In part one of this two-part series, we learned that nearly 8 out of 10 respondents like working remotely and a significant proportion perceive themselves as more productive. In this article, we evaluate the security measures taken by these employees and what steps small to midsize enterprises (SMEs) can take to set up more secure remote work environments.
- 85% of respondents have faced phishing attacks at least once
- Two-factor authentication and antivirus software are popular measures for cybersecurity
- Only 30% of respondents use password management tools
- 59% of respondents who repeat passwords share them between personal and business accounts
- Key strategies to secure remote work environments
The era of remote and hybrid work has ushered in both newfound possibilities and unforeseen challenges for Australian SMEs. On the one hand, employees have embraced remote working models, and of those who were not working remotely prior to the pandemic, 39% believe they are more productive working fully remotely compared to when they were previously working in an office. However, on the other hand, what security implications do remote working models pose for companies?
Australian businesses should emphasise robust security measures: cybercrime reports increased by 13% from the previous financial year, totalling 76,000, which equates to one report every 8 minutes, according to the Australian Cyber Security Centre (ACSC). As a potential solution, effective password management can help ensure remote and hybrid employees are following safe and secure measures to protect themselves from cyber threats.
To find out how well-equipped businesses are against potential cyberattacks, we surveyed 1,024 fully remote or hybrid employees to evaluate the security measures and precautions they take to set up a safe and secure remote workplace. Furthermore, we analyse how well these employees are trained on security measures and how they manage their passwords. All survey respondents are either fully employed or work part-time for an SME. The full survey methodology is at the end of this article.
85% of respondents have faced phishing attacks at least once
Phishing is the term used to describe an internet scam where the scammer sends disguised emails or other forms of messages to try to deceive recipients. This could include getting such recipients to provide private information such as usernames and passwords. This method of obtaining private information is becoming increasingly common: about 8 out of 10 remote and hybrid employees have encountered a phishing attempt, of whom 67% have received more than one.
In addition to the rising number of security threats, the same ACSC report also highlights the danger of more sophisticated cybersecurity threats that make it easier for online criminals to replicate these crimes on a grander scale. Alarmingly, 48% of respondents who have received a phishing email said the phishing attempt was impersonating a company. This type of phishing attempt can be a major concern for businesses that outsource to external companies, where employees may be unable to distinguish between an official email and a phishing attempt.
Moreover, a significant proportion of the same subset of respondents (46%) ignore phishing emails once they recognise the malicious intent behind them. This could be harmful, considering that reporting phishing emails can help identify threats and stop them from making an impact. Furthermore, nearly 1 in 4 (26%) of these respondents don’t change passwords after a phishing attack. In light of this, SMEs can make use of guidelines and a workplace policy to specify company procedures following a phishing attack. The Office of the Australian Information Commissioner (OAIC) outlines the following action items for a company to include in a data breach response plan:
- Identify the breach: record when the breach was discovered, the type of personal information involved, and the cause and extent of the breach.
- Contain the breach: assess the seriousness of the breach and act immediately. This can include contacting recipients to ask them to delete the email and change their passwords.
- Assess the risks of individuals associated with the breach: collect information about the breach and assess if further action is required, such as advising your systems administrator.
- Consider a breach notification: decide whether to escalate to a response team to conduct an initial investigation and notify the ACSC depending on the extent of the breach.
- Review the incident: follow up with a full investigation to prevent future breaches.
Only a quarter of respondents (25%) have installed email security software as one of the measures to ensure a safe and secure remote or hybrid working environment. Companies should be wary of the threat of phishing attacks on remote and hybrid employees, as a data breach can have long-lasting effects on a company’s reputation and significantly impact its bottom line. We investigated further to determine which other steps employees take to prevent such attacks.
Did you know?
Email is one of the most common methods scammers use to pry sensitive information from recipients. As such, email security software can help safeguard organisations from malicious email threats, phishing attacks, and data leaks. Such software tools help protect email accounts with built-in data encryption capabilities, advanced threat mitigation tools, and URL and attachment protection.
Two-factor authentication and antivirus software are popular measures for cybersecurity
In an office environment, companies may have a certain level of control in implementing security measures. However, in a remote setting, employees may be unaware of all the various potential security threats and use personal equipment for work or software outside the parameters of a company, which can jeopardise a company's security efforts.
To set up a secure remote work environment, our survey respondents most frequently cited setting up two-factor authentication software (2FA) (38%) and installing antivirus software (34%). Conversely, some of the least chosen measures to set up a safe and secure remote or hybrid environment are not working on desktop files (12%) and regularly changing their residential WiFi password (18%). Below, we list the most frequently cited measures remote and hybrid employees use to set up a safe and secure environment.
Additionally, only 25% of respondents cited that they have received IT security training, meaning companies may be exposing themselves to a higher degree of risk for a cyberattack. IT security training helps employees identify and avoid cyber threats in the workplace. Continuous and dynamic training can keep employees updated on how to protect their systems from evolving threats and can help reduce that level of risk, especially in a remote working environment.
Only 30% of respondents use password management tools
The importance of keeping sensitive information secure is more pertinent than ever with increasingly advanced cyberattacks. Employees working remotely must be extra vigilant when protecting sensitive information. In addition to IT security training, remote and hybrid employees who correctly manage their passwords can effectively build defences against a possible cyberattack.
We found that using unique passwords for every site was among the most chosen responses (43%) when asked about approaches to using passwords across multiple sites. However, some respondents also said they rely on memory (44%), and keep passwords on an Excel spreadsheet or document (30%). Surprisingly, only about 3 out of 10 (30%) respondents manage their passwords with password management add-ons or software.
Despite having unique passwords for every site, there may be cause for concern about the methods by which passwords are stored and used. Relying on memory for many unique passwords can result in an employee forgetting a password. Phishing attempts may take advantage of this by sending recipients emails that falsely inform them of expired accounts or falsely require them to update passwords. Additionally, employees who have their passwords stored on a document run the risk of exposing all their passwords to a hacker in the event of a security breach.
What are the benefits of password management tools?
Password management tools benefit users and IT teams by securing passwords within an encrypted digital vault and providing convenient access to unique passwords. Typically, passwords can be synced across devices and systems, and users need only remember one master password to gain access to their password vault. Once users are logged in, such password managers can generate complex passwords unique to every site and can autocomplete passwords whenever a login is required for a site.
59% of respondents who repeat passwords share them between personal and business accounts
31% of respondents use a few main passwords for different sites and 25% use one main password for all sites. While hackers may be delighted to read this insight, alarm bells should be sounding for organisations. In particular, a combined total of nearly 6 out of 10 (59%) of those respondents who don’t have unique passwords for every site share passwords between their personal and business accounts.
Despite 42% of the same subset of respondents indicating that they changed their password within the last month, this alone may not be enough to keep hackers at bay if they can compromise personal accounts that may share a password with business accounts. In terms of password strength, of these respondents, using passwords between 8-16 characters in length (45%) was most frequently cited, followed by using randomised letters, numbers and characters (31%). Significantly, 1 in 5 respondents (20%) use names for their passwords, which can make them more exposed to hackers.
How to establish an effective password policy
Password policies provide structured guidelines for employees and can help establish a high level of security for organisations. Organisations can consider adopting the following security practices in their password policy:
- Passphrases: password length and complexity are essential to a strong password policy. A passphrase is a longer password that can be remembered as a sentence and contains upper and lower case letters, symbols, and numbers.
- Multi-factor authentication (MFA): MFA tools offer an added level of security that requires users to verify passwords or logins through multiple mobile devices and applications.
- Virtual private network (VPN): VPN software allows remote employees to securely access corporate networks through an encrypted connection.
- Testing and updates: passwords should be updated periodically and tested. In addition to periodic password changes, it is recommended to change passwords when there is evidence of a security breach.
Key strategies to secure remote work environments
In summary, based on the above analysis, organisations should evaluate how safely and securely their remote and hybrid employees are working and the level of risk they are exposed to. Amid rising demand and preference for remote working, organisations can implement the following strategies to keep data breaches at bay:
- Establish well-rounded remote work policies: define policies that outline best practices for setting up a remote work environment and what is permitted, such as the official use of equipment and systems.
- Implement strong access management and controls: conduct an access management audit to identify and address vulnerabilities. Implement software solutions such as MFA, VPN, and cybersecurity software to prevent data breaches and enhance security.
- Educate employees on cybersecurity: provide ongoing training and teach remote employees how to identify and avoid potential cyber threats, such as phishing emails. In addition, encourage remote employees to adopt secure measures such as using strong passwords.
The data for GetApp’s 2023 Remote Work Survey was collected in April 2023 and comprised answers from 1,024 respondents. The following criteria were used to select respondents:
- Australian resident
- Employed full or part-time in a company with between 2 and 250 employees
- Aged between 18 and 65
- Works fully remotely or in a hybrid role in a position above trainee level
For the analysis of the survey, respondents were classified by regional location. Each region was classified according to the following criteria:
Urban: Living in an apartment/unit
Suburban: Living in a single-family-house/stand-alone dwelling in a city with more than 100,000 residents
Rural: Living in a single-family-house/stand-alone dwelling in a city with less than 100,000 residents