WFA bodes ill for cybersecurity

The divide between the amount of cybersecurity that can be brought to bear between large and small organizations appears to have widened in the wake of the COVID19 pandemic. More employees may be back at work in an office but the number that are also working more regularly from home has substantially increased. The trouble is most people work for smaller organizations that as it turns out too often didn’t really do all that much to shore up their cybersecurity during the pandemic.

A survey of 5,800 workers in the U.S. conducted by PC Matic, a provider of antivirus software, finds a little more than a third (36%) are continuing to work remotely. Only 39% of those workers report that their employer-provided them with a device to work from home and 91% report their employer did not provide them with any form of AV software for the devices they are using at home.

Now many employers are going to assume that employees are savvy enough to acquire and install their own AV software. However, the survey also notes that 38% of employees report they are not using a virtual private network (VPN). Roughly also note they don’t receive any type of IT support while working from home either.

The primary reason employees are not getting access to the cybersecurity technologies they need is the bulk of the workforce in the U.S. is employed by smaller companies that don’t have much in the way of cybersecurity expertise or available budget. Larger companies, in the meantime, are starting to implement zero-trust best practices that are based mainly on identity access management (IAM) tools and platforms. There is at this point, however, nothing easy about IAM. A survey of 300 IT executives conducted by Forrester Consulting on behalf of ForgeRock, a provider of IAM tools, and Google Cloud finds a range of issues ranging from deployment challenges to lack of expertise is holding up adoption of IAM.

For example, 66% of respondents say that process issues, such as flexibility and agility of IAM systems and the ability of those systems to support hybrid cloud worlds, are impeding their adoption. In addition, 88% of respondents said technology issues, such as limited IAM functionality, lack of product scalability, and the inability to manage identity and access across current applications, are preventing adoption, while nearly half (48%) cited a lack of cloud IAM expertise as an issue.

Now the chance a smaller organization is going to be able to master IAM better than an organization with a lot more resources is slim to none. There’s nothing necessarily new about the fact that smaller organizations have considerably less secure IT environments than larger entities but it’s also clear that this divide is about to become much wider. The challenge is that most large organizations are dependent on a supply chain made up of a dizzying array of smaller companies that cybercriminals are becoming more adept at identifying and targeting. An employee of a small company working from home using a wireless network that doesn’t even have a VPN is now the weakest cybersecurity link in an extended supply chain.

There’s no doubt a larger cybersecurity conversation is about to be had about the whole work from anywhere (WFA) movement. A global survey conducted by Lenovo finds 83 percent of IT decision-makers from businesses surveyed said they expect post-pandemic work to be remote at least half the time. With more people logging into corporate applications from anywhere the number of cybersecurity incidents will rise. The issue is that cybersecurity teams that work for larger companies will face is they don’t exercise any real influence over the behavior of employees that work for smaller companies. Many of those employees are often privy to all kinds of sensitive data emanating from the larger companies that are their customers. It may require a few major breaches before this whole WFA phenomenon is properly addressed from a cybersecurity perspective. In meantime, savvy cybersecurity teams may want to start thinking through what it really means to implement zero-trust best practices across an extended enterprise that includes all kinds of entities that today don’t have any meaningful cybersecurity capabilities of their own.