JumpCloud recently commissioned a survey of over 400 IT decision-makers across small and mid-sized enterprises (SMEs), and the responses were interesting and insightful. Based on the responses we received, it’s clear that security is more top-of-mind than ever in many organizations. Why? Simply put, it’s due to the sheer number of employees working remotely and the new and increased security vulnerabilities that result from this workplace model.
Pre-pandemic, security was still a priority, but with most employees in an office setting every day, organizations had more direct control over employees and their devices. Many organizations still had on-prem IT infrastructure and there wasn’t as much to worry about in terms of device loss/theft and unsecured network usage when more devices stayed in the office and employees primarily used the in-office networks. Even in the pre-pandemic climate, there was a lot more that organizations should have been doing in terms of security, but the quick transition to remote work during the pandemic was the catalyst for change that was a long time coming.
Although the popularization of remote work has been extremely helpful for employees in terms of flexibility and safety, it presents new security obstacles for employers to overcome. A primarily remote (or hybrid) workforce introduces increased risk for organizations, because that same flexibility gives employees more freedom to stray away from good security practices and allows them to work from anywhere, including from unsecured networks, from personal devices, and in public places. This puts users and their associated devices at higher risk for cyber attacks and device loss/theft, leaving your organization’s resources vulnerable if not protected properly. The survey also showed us that many organizations think that they’re paying too much and getting little value from the point solutions they have in place to enable remote work, which suggests that many IT teams need a comprehensive solution that provides more value than the point solutions currently in use.
The 2021 survey results show us that security concerns and priorities for the second half of 2021 and into 2022 for SME IT leaders include:
- Improving security practices among remote employees
- Adding layered security or Zero Trust security for remote work, and
- Finding some middle ground between spending more on security solutions and getting more value out of each solution
To make this happen, it is clear that on-prem IT infrastructure and point solutions are out, and holistic cloud IT infrastructure is in. This is where implementing a comprehensive cloud directory platform proves to be extremely beneficial. This type of solution provides employees with secure access to IT resources, forces employees to adopt better security practices, and helps IT teams manage devices and users all from one centralized place.
The Rise of Remote Work and Subsequent Decline of Good Security Practices
About 74% of survey respondents said that they either agree or strongly agree with the statement “I think that remote work makes it harder for employees to follow good security practices”. From there, we found that security concerns are a mix of internal and external threats — the top concerns are software vulnerability (39%), username and password reuse (37%), unsecured network use (36%), and device theft (29%).
Though it’s clear that the vast majority of respondents think that employees are part of the decline in good security practices, it’s important to remember that good security practices start at the top of the organization and flow down. If your organization went fully remote in 2020 but was unable to implement initiatives like requiring multi-factor authentication (MFA), adding conditional access policies, and finding a centralized remote device management system, that’s where improved security practices could have begun.
With these four security concerns top-of-mind, diving deeper into the specific risks that each issue poses is essential to deciding exactly which approach to increasing your security posture is best for you.
Remote work environments present new and increased risks to organizations of all sizes. A couple of examples are the use of personal devices for work and the increased time it takes to identify and react to software breaches and vulnerabilities across remote devices due to lack of a centralized device management system.
81% of survey respondents admitted that they have used a personal device for work purposes, and 34% said that a friend or family member has used their work device for non-work purposes. It’s easy to assume that these numbers are even higher among non-IT employees, as they are typically less informed about risk. These stats highlight a few different problems: the software and built-in security on personal devices are not always up to date, these personal devices most likely contain other pieces of vulnerable software and applications, and the use of work devices for personal purposes opens your organization up to more potential threats.
The main concern here is that these problems are out of your organization’s control when they’re happening on unmanaged personal devices, yet you will have to deal with compromised company resources if a malicious party takes advantage of these vulnerabilities.
On top of the issue of using personal devices for work and work devices for personal purposes, there is an omnipresent challenge of discovering and reacting to software vulnerabilities across remote devices in a timely manner. Without a unified device management solution that allows you to install and update software in place, reaction times are drastically increased, which gives bad actors more opportunity and time to cause damage to critical company resources.
Username and Password Reuse
“Password fatigue” is a modern term that describes attitudes surrounding the login process. Every device, network, and application an average person logs into every day has slightly different password requirements, and remembering completely different passwords for each is nearly impossible. This leads to password reuse on both personal and work devices for the sake of simplicity. So, when an employee at your company reuses their personal password on their work device and applications, your organization’s important resources are left vulnerable. Phishing is incredibly common, and if that user falls victim to a single lure, any bad actors involved now have the password that gives them access to any resource provisioned to that user.
Another event that could cause rippling effects within your organization is an external data breach — usernames, passwords, and other information can be leaked from an unrelated website or application, and now the same password that a user attached to your organization’s resources is compromised. Setting password complexity requirements that are more stringent than average and implementing MFA are security best practices that can counteract these issues, but the survey found that even these can be challenging to adopt.
When asked about MFA use, we found that more than half of the survey respondents already require MFA across everything (53%), and an additional 31% said it is integrated but only across certain applications. However, out of those who don’t use MFA at all, 31% said it is too complicated, and another 31% said they didn’t think they needed it. On one hand, the fact that 84% of respondents have already adopted MFA and require it at least for some applications in their organization is a great statistic; on the other hand, that so many organizations still think it is too complicated or that they don’t need it at all is troubling. This points to a strong need for increased education on security best practices, as well as the need for easier, more streamlined MFA implementation capabilities.
Unsecured Network Usage
Another huge security concern among IT teams is the use of unsecured networks among remote team members. These employees are either connecting to an open home network or an unsecured public WiFi network, each of which can increase risk for the organization. Without the proper infrastructure and policies in place that support secure connections to sensitive or critical systems, employees may inadvertently fall prey to external threats. This presents an opportunity for organizations to improve resource security by educating employees on network security best practices and implementing network-related policies.
Device Loss or Theft
Last but not least on the list of security concerns among IT admins is device loss and theft, a risk heightened by the popularity of remote work. With so many organizations supporting the work-from-anywhere (WFA) model, the risk of company devices being lost or stolen has increased dramatically. In a worst-case scenario, an employee with access to confidential company resources finds their laptop stolen from a coffee shop when they briefly wandered away. Whether the user of the laptop was still logged in when it was stolen or their system’s password requirements are lax, the thief now has access to everything that your user had access to.
This situation, and any less dramatic one that comes up, is preventable when your organization employs better security practices as a whole. But unlike before, when the plan of attack involved bolstering network security infrastructure and keeping devices within the domain (and often on the physical premises), this now means designing security practices that focus on protection and prevention at the user level: applying password complexity requirements and MFA as widely as possible, using policies that change device default settings such as lock screen timeout, and putting a comprehensive device management system in place that lets you lock users out of their account when their device is compromised.
Zero Trust Security
This overall decline in good security practices since the sudden shift to remote work can be traced back to both employees and employers. Good security practices start with solid strategies and trickle down through organization-wide implementation. Risk from software vulnerability, password reuse, unsecured network usage, and device loss/theft can largely be mitigated by the implementation of a Zero Trust security initiative. “Zero Trust” is a security model that’s built upon the philosophy that an organization should not automatically trust that a user is who they say they are, that they are using safe equipment and network paths, or that they have the proper access rights; instead, every access transaction must be verified before authorization is granted.
This approach to security is more necessary than ever with so many employees working from home, coffee shops, or even a different city, state, or country from where IT is based. This model improves security no matter where employees are trying to work from because it is centered on the verification of their identity, devices, networks, and access rights. And many techniques to implement Zero Trust can improve an organization’s security without interrupting employees or adding undue complications to the end-user’s experience.
From the survey, we found that 46% of respondents plan to adopt Zero Trust security before the second half of 2022 and 21% have already implemented it. These numbers show that while many organizations did not take this initiative during the transition to remote work, they are now recognizing that Zero Trust is essential to enable secure remote work that follows best practices.
However, it should be noted that the same survey found that the champion of Zero Trust within an organization is quite varied. When asked who was championing the adoption of a Zero Trust model, responses ranged from personal leadership (32.8%), to department heads (35.4%) and even executive leadership (17.9%). Given the stakes, changes in workflow and investment in both time and budget required to roll out Zero Trust Security in a meaningful way, it is absolutely essential that the whole of leadership is on board.
Cost vs Value for Enabling Remote Work
With the current remote and hybrid work landscape, there’s a strong need across organizations to implement a variety of different security initiatives. As it stands, we found that 62% of IT decision-makers think they pay for more tooling than they need to manage user identities, and more than half (56%) of respondents said they are spending too much to enable remote work. The realization that needs to be made here is that user identities are at the center of everything, including secure remote system and device management. Too many organizations are still paying for a multitude of point-solution platforms to securely manage their remote users, systems, and devices separately, when the answer to these problems lies in a single, comprehensive cloud directory solution.
A lot of the current overspending is the result of implementing multiple point solutions to fix different problems that came up with the shift to remote work, such as needing a user directory, SSO, MFA, RADIUS, LDAP, and general cross-OS device management, not to mention an IGA solution to manage audit logging and compliance. This makes sense, given that IT admins were faced with a sudden and significant challenge that threatened to ruin entire organizations if they could not adapt quickly. The luxury of time needed to research, evaluate, and migrate solutions was not afforded to most.
However, with the ongoing need to improve security for remote and hybrid work environments, 58.4% of IT departments surveyed said that they plan to spend more on remote management technologies, and 55.9% also plan to spend more on security technologies since remote work has introduced new risks. With the fear, uncertainty, and doubt that came with the initial phases of the pandemic largely in the past, these budget increases can go towards a holistic solution, and you can stop paying for numerous separate solutions that don’t give you nearly as much value for your money as you need to continuously improve your organization’s bottom line and security practices.
Ready to transition to a comprehensive solution and stop paying too much for point solutions that never live up to expectations? Try JumpCloud’s Cloud Directory Platform and enjoy all of its functionality for free for up to ten users and ten devices. Your JumpCloud Free account allows you to check out the Directory Insights tool, set up MFA and password complexity requirements, apply security policies, utilize our Cloud RADIUS or LDAP services, and implement Zero Trust security among many other things! If you need any help getting started, you’ll also receive ten days of 24×7 premium in-app chat support.