Before the coronavirus pandemic forced the workforce to work from home, employees conceded some flaws: there's a knowledge gap in security best practices.
Four in 10 employees believe it's "maybe" possible for malware to infect devices that are "too close" to each other, according to a survey of more than 1,000 U.S. employees by Osterman Research in partnership with MediaPRO.
That's the sound of CISOs everywhere slapping their foreheads.
From the perspective of non-technical employees, cybersecurity is IT's problem. The reality is, responsibility stretches across departments. Inadequate, irregular training adds to the myths and confounds the workforce at large.
Employee awareness around security has shifted in the last five years, despite efforts by technology vendors, said Michael Osterman, president of Osterman Research, during a webcast Wednesday. The tech industry has moved away from vendors claiming that technologies and tools would replace employee security training.
CIO Dive asked cybersecurity experts what security "myths" employees frequently believe. It's time to clear the air.
Passwords are foolproof.
Everyone uses authentication, in their personal lives and for work, but relying on passwords gives users a false sense of security.
"Passwords, regardless of how strong they are, do not ensure that your account will be secure," Ben Goodman, SVP of global business and corporate development at ForgeRock, told CIO Dive.
Four in 10 employees feel "very confident" their current passwords are strong and have yet to be compromised, according to the report.
But confidence does not provide adequate protection.
While recycling passwords is risky behavior, password managers aren't the ultimate solution either, said Goodman. "They still require a user to provide a password for access that can be attacked." Passwords make security feel convenient for users, but their continued use is in question. Historically, compromised authentication has led to a number of major data breaches.
Passwords "must become a thing of the past," said Goodman. If employees feel the "pain" of being tied to their identifiers, organizations can adopt authentication methods other than passwords, similar to Apple's use of facial recognition.
"The reality is, Apple products are susceptible to security breaches, but they are targeted less often given that they do not assume the majority of the market of systems," James Carder, CSO and VP of LogRhythm Labs, told CIO Dive. While Apple does build strict security controls into its products, there have been incidents of failure.
When organizations eliminate passwords, they get a shot at greater security and rely on identity, not the name of a beloved pet, to protect enterprise data.
Cloud security equals data center security.
The cloud changed how organizations approached security, and it left some people skeptical.
Tools that sufficiently protected data centers "do not translate to the public cloud," Chris Hertz, VP of cloud security sales at DivvyCloud by Rapid7, told CIO Dive. Despite this, organizations are eager to "embrace" self-service access for developers and engineers, disregarding the privilege (and security risk) associated with those users.
Organizations often misinterpret the cloud provider's role in security — the bulk of responsibility falls on the customer. The provider is "responsible for the security of the cloud itself, while the customer is responsible for secure and compliant operations in the cloud," said Hertz.
The shared responsibility model can become murky, leading to misconfigured databases. Organizations are accountable for knowing all "niche" services, including unmanaged but used devices, Anurag Kahol, CTO and co-founder of Bitglass, told CIO Dive.
While the cloud has changed how organizations do security, a common misconception is that cloud security is weaker than on-premises solutions. But "even enthusiastic cloud adopters may see security as an obstacle," said Hertz.
One-quarter of employees think transferring data from work using a personal cloud server that scans for viruses is acceptable, according to the report.
Organizations can avoid cloud-related security issues "by employing the necessary people, processes and systems at the same time as cloud adoption, not weeks, months or years later," said Hertz.
Phishing emails are obvious.
Today's successful phishing schemes weren't sent by a Nigerian prince. Most are sophisticated or at least speak to human emotion.
More than one-quarter of employees aren't confident in their ability to spot a phishing attack, nor are they able to identify at least two indicators of a malware infection, according to the report.
An employee's lapse in judgement can take a toll on an organization. "Even users who have deep technical expertise fall victim to phishing attacks," said Carder.
Tools can supplement human detection, or automate it to a certain extent.
The coronavirus pandemic is amplifying the volume of attacks, and weeding through every potentially malicious email by hand is nearly impossible. It's especially difficult when phishing schemes feed on human nature and anxiety. Proper identity and access management tools or built-in security protocols from email providers could tie up loose ends.
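The kind of automated triage the section above describes can be as simple as checking a message for several independent phishing indicators at once. The script below is an added example, not code from the article or from any vendor quoted in it; the messages, the organisation domain (`example-corp.com`), the indicator names and the lookalike heuristic are all constructed assumptions for illustration. It flags a sender domain that imitates the internal one, a Reply-To address that does not match the sender, a failed SPF or DKIM result in the Authentication-Results header, urgency wording in the subject, and links to bare IP addresses.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed organisation domain; replace with the real one in deployment.
INTERNAL_DOMAIN = "example-corp.com"
URGENCY_WORDS = ("urgent", "immediately", "expires", "verify", "suspended")

# Constructed sample messages (not real mail). The first stacks several
# indicators; the second is a benign internal note for comparison.
SUSPICIOUS_RAW = """\
From: "IT Helpdesk" <support@examp1e-corp.com>
Reply-To: collect@mailbox-free.example
To: alice@example-corp.com
Subject: URGENT: password expires today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none
Content-Type: text/plain; charset="utf-8"

Your password expires in 1 hour. Verify immediately at http://203.0.113.5/login
"""

BENIGN_RAW = """\
From: "Bob" <bob@example-corp.com>
To: alice@example-corp.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass
Content-Type: text/plain; charset="utf-8"

Want to grab lunch Thursday? Menu at https://example-corp.com/cafeteria
"""


def _domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike(domain, trusted):
    """Cheap homoglyph check: digit-for-letter swaps or <=2 differing chars."""
    if not domain or domain == trusted:
        return False
    if domain.replace("1", "l").replace("0", "o") == trusted:
        return True
    if len(domain) == len(trusted):
        return sum(a != b for a, b in zip(domain, trusted)) <= 2
    return False


def phishing_indicators(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return the list of indicator names found in an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)
    if _lookalike(from_domain, internal_domain):
        found.append("lookalike-sender-domain")

    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if _domain_of(reply_addr) != from_domain:
            found.append("reply-to-mismatch")

    auth = (msg.get("Authentication-Results") or "").lower()
    if re.search(r"spf=(fail|softfail)", auth):
        found.append("spf-fail")
    if re.search(r"dkim=fail", auth):
        found.append("dkim-fail")

    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        found.append("urgency-subject")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}", body):
        found.append("ip-address-url")

    return found


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("benign", BENIGN_RAW)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

Each indicator is weak on its own (a legitimate newsletter may set a different Reply-To, for instance), so a mail gateway would typically score them rather than block on any single hit; the value of the check is that it never tires of reading headers the way a rushed employee does.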
Cyberattacks happen to other people.
Not all security risks are lost on general employees. The majority, 90%, of employees know there is risk associated with "using a personally managed file-sharing solution" to access company data while working remotely, according to the report.
"People assume in the vast internet universe, why would a hacker target them," Teddy Nicoghosian, director of technical marketing at Pulse Secure, told CIO Dive.
It's a valid thought, but one that results in security complacency: passwords stay the same, employees use public Wi-Fi, and data travels unencrypted on mobile devices. Only half of employees believe unencrypted data on mobile devices carries minimal risk, according to the report.
As employees work remotely and as some companies adopt enterprise contact tracing apps, Bluetooth is another security risk employees don't consider. Employees leave Bluetooth running constantly; "even just the signal can alert malicious actors," said Nicoghosian.