the file is. Weaponized PDFs are a frequently used technique in cyberattackers’ tool boxes.
Morphisec can help any size security team of any size to prevent advanced threats of any class. Contact us today.