
Employees are returning to the office. Make sure they don’t bring bad security habits with them


Covid-19 moved offices remote practically overnight, and most organizations were unprepared – especially when it came to securing their networks. Now as more people get vaccinated and a return to the office is becoming a realistic option, company leaders are navigating both when to bring employees back and how to mitigate risk.

While the pandemic created plenty of new opportunities for cybercriminals to steal data, the best way to prevent new attacks is still going back to the basics. Here are some tips to make sure your team leaves their bad security habits behind.

Create a personal device policy 

In a recent study, 55 percent of organizations said they allow employees to access corporate applications on their personal devices. It’s a practice that became common during the pandemic, when many businesses weren’t set up to give everyone access to a company-owned device. This opened the door to phishing, malware and a host of other cyberattacks; as proof, researchers noticed an overlap last year between personal and corporate data collected from botnet logs (indicating keylogger malware infections on the users’ devices). In other words, cybercriminals were able to steal corporate logins from personal devices – information attackers can easily use to access company resources while evading detection. This could have been prevented had the devices been within corporate control.

Start rethinking how your applications are accessed from insecure home networks, and develop sound policies for employee access to company accounts on personal devices. This is especially important if you’re planning a hybrid workplace where employees will still work remotely part-time.  

If employees did download corporate data to their home computers during the pandemic, that data should be removed immediately. Also review any new email, system and vendor accounts that were set up remotely to make sure they are sufficiently secure.

Adopt stronger password guidelines 

Easy-to-guess password choices are one of the top reasons for credential-based attacks like account takeover. You may also remember that 2020 ended with the largest supply chain attack in history. Poor password choices played a key role. 

Companies generally use hashing algorithms to convert stored passwords from plaintext into a scrambled set of characters that looks nothing like the original, so that a breach of the password database does not immediately expose the passwords themselves. Unfortunately, even the strongest hashing algorithm means little when users choose weak or common passwords that criminals can easily crack. Establish a policy that requires employees to choose passwords of at least 16 characters with a combination of upper and lower case letters and special characters – and educate them on the consequences of password reuse.

Even though it’s a well-known problem, password reuse remains too common. Among the 1.5B stolen credentials recovered in 2020, researchers found a 60 percent password reuse rate. That means people who were exposed in two or more breaches in 2020 were reusing passwords extensively. Encouraging the use of unique passwords for every account is the job of corporate security teams, but only users themselves can ensure that’s the case. Consider offering password managers as an employee benefit and encourage their use across work and personal accounts.

Requiring multi-factor authentication (MFA) is also a good idea: users must present multiple, distinct pieces of evidence (credentials plus a physical device or authenticator code, for example) in order to log into accounts. MFA will act as a deterrent to some forms of cybercrime.
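The two checks the password section describes, the 16-character mixed-case policy and a lookup against known-exposed passwords, can be enforced at password-change time. The following is an added illustration, not code from the article or from SpyCloud: the exposed-password corpus is a small constructed list hashed locally, and the prefix-range lookup mirrors the k-anonymity pattern public breach-check services use (the client sends only the first five hex characters of a SHA-1 digest and compares the returned suffixes itself). Function names and thresholds are assumptions.

```python
import hashlib
import string

# Policy from the article: at least 16 characters, upper and lower case
# letters, and at least one special character.
MIN_LENGTH = 16

# Constructed stand-in for a corpus of passwords seen in third-party breaches.
# A real deployment would consult a breach-data service; these values are
# illustrative only.
_EXPOSED_PLAINTEXTS = ("Summer2020!", "password123", "Welcome1!", "Qwerty!2021")


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form used by prefix-range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


EXPOSED_SHA1 = {sha1_hex(p) for p in _EXPOSED_PLAINTEXTS}


def policy_violations(password: str) -> list[str]:
    """Return every policy rule the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def suffixes_for_prefix(prefix: str) -> list[str]:
    """Server side of a k-anonymity range query: all exposed hash suffixes
    whose digest starts with the 5-character prefix. The full password hash
    never leaves the client."""
    return [h[5:] for h in EXPOSED_SHA1 if h.startswith(prefix)]


def is_exposed(password: str) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in suffixes_for_prefix(prefix)


def evaluate(password: str) -> dict:
    """Combine both checks into the decision a password-change handler needs."""
    violations = policy_violations(password)
    exposed = is_exposed(password)
    return {
        "compliant": not violations and not exposed,
        "violations": violations,
        "exposed": exposed,
    }


if __name__ == "__main__":
    for candidate in ("Summer2020!", "Correct-Horse-Battery-7"):
        print(candidate, evaluate(candidate))
```

Note that the exposure check catches a password that satisfies the length and character rules yet still appears in breach data; the policy check alone would accept it, which is the point the article makes about hashing not rescuing weak or reused choices.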

Practice proactive monitoring 

The earlier you identify a breach, the faster you can mitigate the damage. Cybercriminals are continually adapting and finding new ways to steal data. Keeping your network safe requires constant monitoring for signs of a breach: watching for increases in internet traffic, unusually large uploads of data out of your network, and any sudden, unauthorized changes in employee permission or access levels. 

It’s also a good idea to proactively monitor employee credentials for exposure in third-party data breaches (breaches of other companies whose data contains the employee’s corporate email address and password). Forcing a speedy password reset when login details are compromised can negate the possibility that the credentials will be used to break into the employee’s email or other work accounts and endanger corporate assets (remember the password reuse point I brought up earlier…).
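The monitoring signals named in the last two paragraphs (unusually large data leaving the network, sudden unauthorized permission changes, and credential exposure in a third-party breach) can be expressed as a few rules over an event stream. The block below is an added example, not code from the article or from SpyCloud: the JSON-lines log, the user names, the 1 GB per-user daily upload budget, the approved administrative identity and the role names are all constructed assumptions, and a real deployment would feed it from its own logging and breach-notification sources.

```python
import json
from collections import defaultdict

# Assumed thresholds and allow-lists; tune these to the environment.
UPLOAD_BUDGET_BYTES = 1_000_000_000     # per user, per calendar day
APPROVED_ROLE_CHANGERS = {"admin-svc"}  # only this identity may change roles
PRIVILEGED_ROLES = {"domain_admin", "owner"}

# Constructed sample log: one JSON object per line, in time order.
SAMPLE_LOG = """
{"ts":"2021-05-10T09:02:11Z","user":"alice","event":"upload","dest":"drive.example.net","bytes":12000000}
{"ts":"2021-05-10T09:30:45Z","user":"bob","event":"upload","dest":"files.example-external.com","bytes":850000000}
{"ts":"2021-05-10T10:05:00Z","user":"carol","event":"perm_change","target":"dave","new_role":"domain_admin","actor":"carol"}
{"ts":"2021-05-10T10:06:00Z","user":"admin-svc","event":"perm_change","target":"erin","new_role":"reader","actor":"admin-svc"}
{"ts":"2021-05-10T11:00:00Z","user":"bob","event":"upload","dest":"files.example-external.com","bytes":400000000}
{"ts":"2021-05-10T12:00:00Z","user":"frank","event":"breach_exposure","email":"frank@example.com","source":"third-party breach feed"}
"""


def analyse(lines):
    """Run the three detection rules over log lines and return alerts in order."""
    alerts = []
    daily_upload = defaultdict(int)   # (user, day) -> bytes sent so far
    already_flagged = set()           # avoid repeating the upload alert per day

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        kind = ev.get("event")

        # Rule 1: unusually large outbound transfer (cumulative per user per day).
        if kind == "upload":
            key = (ev["user"], ev["ts"][:10])
            daily_upload[key] += int(ev["bytes"])
            if daily_upload[key] > UPLOAD_BUDGET_BYTES and key not in already_flagged:
                already_flagged.add(key)
                alerts.append({
                    "rule": "large_outbound_transfer",
                    "user": ev["user"],
                    "detail": f"{daily_upload[key]} bytes to {ev['dest']} on {key[1]}",
                })

        # Rule 2: permission change by an unapproved actor, or into a privileged role.
        elif kind == "perm_change":
            unapproved = ev.get("actor") not in APPROVED_ROLE_CHANGERS
            privileged = ev.get("new_role") in PRIVILEGED_ROLES
            if unapproved or privileged:
                alerts.append({
                    "rule": "unauthorized_privilege_change",
                    "user": ev["user"],
                    "detail": f"{ev['actor']} set {ev['target']} to {ev['new_role']}",
                })

        # Rule 3: corporate credential seen in a third-party breach -> force reset.
        elif kind == "breach_exposure":
            alerts.append({
                "rule": "force_password_reset",
                "user": ev["user"],
                "detail": f"{ev['email']} exposed via {ev['source']}",
            })

    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert["rule"], alert["user"], "-", alert["detail"])
```

The upload rule accumulates per day rather than judging each event alone, so a transfer split into several uploads still trips it; the breach rule produces an action rather than a mere warning, which matches the article's advice that exposure should trigger a prompt reset.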

Education and training  

People are the No. 1 source of cybersecurity problems, but they can also be the most essential part of the solution. Cybercriminals exploit weaknesses in human behavior, from password laziness to clicking on innocent-looking emails, to execute their attacks. Create a continuous education and training program that helps your employees understand, recognize and respond appropriately to threats. Make it clear that these are practices they can use not only to keep corporate accounts safe, but to protect their own personal accounts as well. 

Establish an open-door policy with your security department so that the team feels comfortable reaching out with concerns, even if they turn out to be nothing. It’s better to be over-vigilant than miss the warning signs of a real attack. 

Returning to the office after a year or more of working remotely will be a big adjustment both for employees and corporate security teams. Enforce a personal device policy, create strong password guidelines that encourage employee compliance, stay proactive about threat monitoring, and create a continuing education program to keep both your enterprise and your employees safe.

Chip Witt, Vice President of Product Management, SpyCloud

Chip Witt is the Vice President of Product Management at SpyCloud, driving the company's product vision and roadmap.