When the work computer is the personal computer
With so many people working remotely, the line between employees’ work and personal lives is more blurred than ever before. With the widespread adoption of laptops and the expectation that some work would be done at home, the company PC has become the de facto home computer, used for everything from school projects to applying for other jobs.
A new study from Mimecast indicates that 74% of South African respondents admitted to extensively using company devices for personal matters, including private e-mail (66%) and online shopping (51%).
Duane Nicol, cyber security specialist at Mimecast, explains that because many workers don’t have laptops of their own, they end up using their work devices for personal activities. “It’s probably for this reason that we see that younger people are more likely to use their work devices for personal use. Seventy-nine percent of respondents in the 16-24 age group worldwide reported using their company-issued devices for personal use as opposed to 42% of those older than 55.”
He adds that because more people are working from home, increasingly reliant on online services to stay in contact with friends and family, they’ve been using their work device more and more for personal activities.
“This is not without risk,” he says. “Not only are home environments inherently less secure than the office, but as people return to the office, they’re not about to stop doing what has now become second nature. This means that the already overstretched security teams are going to have to implement policies to mitigate this risk.”
Cyber criminals are quick to take advantage
One trend during COVID has been the rapid shift of cyber criminals to focus their efforts on people isolated by lockdowns, or newly working from home. Phishing, together with the lower security on home networks, poor password management and lower awareness around information protection, has created more opportunities for criminals than exist when the devices are secured behind a corporate network.
“Our research showed that more than 33% of South African respondents were downloading and installing software for personal use, emphasising the importance of implementing some basic policies around device usage. While it won’t solve every problem, restricting the privileges that staff have on their work machines severely limits the potential for malicious software being installed,” says Nicol.
Proper cyber security awareness training remains critical to successfully protecting organisations and users from malicious activity. “Sadly,” he says, “many education efforts fall on deaf ears, the content is boring and not memorable, it’s not regular enough or it’s simply too long to keep the audience interested. Users either ignore requests to complete cyber security training or simply ignore the supplied information. However, we see that the combination of training and innovative education strategies empowers users to make better decisions around their personal cyber security.”
He adds that the risks should never be downplayed. “Our State of Email Security Report, published earlier this year, indicated that 45% of SA organisations were impacted by ransomware in the last 12 months, 44% were hit by an attack spread by an infected user, and 76% experienced downtime due to a cyber attack.”
Companies are continuing to bolster their cyber defences, looking towards a combination of traditional security measures and new technologies, including cloud-based cyber security systems, to minimise the risk of becoming another statistic.
“Security vendors are constantly introducing new capabilities, but technology on its own isn’t enough, because it still relies on companies to adopt and embrace it. This is a costly exercise, especially considering the ever-widening global skills gap.”
Technology alone won’t solve your security challenges
Nicol comments that there are some key actions that IT teams can take to minimise the risks they face:
- Emphasise that users are part of the solution, rather than continuously labelling them as the biggest risk. Organisations need to make security a part of their culture and provide engaging, bite-size chunks of information that people can use, rather than classroom or e-mail-based learning.
- Evaluate all technologies within your organisation and establish where you can get more value through integration. We’ve seen that customers who take advantage of these integrations maximise their investment, by allowing security information to move seamlessly between systems.
- Assume that all your employees will use company devices in their personal capacity and evaluate your strategies based on this. You’re not going to be able to stop this so rather find ways to de-risk it.
There is no strategy or technology that can guarantee your organisation will be secure. However, by taking advantage of the investments you’ve made and assisting your users to be part of the solution, it’s possible to mitigate many of the most severe risks.