A False Sense Of Security

A decentralised workplace creates an attractive target for cybercriminals. The use of personal devices, a lack of privacy and the use of new, unfamiliar technology all provide fertile ground for those looking to profit from cybercrime. The volume and sophistication of cyberthreats continue to grow, aggravated by human errors, typically caused by lack of awareness or training.

In the face of these risks, organisations seem confident in their security posture. However, the EMEA survey shows that this confidence is misplaced, as a surprisingly high number of respondents are failing to take advantage of modern security tools and practices.

 

The biggest security concerns

Almost 60% have seen an increase in phishing emails or text messages in the last 12 months. One in five organisations has fallen victim to an attack. These numbers may be even higher, as between 23% and 29% of organisations could not or would not say whether they had noticed an increase. If an attack remains undetected, sensitive data is at an even greater risk because countermeasures are taken far too late, or not taken at all.

Phishing (71%), human error (56%) and ransomware (47%) are seen as the top three security threats in the next 12 months. These concerns are linked. For example, phishing attacks are becoming more sophisticated and more difficult for employees to detect. This is particularly prevalent on mobile devices, where the user is working on a smaller screen, may be distracted or multi-tasking, and where URLs and email addresses cannot be verified as easily.

 

A lack of basic, important security measures

Against a backdrop of growing and evolving cyberthreats, it is clear that organisations need to review their remote working security measures. They also need to do more to protect their data and assist their employees in thwarting potential cyberattacks, as our survey shows that many organisations lack important security measures.

Just over one-third (37%) of organisations have a mobile threat defence solution in place, despite phishing being considered the most serious threat for the coming year. Only that same percentage of respondents performed regular penetration and vulnerability testing for mobile devices.

In addition, more than half of respondents (58%) allow the use of third-party app stores (other than the Apple Store and/or Google Play Store), a common way for malicious applications to find their way to sensitive corporate data. This is a serious concern, as one out of two organisations does not have any Data Loss Prevention controls in place to prevent this data from being copied.

When it comes to basic security measures, such as the use of VPNs or Multi-Factor Authentication, the situation is better, but still far from adequate. One out of five respondents is still not making use of either. Of those that have introduced or plan to introduce a Unified Endpoint Management (UEM) solution, just over one-third (35%) do not use any advanced mobile security and data protection features. This indicates a missed opportunity to improve security.

 

It’s all about creating awareness

Human error was identified as the second-biggest anticipated cyber threat in the coming 12 months. Awareness is an important factor in averting potential security threats, particularly in relation to phishing and social engineering. Yet one-third (33%) of organisations have not provided any kind of mobile security awareness training to their employees.

 

Misplaced confidence in security

Our study shows that respondents’ confidence in their data security is high, with almost three quarters (73%) either very confident or fairly confident in their ability to secure corporate data on remote or mobile devices. However, this confidence may have been misplaced, as 39% indicate that they are not aware of any mobile security awareness training being delivered in their organisation.

 

Our recommendations

There are still different security standards, and security technologies, for different device types, with security teams typically applying less stringent controls on mobile devices. Cyberattacks – especially phishing attacks – are steadily increasing and becoming more sophisticated. The rapid implementation of remote working practices due to the COVID-19 pandemic has opened up new vulnerabilities. Companies are not doing enough to protect their data and raise employee awareness of security issues. Organisations should therefore:

  • Adopt Zero Trust security principles wherever possible. These should be supported by clear policies on who, when, how and with which device corporate data and applications can be accessed.
  • Introduce a clear separation between corporate and personal data, with sufficient security standards for both.
  • Use an integrated tool, ideally a UEM platform, to centrally manage and secure all endpoints. This ensures that devices are configured to comply with security policies, that secure apps and software updates are deployed, and that corporate data can be wiped from devices when necessary.
  • Use VPNs to ensure that data exchanged between employee devices and the organisation’s network is encrypted and secure.
  • Adopt technologies that can detect and identify risks before they cause damage. For example, technology to detect phishing attacks or malicious apps, or to protect digital identities, could significantly reduce the risk posed by careless employee behaviour.
  • Educate employees through regular, mandatory information security awareness training and exercises such as simulated phishing attacks, to inform them of best practices and help them to identify and report potential security incidents.

Read the full report

Providing a robust security posture is key when looking to roll out a future-proof modern workplace. Ready to get started? Download our free report for tips and tricks on how to enhance modern security without sacrificing employee experience.