A decentralised workforce and remote working practices create an attractive target for cyber criminals. The use of personal devices, a lack of privacy and the use of new, unfamiliar technology all provide fertile ground for those looking to profit from cybercrime. The volume and sophistication of cyber threats continue to grow, exacerbated by human errors, typically caused by lack of awareness or training. In the face of these risks to valuable or sensitive data, organisations seem confident in their security posture. However, the EMEA survey shows that this confidence is not supported by the facts, with a surprisingly high number of respondents failing to take advantage of modern security tools and practices.
Phishing Attacks, Human Error and Ransomware are the Biggest Security Concerns.
Almost 60% of organisations surveyed have seen an increase in phishing emails or SMS messages in the last 12 months, and one in five organisations has fallen victim to a phishing attack. These numbers may be even higher, as between 23% and 29% of businesses could not or would not say whether they had seen instances of threats increasing. If an attack remains undetected, sensitive data is at an even greater risk because countermeasures are taken far too late, or not taken at all.
Phishing (71%), human error (56%) and ransomware (47%) are seen by businesses as the top three IT security threats in the next 12 months. These concerns are linked. For example, phishing attacks are becoming more sophisticated and more difficult for employees to detect. This is particularly prevalent on mobile devices, where the user is working on a smaller screen, may be distracted or multi-tasking, and where URL links and email addresses cannot be verified as easily as on larger-format laptops or desktops.
Many Organisations Lack Basic, Important Security Measures.
Against a backdrop of growing and evolving cybersecurity threats, it is clear that organisations need to review the adequacy of their security measures for remote and hybrid working and do more to protect their data and assist their employees in thwarting potential cyber attacks. However, our survey shows that many organisations lack important security measures.
- Just over one-third (37%) of organisations have a mobile threat defence solution in place, despite phishing being considered the most serious threat over the coming year. Only the same percentage of respondents performed regular penetration and vulnerability testing for mobile devices.
- More than half of respondents (58%) allow the use of third-party app stores (other than the Apple Store or Google Play Store), a common way for malicious applications to be downloaded onto devices.
- One in two organisations do not have Data Loss Prevention (DLP) controls in place to prevent corporate data from being copied from emails or applications into personal file-sharing services such as Dropbox or Google Drive.
- The situation is better, but still far from adequate, when it comes to basic security measures such as the use of Virtual Private Networks (VPNs) or Multi-Factor Authentication, which are still not used by one in five respondents.
- Of those organisations which have, or plan to introduce, a Unified Endpoint Management (UEM) solution, just over one-third (35%) do not use the solution’s advanced mobile security and data protection features, which represents a missed opportunity to improve security.
Too Little is Being Done For Employee Awareness.
Human error was identified as the second-biggest anticipated cyber threat in the coming 12 months, and employee awareness is an important factor in averting potential security threats, particularly in relation to phishing and social engineering. Yet, worryingly, one-third (33%) of organisations have not provided any kind of mobile security awareness training to employees.
Confidence in Security is Misplaced.
Our survey showed that respondents’ confidence in their data security is high, with almost three quarters (73%) either very confident, or fairly confident, in their ability to secure corporate data on remote or mobile devices. However, our survey shows this confidence may have been misplaced:
We asked: ‘Has mobile security awareness been delivered to your organisation?’
- 6% – I don’t know the answer
- 33% – No
- 61% – Yes
Our Recommendations.
Our survey shows that there are still different security standards, and security technologies, for different device types, with security teams typically applying less stringent controls on mobile devices than on either laptop or desktop devices. Cyberattacks – especially phishing attacks – are steadily increasing and becoming more professional. The rapid implementation of widespread remote working practices due to Covid-19 has opened up new vulnerabilities. Companies are not doing enough to protect their data in terms of both the application of security technology and raising employee awareness on security issues.
Organisations should:
- Adopt Zero Trust security principles wherever possible, supported by clear policies on who, when, how and with which device corporate data and applications can be accessed.
- Introduce clear separation between business data and private data, with sufficient security standards for business data and privacy policies for private data.
- Use an integrated tool (ideally a UEM platform) to centrally manage and secure all endpoints and ensure devices are configured to comply with security policies, that secure apps and software updates are deployed, and that corporate data can be wiped from devices when necessary.
- Use Virtual Private Networks (VPNs) to ensure that data exchanged between employee devices and the organisation’s network is encrypted and secure.
- Adopt security technologies that detect and identify risks before they cause damage. For example, technology to detect phishing attacks or malicious apps, or to protect digital identities, could significantly reduce the risk posed by careless employee behaviour.
- Educate employees through regular, mandatory information security awareness training and exercises such as simulated phishing attacks to inform them of best practice and help them to identify and report potential security incidents.
Security does not need to be a barrier to positive user experience. In fact, modern security can enhance the employee experience, providing a robust security posture to support future hybrid and remote working models.