According to new research released Tuesday, many employees and managers in the United States and United Kingdom value trust in the workplace more than financial compensation.

A survey of 500 workers and managers in the US and UK by Osterman Research for cybersecurity firm Cerby found that nearly half of participants (47%) said they would take a 20% pay cut in exchange for greater trust from their employer.

Other characteristics the researchers found highly prized by employees included flexibility (48%), autonomy (42%), and being able to choose the applications needed to work effectively (39%).

The State of Employee Trust Report by Osterman and Cerby examines the impact of zero-trust principles that many companies are increasingly adopting as a solution to their cyber security needs as a result of the use of “unmanageable applications” by workers and managers.

“Apps are closely linked to the level of employee engagement and empowerment. If employers try to block apps, which they often do, it negatively affects trust,” said Matt Chiodi, chief trust officer at Cerby, a San Francisco-based provider of zero-trust architecture for unmanageable applications.

“Sixty percent of employees said that if an application they want is blocked, it negatively affects how they feel about the company,” Chiodi told TechNewsWorld.

“The answer is not for employers to block these apps, but to find solutions that allow these unmanageable apps to be managed,” he said.

Fretting Over Control

Security teams resent the use of unmanaged applications, also known as shadow IT, for a number of reasons. “Employees come and go. An organization can end up with thousands of unused credentials accessing its resources,” explained Szilveszter Szebeni, CISO and co-founder of Tresorit, an encryption-based email security company in Zurich.

“With a mountain of passive access, hackers are bound to find something that will go unnoticed and pave the way for them to infiltrate the organization through lateral movement,” Szebeni told TechNewsWorld.

Unmanageable applications can put an organization at risk because it has no control over the security practices applied to the programs’ development and management, said John Yoon, vice president of product strategy at ColorTokens, an autonomous zero-trust cybersecurity solutions provider in San Jose, Calif.

“In addition, the organization has no oversight of the applications’ security update requirements,” Yoon told TechNewsWorld.

Without any control over the application, organizations can’t trust it with access to their environments, said Mike Parkin, a senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation in Tel Aviv, Israel.

“Letting employees choose the best tool for the job, especially when it’s running on their own device, is welcome,” Parkin told TechNewsWorld.

However, he stressed, “this requires some compromise with the organization choosing the application and the employees willing to give up if their preferred app is not on the approved list.”

Roger Grimes, data-driven defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla., took a hard look at the issue.

“It’s up to an organization’s cybersecurity risk managers to determine whether the risks incurred are worth the benefits,” Grimes told TechNewsWorld. “You don’t want the average end user to decide what is or isn’t risky for the organization any more than you want the average passenger flying an airplane.”

Worth the Risk?

The applications are considered unmanageable because they often don’t support common security measures, such as single sign-on and automatic provisioning and deprovisioning of users, Chiodi explained.

“It presents a risk to a business, but business users still need those applications,” he said. “Businesses need to find ways to get those applications to the point where they can be managed, so that those risks are reduced.”

Labeling applications unmanageable is misleading, said Marcus Smiley, CEO of Epoch Concepts, an IT solutions provider in Littleton, Colo.

“They’re built without support for modern industry security standards, which makes them harder to monitor and secure,” Smiley told TechNewsWorld, “but that means they can’t be managed like other applications. They can be managed in different ways.”

“When unmanageable applications are being used, there is always some reason,” he said. “Many organizations need better communication between IT and employees to clarify company policies and the reasons behind them.”

“IT should also provide channels for requesting applications and be proactive in providing more secure options for problematic ones,” he added.

Smiley said that in some situations, allowing unmanaged applications with oversight is appropriate, so that best identity-management practices and more secure configurations are put in place instead of less secure ones.

“Ultimately, there is no such thing as a risk-free cyber security strategy,” he added. “Every security program – even those that fall under zero trust – involves trade-offs between mission-critical business functionality, productivity and risk.”

Balancing Act Needed

The safest approach is to have any application reviewed prior to adoption by an individual or team with cybersecurity expertise, to identify any issues that may arise from use of the software or service, to ensure that the legal terms are acceptable, and to establish a plan for ongoing maintenance, recommended Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.

“Unfortunately, many organizations do not have the expertise or resources to properly assess these risks, resulting in the process not happening at all or, as bad, taking weeks or months, which hurts employee morale and productivity,” Clements told TechNewsWorld.

“Balancing cyber security risk with employee needs is a practice that organizations need to take more seriously,” he said. “Allowing a Wild West approach will inevitably introduce cyber security risks. But on the other hand, being overly rigid can lead to choosing product or service solutions that heavily compromise usability and user convenience, or to denying approval completely.”

“These can create frustration and lead personnel to leave the organization or actively subvert security controls,” he continued.

Misusing zero-trust principles can also add to that frustration. “Zero trust is for data, access, applications and services,” Chiodi argued. “But when it comes to building trust on the human side, companies should aim for higher trust. The two are not mutually exclusive. It’s possible, but there’s going to be a shift in how employers use security controls.”

“By giving employees technology choices, companies can show that they trust their employees to make technology decisions that help them do their jobs better,” said Karen Walsh, principal at Allegro Solutions, a cybersecurity consulting company in West Hartford, Conn.

“By reinforcing it with education around the mindset of compromise, they build a stronger relationship with the members of their workforce,” Walsh told TechNewsWorld.

Nearly 50% of all phishing attacks in 2021 were aimed at stealing the credentials of federal, state and local government employees, according to a report released Wednesday by Lookout, an endpoint-to-cloud security company.

Phishing attacks on civil servants increased 30% from 2020 to 2021, with one out of every eight workers exposed to phishing threats during that period, according to the report, which Lookout based on an analysis of data from 200 million devices and 175 million apps. The company serves federal, state and local government customers.

While mobile phishing attacks outside the public sector are dominated by malware delivery, credential theft is on the rise in the public sector: it increased 47% in 2021 compared to the previous year, while malware delivery declined by 12% during the same period.

Compromised credentials give threat actors an easy way to get their hands on the valuable data that governments hold.

“The first thing that comes to mind is nation-state actors trying to establish a presence on government networks,” said Mike Fleck, senior director of sales engineering at Cyren, a cloud-based security provider in McLean, Va.

“Fraudsters will also be interested in access – think fake unemployment claims and ‘cleaning up’ of stolen vehicles,” he told TechNewsWorld.

“When it comes to government,” said Lookout Senior Manager for Security Solutions Steve Banda, “there is going to be some highly confidential information available that is going to be valuable to some party somewhere, either a malicious person or nation state.”

BYOD Expansion in Government

The report also noted that all levels of government are increasing their reliance on unmanaged mobile devices. The use of unmanaged devices in the federal government increased by about 5% from 2020 to 2021 – and closer to 14% for state and local governments during the same period.

“We’ve seen a lot of change in what organizations are starting to do with mobile devices,” Banda told TechNewsWorld. “There is a big shift toward unmanaged, especially as agencies become more comfortable adopting BYOD strategies.”

“Remote work has certainly accelerated BYOD,” he said.

While the increased use of unmanaged devices suggests an expansion of remote working, it may also reflect a recognition of the benefits of BYOD for employees and agencies.

“I’ve had separate work and personal phones before, and it’s very easy to do everything on one device,” Fleck said.

“Covid forced remote work faster than any government procurement cycle,” he explained. “It is understandable that agencies were forced to adopt BYOD policy faster than their ability to purchase and deploy mobile device management platforms.”

Greater Phishing Exposure

Permitting the use of unmanaged devices also indicates that agencies are finding that employees can work effectively remotely, maintained Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

“Modern software and tools allow for unprecedented collaboration capabilities, and the tools being used are more capable than ever,” he told TechNewsWorld.

“With the onset of Covid forcing many organizations that were resistant to working remotely to implement the strategy, a lot of organizations have seen benefits in allowing this to continue,” he said.

More than a third of state and local government employees were using personal devices for work in 2021, the report said, adding that these agencies are leading the adoption of BYOD.

While this offers employees more flexibility, the report acknowledged that these unmanaged devices are exposed to phishing sites more often than managed devices, since unmanaged personal devices connect to a wider range of websites and use a more diverse set of apps.

“My experience shows that remote workers may be more vulnerable to phishing because they are working in an environment that blurs the line between job and home life, and they become more comfortable and less alert than they are in the office,” Kron said.

Ray Stein, CSO of Mainspring, a provider of managed IT services in Frederick, Md., said remote workers are no more likely to fall for a phishing scam than other employees.

“But without the supervision or protection of an enterprise firewall, it’s easy to reach them through different channels,” he told TechNewsWorld. “This increases the number of phishing scams they are exposed to, leaving them more vulnerable than long-term office workers.”

Old Android Versions

The report had good and bad news about government employees running older versions of Android on their phones.

The bad news was that nearly 50% of state and local government employees are running older versions of the Android operating system, exposing them to hundreds of device vulnerabilities.

The good news is that this is a marked improvement over the previous year, when 99% of mobiles were running older versions of the operating system.

The report states that keeping the mobile operating system up to date is the best form of cyber security. However, government agencies or departments may choose to delay the update until their proprietary app is tested, it continued. This delay creates a vulnerability window during which a threat actor can use a mobile device to access an organization’s infrastructure and steal data.

“New releases or versions of the OS build on their previous releases, including all security enhancements and improvements,” said Stuart Jones, director of the Cloudmark division at Proofpoint, an enterprise security company in Sunnyvale, Calif.

“Without the latest version of the OS,” he told TechNewsWorld, “the benefits of these enhancements are not available on the device or for the user.”

Stein said that in 2021, Google’s Threat Analysis Group (TAG) discovered at least nine zero-days affecting its products, including Android devices.

“Patches for those vulnerabilities were included in Android updates, but users stuck on older OS versions may not benefit from them,” he said.

Need for Extreme Caution

Banda said it can be challenging to keep pace with Android due to its fragmented environment.

“To update to a certain level, you must have the correct combination of mobile operator and device manufacturer’s firmware,” he explained. “There are a number of factors that determine whether you can take on a release.”

Not only does this make it difficult for users to keep their Android version current, but it also makes it difficult for employers to keep the devices secure. “A company needs to know who is running which version of Android,” Banda said. “They have to figure out how to get that visibility and create policies so everyone can get up to speed on the latest version available to them.”

After working in the federal space for most of his career, Sami Allini, a biometrics specialist at Contrast Security, a maker of self-protecting software solutions in Los Altos, Calif., said he is troubled by how long adversaries will continue to exploit and infiltrate government institutions.

“As an activist in this field, one must be vigilant about all interactions, including those with colleagues,” he told TechNewsWorld. “As this report shows, phishing, a form of social engineering, is on the rise, and for good reason. Social engineering is one of the most effective ways to gain access to information or property that someone shouldn’t have access to.”