Shweta Sharma
Senior Writer

Your employees are using sensitive corporate devices for personal browsing

News
Mar 28, 2024
4 mins
Mobile Security

Study shows more than 97% of employees use the same devices for work and personal activities.

Employees in the US are exposing themselves and their organizations to a range of cyberattacks: the vast majority use corporate devices, which have sensitive access to corporate resources, for personal browsing, according to a CyberArk study.

The study, which put browsing-related questions to more than 4000 office workers in the US, found that more than 97% of them used the same devices, including phones, laptops, tablets, and desktops, for both work and personal activities.

“We are often blind to what is going on within a web browser and we assume the best, but security-by-assumption is a risky proportion,” said Michael Sampson, an analyst at Osterman Research. “With so many activities in the enterprise being undertaken from a browser – rather than a rich client – it’s a treasure chest for cyberthreat actors if they can figure out ways to compromise sensitive information.”

CyberArk has also launched an identity-centric secure browser, an enterprise-grade, custom-built product intended to help employees adopt safe browsing.

Employees need secure browsing regimes

The study revealed that 17% of employees always use the same device for both workplace and personal browsing, while 78% of them have done so at least once.

When asked what could be leading to such oversight by workers, Archit Lohokare, GM for Workforce Solutions at CyberArk, provided two possible explanations.

“Firstly, people may have both personal devices and work devices but device management or policy from the IT team might mean each device is equally able to access corporate resources, or there is no such policy, so employees would just use whichever is most convenient,” Lohokare said. “The second big reason would be the continued Bring Your Own Device phenomenon exacerbated by the move to hybrid working, where desktop computers in use when employees are in the workplace are supplemented or replaced by portable devices used by employees that are far more mobile in terms of how and where they perform their role.”

More than two-thirds (68%) of respondents admitted to using the same password for both workplace and personal applications. Another 59% save workplace logins and passwords in the web browser used to perform their job.

“Unless firms are providing another way of doing this (e.g., password management, SSO), it’s too easy for an employee to click to save that information,” Sampson said, explaining why 59% save their login credentials in the browser.

Additionally, although 92% of respondents said MFA or other safe browsing policies are implemented at their respective organizations, 68% said they needed to violate such policies to get their job done.

“Many insecure workarounds that users adopt stem from a greater need for efficiency and convenience,” Lohokare added. “Workers may take shortcuts that allow them to be more productive because they feel that they cannot accomplish their tasks without doing so.”

CyberArk’s new secure browser

CyberArk has made a new identity-centric secure browser publicly available through its CyberArk Identity Security Platform to tackle browser-related security risks.

The enterprise-grade browser is designed to safeguard an organization’s valuable resources by enabling a passwordless experience and easy access to privileged information and assets, and to help prevent breaches resulting from cookie theft and session takeover attacks.

“The CyberArk Secure Browser was purposely built for the enterprise and its unique security needs,” Lohokare said. “It provides enhanced security, privacy, and productivity for organizations while delivering the familiar Chromium browsing experience that users know and expect.”

The benefits promised by CyberArk’s new browser include access segmentation privilege and integration into an organization’s IAM and security architecture, securing corporate access from personal or unmanaged devices, separating personal and work applications and domains, and compliance with regulatory and audit requirements. 

“With data breaches, credential theft, and other cyberattacks continuing to succeed, organizations need to do as much as they can to safeguard what they have,” Sampson said. “Tackling browser-based risks head-on is an important component of a cybersecurity re-evaluation.”