Cybersecurity company Trend Micro recently released a survey that showed how smart home devices and their apps represent a major weak link in the corporate cybersecurity chain as the lines between work and home life increasingly blur.
The latest numbers come from Trend Micro’s Head in the Clouds study survey, it collected the responses of more than 13,000 remote workers across 27 countries, including more than 500 in Malaysia.
The survey’s most notable finding is that over one third (36%) of remote workers surveyed do not have basic password protection on all personal devices. Although the vast the study did find that 62% protect their personal devices with a password, it is unclear how strong it is. Trend Micro noted that Multi-factor authentication (MFA) is better, although it is only used by 38% of respondents, while disappointingly less than half (46%) have security software installed.
At least 77% of Malaysian respondents connect corporate laptops to their home network. Although these machines are likely to be better protected than personal devices, there is still a risk to corporate data and systems if users are allowed to install unapproved applications on these devices to access home IoT devices.
Additionally, about 35% Malaysian respondents have uploaded corporate data to a non-work application in the past.
Interestingly, the survey revealed that 39% of workers use personal devices to access corporate data, often via services and applications hosted in the cloud. This includes the use of personal smartphones, tablets and laptops which may be less secure than corporate equivalents. They are also exposed to vulnerable Internet of Things (IoT) apps and gadgets on the home network.
With so many remote workers using personal devices to access corporate data, there seems to be a general lack of awareness about the security risk associated with this, observed Dr Linda K. Kaye, a cyberpsychology expert.
According to her, companies need to conduct cybersecurity training informing employees of best practices. These training should also be tailored in a way that recognises the diversity of different users as well as their level of awareness and attitudes towards these risks.
It is not surprising given the current state of things during this global pandemic that more than half (52%) of global remote workers have (IoT) devices, which are notoriously insecure, connected to their home network where their personal devices and work devices are also on.
The study revealed that about 10% are using lesser-known brands, many that have well-documented weaknesses such as unpatched firmware vulnerabilities and insecure logins. Such lapses in security could theoretically allow attackers to gain a foothold in the home network, then use unprotected personal devices as a stepping-stone into the corporate networks they’re connected to.
Trend Micro believes there could be an additional risk to enterprise networks post-lockdown if malware infections picked up at home are physically brought into the office via unsecured personal devices at organizations with bring-your-own-device (BYOD) practices.
“IoT has empowered simple devices with computing and connectivity, but not necessarily adequate security capabilities,” said Trend Micro Malaysia and Nascent Countries managing director Goh Chee Hoh.
“They could actually be making hackers’ lives easier by opening backdoors that could compromise corporate networks. This threat is amplified as an age of mass remote work blurs the lines between private and company devices, putting both personal and business data in the firing line. Now more than ever, it is important that individuals take responsibility for their cybersecurity and that organisations continue to educate their employees on best practices.”
As a precautionary measure, Trend Micro recommends employers ensure their remote workers are compliant with existing corporate security policies. If needed, companies should refine these rules to recognise the threat from BYOD practice and IoT devices and applications.
Adding on, companies should also reappraise the security solutions they offer to employees using home networks to access corporate information. Shifting to a cloud-based security model can alleviate many remote working risks in a highly cost-efficient and effective manner.