Hackers aren’t the only ones evading security measures of many organizations. So are their remote workers.
In a report on remote workforce security released Monday, 52 percent of the U.S. IT and cybersecurity professionals surveyed revealed they experienced remote workers finding workarounds to their organizations’ security policies.
The report, prepared by Cybersecurity Insiders and sponsored by Axiad, a trusted identity solutions provider in Santa Clara, Calif., also found that the top three security policies and protocols remote workers were most resistant to comply with were multifactor authentication (35 percent), mobile device managers (33 percent) and password managers (26 percent).
“This means that even if a company has invested in strong authentication technology like MFA, they are still at risk unless they can encourage employees to comply with their policy,” the report noted. “This is even more challenging with a remote or hybrid workforce, as employees are not in the office to work with their IT team to deploy and utilize new technologies,” it added.
Employees circumventing security policies don’t do it, typically, with malicious intent, explained Axiad COO Jerome Becquart.
“They want to do their work in the most efficient way possible, and they perceive security as getting in their way,” he told TechNewsWorld.
Most employees don’t want to intentionally circumvent security policies, added Jen Kraxner, strategic advisory director at SecZetta, a third-party risk management company in Fall River, Mass.
“Sometimes it’s because they don’t know how to do something correctly,” she told TechNewsWorld. “Other times, they know how to do it, but it’s too hard.”
“Security policies don’t always make it easy for end users,” she continued. “When it becomes too hard for them to do it the right way, they choose to do it however they can.”
She cited the way two-factor authentication could be implemented as an example. One way is to be sent a notification that allows you to authenticate with a click. Another way is to require entering a code. The one-click approach has ease-of-use for the user in mind more so that the entering a code approach.
Oliver Tavakoli, CTO of Vectra AI, a provider of automated threat management solutions in San Jose, Calif., explained that in organizations that take security seriously fewer employees generally think about circumventing security policies.
“But when there is poor user experience — for example, needing to enter a second factor for authentication every time your laptop comes out of hibernation mode; the percentage of non-compliance. such as running software to ensure your laptop never hibernates even when you’re away, tends to rise,” he told TechNewsWorld.
In some employees’ minds, they may think they need to overcome their organization’s security to be more productive.
“An employee may be used to having access to files and applications that aren’t available remotely,” said Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.
“A worker may try in those cases to subvert network restrictions to gain access they were used to having in the office,” she told TechNewsWorld.
Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla., explained that if an employee does not understand the reason for a security policy, or if the organization has a weak security culture, employees will often look to sidestep policies.
“They may believe it is just extra steps they must take to do their job, or needless hurdles interfering with production,” he told TechNewsWorld.
“If the extra work is significant enough, they may even begin to resent the policy or the organization,” he added.
“Employees often do not understand just how significant the modern threat landscape is,” he said, “or may believe that they, or their organization, is too small to be targeted by cyber criminals, a common misconception that often leads to big problems.”
Lemons Into Lemonade
It shouldn’t surprise that employees are finding workarounds to security policies, observed Sounil Yu, CISO of JupiterOne, a Morrisville, N.C.-based provider of cyber asset management and governance solutions.
“We want our employees to be clever and creative, therefore it’s no surprise that employees find ways to skirt security controls,” he told TechNewsWorld.
He recommended organizations tap into the creativity that’s circumventing security controls.
“What is important is that employees share those circumvention methods with the security team, not so that the security team blocks those methods outright, but so that the security team can work to find or build safer, paved paths that enable employees to be even more productive,” he said.
“To build trust across the company so that employees feel willing and safe to disclose how they circumvented a security control, the security team needs to keep security simple, open and collaborative, enabling and rewarding by embracing one of the core principles stated in the Manifesto for Modern Cybersecurity, which is to favor transparency over obscurity, practicality over process, and usability over complexity,” he added.
Insider Threats Increasing
Not all employees, however, have their employer’s best interests in mind when they end-run security policies and protocols.
“Remote work has significantly increased insider threats from employees taking risks with company assets, such as stealing sensitive data for personal use or gain, as employers have less visibility into what employees are accessing,” observed Joseph Carson, chief security scientist at Thycotic, a Washington D.C.-based provider of privileged account management solutions.
“Employees have company devices that were dependent on network security — such as email gateways, web gateways, intrusion detection systems or firewalls — to protect those devices,” he told TechNewsWorld
“Now, most of those protections are pretty much useless because the devices have been moved to the public internet,” he said.
Discouraging Bad Behavior
How can organizations discourage employees from evading security policies?
“Utilization of security policies which have minimal friction is the best way to achieve the goal,” said David Stewart, CEO of Approov, of Edinburgh, UK, which performs binary-level dynamic analysis of software.
“If the security is invisible, then the employee has no incentive to bypass it,” he told TechNewsWorld.
Chris Clement, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz. recommended using incentives.
“Find ways to make security easy or even transparent to your users and compliance with your policies will be high,” he told TechNewsWorld.
“Still, there are always people with malicious intent that need to be guarded against,” he added. “Regular monitoring and auditing of user activities is necessary to be able to quickly identify and respond to malicious behavior.”