Yubico has released a new report that suggests that many organizations did not take the proper steps to protect themselves when they transitioned to a remote work environment. The results are based on the feedback of 3,006 employees, owners, and executives in France, Germany, and the UK, each of whom worked for (or owned) a company with more than 250 employees, and each of whom used a work-issued device while working from home.
The problem, according to Yubico, is that most of those workers are still using outdated security measures. Fifty-four percent reuse the same password for multiple accounts, and 22 percent are still writing those passwords down. That trend was even more pronounced at higher levels, with 41 percent of owners and 32 percent of executives putting their passwords to paper. Generally speaking, people in leadership had worse cybersecurity habits than their lower-level counterparts, and were also more likely to abuse their device privileges. For example, 23 percent of owners and 15 percent of execs used a work device to watch TV and illegal streams, compared to only seven percent of rank-and-file workers. However, many workers did use work devices for personal reasons, with shopping and banking being some of the most common.
Many of those employees did express concern about their company’s cybersecurity posture. Most (60 percent) believe that the responsibility ultimately falls on the IT team, but were hesitant to interact with that team due to the lack of support from upper management. Tellingly, more than half (51 percent) would try to solve an IT problem on their own to avoid the hassle of filing an official report with the IT department, while 40 percent wouldn’t immediately tell IT if they clicked on a suspicious link.
That last figure is particularly troubling, since it could expose the organization to a number of security threats and make it more difficult to respond effectively. Unfortunately, organizations do not seem to be taking the threat seriously, with more than a third (37 percent) of the respondents reporting that they never received any kind of cybersecurity training. Meanwhile, only 22 percent worked for an organization that had adopted two-factor authentication during the pandemic. Those that did were more likely to opt for legacy solutions like SMS passcodes that are vulnerable to phishing, rather than strong security keys built to the FIDO standard.
“The research shows that many organizations are still finding their feet in these new, mostly virtual, work environments, and while this flexibility can deliver new opportunities for businesses and employees, they shouldn’t ignore the growing cybersecurity risks that come with it,” said Yubico Founder and CEO Stina Ehrensvärd.
The findings echo earlier reports from Yubico (and others) that have repeatedly shown that many organizations still have bad password behavior. Having said that, Yubico has found that businesses are becoming more aware of the benefits of multi-factor authentication, and that many organizations implemented an MFA solution to protect workers during the pandemic.