Want to improve corporate security? Prioritize personal security

Employees are both under-educated and over-confident about their personal security practices. Enterprises should work to educate and provide tools to their employees to combat this.
Written by James LaPlaine, Contributor

Corporations aren't doing enough to improve their employees' personal security practices. Credentials remain the most targeted data type, as they are the gateway to ransomware and data theft. 61% of data breaches in 2021 involved the use of stolen and misused credentials. Bad actors took advantage of a global pandemic to increase the number of phishing attacks, the cause of stolen credentials in 36% of breaches -- a 9% increase over last year -- according to the Verizon 2021 Data Breach Investigations Report.

We know one of the best ways to protect corporate data is to require multi-factor authentication (MFA). The use of MFA is expanding: more than 50% of enterprises provide an option to use MFA, and, according to Yubico and 451 Research, over 74% of organizations say they are increasing investment in MFA solutions.

Major platforms, such as Salesforce, announced that all logins to their platform will require MFA in February 2022, and organizations like the IRS have taken a strong stance on the requirement for MFA. Every platform should follow suit, and companies that command a premium to offer MFA should be publicly shamed (see the SSO Wall of Shame) into making this a core part of all of their offerings. While the increasing adoption and additional spending are good trends to see, progress has been too slow.

To improve overall corporate security, enterprises should be actively educating employees, and providing them with tools, to follow these same practices in their personal lives. When we attach the word corporate to security, we're letting employees off the hook. We're sending the message that at work they have to follow secure processes -- implying that at home they have no such requirement.

In August 2020, Malwarebytes Labs reported 20% of organizations experienced breaches due to remote workers. This number is likely underreported given the rapid increase in remote workers and the length of time the pandemic has impacted the workforce. Equally alarming, employees themselves are overconfident about how unlikely they are to be the cause of a breach. 61% of respondents in Egress' Insider Data Breach Survey for 2021 answered that they felt they were equally or less likely to be the cause of a data breach while working from home.

The slow adoption of security best practices is often attributed to tool complexity and user experience. We are all creatures of habit, and if we encouraged the use of password managers, multi-factor authentication, and firewalls for personal use, we would see resistance to implementing these tools in the enterprise decline.

Given how connected we all are, the rising demands of working anywhere, and increasingly savvy bad actors who capitalize on a remote workforce, enterprises can no longer confine their efforts to the office space and ignore the home environment. The cost of education and licensing that support employees at home is a small investment that will pay big dividends in increased security at work and provide a boon for protecting employee personal data.
