Poor passwords leave workers at risk of phishing attacks

Last updated on 13 October 2023

Almost two-thirds of employees use the same passwords for personal accounts and work-related accounts. [Source: Shutterstock]

Online security is a major concern for remote and hybrid workers with a recent study uncovering a concerning strike rate for employees targeted by phishing attacks. With the potential for company or client data to be at risk, it’s essential employers do all they can to stave off a cyber attack or data breach.

Key points

  • A recent survey found that 85% of respondents have been the victim of phishing, a type of scam where someone sends emails or messages intended to trick the victim into handing over passwords or personal data
  • 67% of those who have experienced a phishing attempt have had it occur multiple times
  • Password security is varied for remote and hybrid workers: 30% of people store passwords in a spreadsheet or document while 59% use the same passwords for personal and business accounts
  • Only one-quarter of employees have received some sort of online security training

The average employee spends about one-third of their week working remotely, often at home, but also in cafes, public spaces or interstate on work trips. Many workers who cannot officially work remotely, such as nurses, catering staff or personal care workers, may still be required to complete online training in their own time at home.

Every employee who works from home has one thing in common: they use passwords. GetApp's recent survey revealed that only 43% of remote and hybrid workers use unique passwords across the websites they frequently visit, with 57% sticking to the same master password or group of passwords for multiple sites.

Nearly half of employees rely on their memory for password management, while one-third write it down. [Source: GetApp]

That figure on its own is worrying enough: if an employee's password were compromised in one breach, scammers or hackers could replay it against every other account that shares it, a technique known as credential stuffing. But when you consider that one-third of respondents also store their passwords in a spreadsheet or document, and nearly two-thirds use the same passwords for personal and business accounts, the risk that company or client data could be compromised increases considerably.

“In addition to the rising number of security threats… the danger of more sophisticated cybersecurity threats that make it easier for online criminals to replicate these crimes on a grander scale,” Andrew Blair, Content Analyst for GetApp explained. 

“Alarmingly, 48% of respondents who have received a phishing email said the phishing attempt was impersonating a company. This type of phishing attempt can be a major concern for businesses that outsource to external companies, where employees may be unable to distinguish between an official email and a phishing attempt.”

Mr Blair said that company data leaks, loss of company data, and financial loss are some of the main impacts of a successful phishing attack.

“Company data breaches that are officially reported can have a detrimental effect on a company’s reputation. Password managers are an effective front-line defence to store and build strong passwords that companies can mandate in their password management policy,” he added.

Cyber safety education is essential 

With only one-quarter of respondents stating they have received IT security training, it's essential for employers to ensure staff understand their responsibilities around password management and phishing attempts. Staff who simply delete suspicious emails without reporting them leave management in the dark; IT can only strengthen defences against the attacks it knows about, so a policy should tell employees how and where to report phishing attempts.

“Training staff to understand cyber security is one of many ways businesses can effectively layer up defences against a cyberattack. 15% of remote and hybrid employees cited that they have not received some form of cyber security training,” Mr Blair said.

“However, of those respondents who have received training, only 22% of respondents said they completed a certified course on cyber security. Effectively, companies should focus on continuous training as cyber threats continue to evolve.”

As part of your cyber safety education and protection, create an effective password policy to provide structured guidelines for employees. This is a handy way to promote the importance of security amongst employees who may not consider the risk of using personal passwords in work-related situations.

Key points to cover in a password policy:

  • Two-factor/multi-factor authentication (2FA/MFA): Authentication tools offer additional security for work-related accounts and websites, including email, payroll and client/customer databases. MFA asks users to confirm a login with a second factor beyond the password, such as a code from an authenticator app or a hardware security key. Note that codes sent by SMS or generated by an app can still be relayed by a phishing page in real time, whereas hardware keys (FIDO2/WebAuthn) are bound to the genuine site and are therefore phishing-resistant; prefer them for high-value accounts.
  • Appropriate passphrases: Length matters more than forced complexity. While some websites impose their own rules, staff should use passwords of at least 12 characters, and a policy should set a minimum length but not a short maximum. A passphrase made of several unrelated words is both stronger and easier to remember than a single word with numbers and symbols substituted in. Passwords should also be checked against lists of known-breached passwords, and a password used for a personal account must never be reused for a work account.
  • Virtual private network (VPN): Although not essential, VPN software lets staff reach your internal systems through an encrypted connection, which protects traffic on untrusted networks such as cafe Wi-Fi. A VPN does not, however, stop a phishing email from reaching an employee or stop them entering credentials on a fake site.
  • Password change frequency: We often think of passwords as set and forget. Current guidance (NIST SP 800-63B) recommends changing a password promptly whenever there is evidence it has been compromised, rather than on a fixed schedule, because forced periodic rotation tends to produce predictable variations of the old password. If your policy does include scheduled changes, pair them with a password manager so that the new passwords are genuinely random.
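The passphrase and reuse points above can be enforced automatically when a password is set. The following is an added example written for this article, not code from GetApp or from the article's author; it checks a candidate password against a minimum length, accepts a multi-word passphrase without demanding symbols, flags reuse across accounts, and looks the password up in a breach corpus using the same k-anonymity pattern as the Have I Been Pwned range API (only the first five characters of the SHA-1 hash leave the client). The breach corpus here is a small constructed list standing in for a real one; in production you would query the live service or a local copy of its hash set.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus (assumption: a real deployment
# queries the HIBP "range" API or a local copy of its SHA-1 hash list).
_COMPROMISED_PLAINTEXT = ["password", "Password1!", "Welcome123", "qwerty", "letmein"]
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _COMPROMISED_PLAINTEXT
}

MIN_LENGTH = 12  # policy minimum; deliberately no maximum


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the format the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> set:
    """Simulate a k-anonymity range query: given the first 5 hex characters
    of a hash, return the 35-character suffixes of every compromised hash
    sharing that prefix. The full hash never has to be sent anywhere."""
    return {h[5:] for h in COMPROMISED_SHA1 if h[:5] == prefix}


def is_compromised(password: str) -> bool:
    full = sha1_hex(password)
    return full[5:] in range_lookup(full[:5])


def check_password(password: str, reused_elsewhere: bool = False) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # A passphrase of three or more words is acceptable on length alone.
    # A single word must mix at least three character classes so that a
    # plain dictionary word does not pass.
    words = re.findall(r"[A-Za-z]{3,}", password)
    if len(words) < 3:
        classes = sum(
            bool(re.search(pattern, password))
            for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
        )
        if classes < 3:
            problems.append("single word without mixed character classes; use a multi-word passphrase")

    if is_compromised(password):
        problems.append("appears in a known breach corpus")

    # The caller knows whether this password is already used on another
    # account (e.g. from a password manager); reuse is a policy violation.
    if reused_elsewhere:
        problems.append("reused on another account")

    return problems


if __name__ == "__main__":
    for candidate in ["Password1!", "correct horse battery staple", "tr0ub4dor&3"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

The "Password1!" case is the instructive one: it satisfies the old "upper, lower, number, symbol" rule yet fails on both length and the breach lookup, which is exactly why the policy should emphasise length and breach checks over character-class complexity.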
Tags:
aged care
technology
IT
online security
cyber security
staff education
staff cyber training
phishing
online scams
password security
data and technology
aged care workforce training