Firms still concerned about the WFH cybersecurity threat

More than a year later, more than eight out of 10 businesses remain concerned about the security risks of employees working remotely

Posted 3 June 2021 by Christine Horton

Despite being more than a year into remote working, four fifths (82 percent) of businesses remain concerned about the security risks of employees working from home.

That’s according to the 2021 Thales Global Data Threat Report, a commissioned study conducted by 451 Research, part of S&P Global Market Intelligence.

The study reveals that managing security risks is undoubtedly getting more challenging, with nearly half (47 percent) of businesses seeing an increase in the volume, severity, and/or scope of cyber-attacks in the past 12 months.

Attacks on the rise

Of those who have ever experienced a breach, two in five (41 percent) happened in the last year. This number has nearly doubled from 21 percent in 2019, marking a significant shift in the threat posed.

Globally, malware (54 percent) is the leading source of security attacks, followed by ransomware (48 percent), and phishing (41 percent). Yet, when it comes to how attacks occur, internal threats and human error are still of great concern to industry. A third of businesses stated that malicious insiders (35 percent) and human error (31 percent) are the greatest risks to them, followed by external attackers (22 percent).

Despite the increased risk remote working has posed to enterprises throughout the pandemic, nearly half (46 percent) of businesses report that their security infrastructure was not prepared to handle the risks caused by Covid-19. In fact, only one in five (20 percent) of organisations believe it was very prepared.

Multiple industries at risk

This lack of protection is affecting some industries more than others it seems, with just under two thirds (61 percent) of retailers surveyed experiencing a breach or failing an audit involving data and applications stored in the cloud in the past year – the most of any industry surveyed. More than half of organisations in the legal (57 percent), call centre (55 percent), transportation (54 percent), and telecoms (52 percent) sectors also suffered the same fate in the last 12 months.

Multicloud complexity increases risks

As increases in attacks continue, businesses are turning to the cloud to store their data in this digital-first world. Half (50 percent) of businesses report that more than 40 percent of their data is stored in external cloud environments. Despite this, only 17 percent of businesses have encrypted at least half of their sensitive data stored in the cloud. On top of this, complexity is an increasing issue, with many respondents now using at least two PaaS (Platform as a Service) providers (45 percent) and/or two IaaS providers (Infrastructure as a Service). A quarter (27 percent) of businesses are currently using more than 50 SaaS (Software as a Service) apps.

“Teams across the globe have faced huge security challenges over the last year as companies accelerated their digital transformation and cloud adoption initiatives,” said Sebastien Cano, SVP for cloud protection and licensing activities at Thales. “When migrating to multicloud solutions, data management can quickly spiral out of control. Organisations not only risk losing track of where their data is stored across multicloud environments but also fail to protect sensitive data in the cloud. With once unprecedented amounts of data now being used and stored in the cloud, it is vital that businesses deploy a robust security strategy based on data discovery, protection and control.”

Future challenges and the road ahead

Companies are recognising the issues they are facing and are attempting to address them with ‘zero trust’ strategies. More than three quarters (76 percent) of respondents’ cloud strategy reportedly rely to some degree on zero trust security. Almost half (44 percent) of respondents selected zero trust network access (ZTNA)/software-defined perimeter (SDP) as the leading technology to invest in during the pandemic. This was followed by cloud-based access management (42 percent) and conditional access (41 percent). In fact, a third (30 percent) of global respondents claim to have a formal zero trust strategy and those with a formal Zero Trust strategy are less likely to also report having been breached.

“The native controls and protections available in cloud environments address a set of necessary capabilities, but they’re often insufficient to deliver effective protections for sensitive data and workloads, especially when it comes to compliance with regulations such as GDPR and the implications of the Schrems II ruling,” said Eric Hanselman, chief analyst at 451 Research, part of S&P Global Market Intelligence.

“Organisations need to increase their use of encryption and ensure they take full advantage of encryption’s benefits by controlling the secrets that protect their data through BYOK (Bring Your Own Key), HYOK (Hold Your Own Key) or BYOE (Bring Your Own Encryption) approaches. Organisations also need to make internal changes to ensure that personnel at all levels understand the security challenges and to properly align investment priorities. Senior executives need to obtain a more complete understanding of the levels of risk and attack activity that their front-line staff are experiencing.”