Half (49%) of U.S. WFH employees say they continue to use their personal laptop or computer as they work remotely, according to Morphisec’s 2021 WFH Employee Cybersecurity Threat Index. The second annual study found enterprise employees remain worryingly reliant on non-hardened personal devices for work activities 16 months after the pandemic forced them to go remote.

The study, which included polling of more than 1,000 U.S. employees forced to work remotely during the pandemic, found that the number of WFH employees who upgraded to hardened company devices increased just 8% since last June. The finding is worrying given the extraordinary increase in cyberattacks targeting distributed organizations through vulnerabilities associated with the crumbling of perimeter-based security.

Morphisec also uncovered U.S. workers’ plans to remain remote in at least some capacity post-pandemic. 35% of traditionally office-based employees say they will continue working from home two to three days per week, 12% note they’ll remain remote full-time, and 11% plan to work primarily from home long-term. In the current threat-filled cybersecurity landscape that has taken a historic number of organizations as victims, the above highlights just how vulnerable enterprises remain in 2021. In fact, companies that transitioned to work-from-home at the onset of COVID-19 have been significant targets for cybercriminals, with 27% of these organizations reporting a cyberattack during the pandemic.

Despite the threat, remote workers’ security protocols and software remain troublingly lax, with 42% of employees admitting they don’t have antivirus protection installed on the device they use most while working from home and just 22% saying they use enterprise-grade passwords. Furthermore, only 12% of WFH employees say they disable remote access when they’re not using their computer for work. This is a discouraging statistic considering how cybercriminals gained remote control of a U.S. water treatment facility’s network earlier this year using old remote login credentials.

Meanwhile, employees whose companies were victims of cyberattacks since shifting to remote work reported spear-phishing (31%) and supply chain attacks (24%) were the most common breach methods. Spear phishing, or targeting phishing, has been rising exponentially over the past year and is growing increasingly sophisticated, meaning bad actors enjoy a tremendous amount of success when they deploy this tactic. Similarly, supply chain attacks like the devastating SolarWinds attack and the more recent Kaseya attack have quickly become some of the most damaging attacks in history.

“With the Covid-19 crisis creating a permanent shift towards remote and hybrid workforces, there’s an urgent need for enterprises to update their security operations to account for their employees’ new ways of working outside of the traditional security perimeter,” said Ronen Yehoshua, CEO at Morphisec. “Our second annual report on the future of securing a distributed workforce highlights that the long-term train to hybrid work has left the station. As today’s workers alternate between work and home, it’s time for security teams to abandon perimeter security and treat the endpoint as the last true perimeter with automatic protection that stops ransomware, infostealers and other advanced attacks before the breach."

Download the full Morphisec 2021 WFH Employee Cybersecurity Threat Index here.