Of the many effects the COVID-19 pandemic has had on business, one of the most dramatic has been the way hundreds of millions of employees around the world have been forced to work from home (WFH). Within a matter of weeks in early 2020, WFH went from an occasional employee convenience to be the only way many organizations could continue to function.
The scale of this change was extraordinary. A YouGov survey of global office workers commissioned for this report by HP shows that 82% worked from home more since the start of the pandemic. This has prompted a reassessment of WFH as having compelling economic and personal benefits. It seems likely there will be a permanent change in working patterns that organizations must adapt to maintain competitive advantage. In fact, the findings showed that 23% of office workers globally expect to be predominately WFH post-pandemic, and a further 16% expect to split their time equally between homeand office-based working.
However, the danger is that organizations embrace WFH without assessing how this environment amplifies existing security threats. The volume of corporate data being accessed from home has risen substantially, including sensitive financial records, putting more information at risk. All the while, the number of endpoints – personal and employer provisioned – being used to access the corporate network from beyond the traditional network perimeter has exploded.
The data in this report highlights the limitations of the perimeter security model for securing remote workers, including the burden it places on security teams. Often, endpoint devices such as laptops, PCs, and printers are left exposed, raising the chance that security incidents become invisible until the damage is done. These blind spots mean many businesses could be headed for a fall.
HP Wolf Security is the company’s new integrated portfolio of hardware, software, and services designed for this new normal. In this HP Wolf Security report, we provide a multi-dimensional view of the security issues at play. We combine findings from a global YouGov online survey of 8,443 office workers who have shifted to working from home during the pandemic with a global survey of 1,100 IT decision-makers (ITDMs), to gain both sides of the story. The data is further enriched with real-world threat telemetry from HP Sure Click virtual machines (VMs) – which illustrates these risks – along with analysis from leading analyst firm Kuppinger Cole providing the global context.
Examining the issue through these different lenses, this HP Wolf Security report will discuss:
Cybercriminals have been quick to capitalize on the chaos. As with the pandemic, cyberattacks appeared in waves, starting with an early phase where criminals realized organizational defenses were more vulnerable to attack than usual. According to figures from the World Economic Forum (WEF), between February and April 2020, there was a 238% increase in global cyberattack volume.
Fending off such attackers has become increasingly difficult, as distributed workers are no longer protected by the corporate firewall, with many accessing critical data via insecure connections. Of respondents in the ITDM survey, 89% are concerned that employees are not using a secure connection, such as a VPN.
As a result, the perimeter has shifted from the network to the endpoint. The survey of ITDMs revealed that 91% believe endpoint security has become as important as network security now that more employees are working from home. A further 90% of ITDMs agreed the pandemic experience of 2020 has highlighted the growing importance of strong endpoint security in defending the increasingly perimeter-less organization; 91% say they spend more of their time on endpoint security than they did two years ago.
The nature of the endpoint is constantly evolving and diversifying. According to Kuppinger Cole: “The many connected devices that employees use in their working from the home environment have contributed to the breakdown of the corporate IT infrastructure and network, including printers.” Home environments are now full of devices targeted by cybercriminals, such as Internet of Things (IoT) devices, which Kuppinger Cole noted are notorious for weak security design. This includes printers, which are often overlooked by security teams, with a 2020 study cited by Kuppinger Cole finding that more than half (56%) are accessible via often-used open printer ports that could be hacked.
The shift to home working has changed the nature and scale of cybersecurity risk. In many organizations, this has not yet been fully appreciated, often because it’s less visible or underestimated. An interesting facet of this has been a culture change. A device used in the office lives a relatively tame existence; take the same device to the home environment and everything changes. At home, employees do things they would never do in the office, which can quickly multiply cybersecurity risks in ways that can be hard to keep tabs on.
Illustrative of this issue, this HP Wolf Security report shows that 76% of office workers surveyed say that WFH during COVID-19 has blurred the lines between their personal and professional lives, in effect merging work and home into a single environment. When asked about how this affects their use of corporate devices, 50% agree that they now think of their work laptop as a personal device.
Further to this, and potentially more concerning, 30% admit they have allowed someone other than themselves – e.g., a partner, child, or friend – to use their work laptop, often more than once a day. Of those that have shared their device, 27% say they know they are not meant to, but they feel they ‘had no choice due to these being exceptional times.
The effect of this ownership psychology is that employees become less wary of security risks, meaning work devices are being increasingly used for a growing range of personal tasks – 84% of ITDMs are concerned that employees using their work devices for personal tasks during the pandemic has increased their company’s risk of a security breach.
When asked, ITDMs estimate that around a third (33%) of their employees are using their work computer for personal things (e.g., playing games, browsing for fun), when in reality this number is much higher. 70% of office workers surveyed admit to using their work device or letting someone else use their device for personal tasks – with 46% admitting to using their work laptop for ‘life admin’, a figure that rose to 61% for 25 to 34-year-olds. Four in ten office workers surveyed admit to using their work devices for homework and online learning, which rises to 57% for parents of children aged 5 to 16.
Another clear trend has been for employees to access corporate networks using personal devices. When asked, ITDMs estimate that just over half (53%) of their workers are using personal devices for work-related tasks. Again, the real fi gure is higher – this HP Wolf Security report shows that 69% of offi ce workers surveyed have used their personal laptop or personal printer/scanner for work activities since the start of the pandemic. They have been using personal devices for a wide range of tasks more often in the past year, including:
The danger of this behavioral aspect of technology is that organizations end up being subjected to risks they can no longer see. Anxiety about this is clear within HP Wolf Security’s global ITDM survey, with more than a third (35%) stating that a lack of control over how corporate devices are being used and by whom is one of their biggest challenges at present. ITDMs expressed several concerns relating to new employee behavior that they felt are increasing organizational risk, including:
And they are right to be concerned. Of those surveyed, 51% of ITDMs said they had seen evidence of compromised personal devices being used to access company and customer data in the past year, while 45% had seen evidence of compromised printers being used as an attack point in the past year.
Furthermore, 54% of ITDMs reported they had seen evidence in their organization of a higher number of phishing related attacks in the last year, while 56% had seen evidence of an increase in web browser-related infections, and 51% said they had found users using unpatched endpoints in the last year.
The big question remains: in a world where people can work from anywhere, how do we build the distributed, hybrid workforce of the future, without exposing the enterprise to an increased level of cyber risk? An employee lending their child their work laptop to download games could be considered reckless but also understandable as people try to juggle home life with work, and it is clear from the data they are not alone. This is about more than a single moment in time. While the pandemic has spurred businesses into action and accelerated the shift to WFH, the pandemic is likely to have changed the way people work forever. Organizations must quickly assess how they manage this risk in this new normal and enable workforce mobility and security at the same time.
Cybercriminals are more sophisticated, organized, and determined than ever. Digital and data transformation is widening the attack surface. Despite their best efforts, overstretched IT and security teams are struggling to keep up. Against this backdrop, endpoint security is more vital than ever as the first line of defense. If an employee can be tricked into bypassing a control, ignoring a warning, or simply being careless, then it’s as if that control doesn’t exist. When security fails, it often fails badly, allowing attackers to gain a foothold in systems, exfiltrate data, spy, and disrupt at will. This is not new, but the advent of WFH exposes the problem on a new scale.
The extreme fix to this is to resort to the technological equivalent of lockdown. Access is restricted, layers of authentication are added in an uncoordinated way, and device usage is constrained by optimistic policies. With WFH, this quickly causes problems, hurting employee productivity and reinforcing the idea that security gets in the way.
The alternative, often championed by the industry, is ‘detect to protect’, looking for signatures and codes known to be bad. However, the rise in ‘polymorphic’ auto-generated malware – i.e., machine-generated malware – frustrates such approaches. The next generation of detection tries to address this by using machine learning to spot possible mutations, but malware developers have access to these tools; they can automatically test their code and tweak it until it evades detection, giving them confidence it will stay off the radar. Some attacks always slip through the net.
Re-balancing the need for security against the needs of the worker requires a completely different model of endpoint and WFH security. Built on the principles of Zero Trust, which states that nothing should be trusted implicitly, access to resources should be assessed based on context – e.g., user, device, location, and security posture. Critically, this applies not only to individual devices but to different elements on the endpoint itself, including firmware, application security, the integrity of the OS, and the account or user accessing data.
A more distributed, the digital world doesn’t have to mean a more vulnerable world. As the cyber world constantly evolves, so must cybersecurity. The technology of the near future will be secure by design and intelligent enough to not simply detect threats but to contain and mitigate their impact, as well as to recover quickly in the event of a breach. Helping our customers safely navigate this dynamic digital ecosystem is what drives us at HP.
With this front of mind, HP is introducing HP Wolf Security – our newly integrated portfolio of secure by design PCs and printers, hardware-enforced endpoint security software, and endpoint security services – to help customers navigate this challenging landscape and to defend against the plethora of new attacks and risks related to our increasingly distributed way of life. The HP Wolf Security platform builds on over 20 years of security research and innovation to offer a unified portfolio for customers focused on delivering comprehensive endpoint protection and cyber-resiliency.
Rooted in Zero Trust principles, HP Wolf Security provides defense-in-depth and enhanced protection, privacy, and threat intelligence, gathering data at the endpoint to help protect the business at large.
HP Wolf Security helps organizations to defend against both known and unknown threats – even Zero-Day vulnerabilities. Combining hardware-enforced software and security features with industry-leading endpoint security services, HP Wolf Security implements layered security and enables seamless integrations with the wider security stack. As such, customers benefit from robust, built-in protection from the silicon to the cloud, from the BIOS to the browser.
For too long, the endpoint has been seen as a victim, outclassed by adversaries that could only be contained using network detection. This was always optimistic. Once a threat escapes from the endpoint, the danger it poses is hugely magnified. The right place to stop threats is exactly where they occur, in the specific layer of software that was compromised. No attack should ever be able to leave a compromised endpoint with powerful privileges.
HP Wolf Security helps to defend businesses against threats relating to remote working and will continue to bring out new security features to help users stay ahead of evolving threats. Examples today include:
All this leads back to HP’s overriding purpose: We are here to reduce the ever-growing pressure on IT and security teams as they navigate unprecedented levels of cyber risk, and to help their users and customers so they can continue to work safely from home or remotely. Go to HP Wolf Security’s home page to find out more.
The findings in this report are made up from four separate data sources:
HP Security is now HP Wolf Security. Security features vary by platform, please see product data sheet for details.
HP Sure Access Enterprise requires Windows 10 Pro or Enterprise. HP services are governed by the applicable HP terms and conditions of service provided or indicated to the Customer at the time of purchase. Customers may have additional statutory rights according to applicable local laws, and such rights are not in any way affected by the HP terms and conditions of service or the HP Limited Warranty provided with your HP Product. For full system requirements, please visit Www.hpdaas.com/requirements.