Will there ever be consensus over RTO? When corporations like Amazon, Dell, and AT&T announced five-day RTO policies in Q4 2024 and Q1 2025, the response was largely negative.
According to University of Pittsburgh researchers, about 80% of employers said they lost talent due to the mandates. As a result, many employers quietly shifted to hybrid models, with 79% setting minimum weekly office hours to give their teams some control over when they came in. This new rise in hybrid environments once again brings attention to the topic of remote work security.
As we navigate the complex landscape of work in 2025 and beyond, the elephant in the room is clear: remote work is here to stay—and so are its associated risks. This includes the mismanagement of passwords and its implications for business continuity.
Five (5) types of shadow IT you must identify before implementing remote work security measures
Proper asset identification is critical in deciding the level of control and security your business needs. By knowing who is using which devices and tools, you can better enforce policies related to acceptable use and data handling.
Here are five (5) shadow IT types your employees may be using:
| Shadow IT type | Examples |
| --- | --- |
| Personal devices | Laptops, smartphones, and tablets |
| Productivity apps | Trello, Notion, Airtable, and Asana |
| Communication apps | Zoom, Skype, Signal, and WhatsApp |
| File-sharing apps | Dropbox, Google Drive, and iCloud |
| Design tools | Canva and Adobe Creative Cloud |
Next, we’ll talk about the three (3) biggest remote work security risks and how they can affect your business.
The three (3) biggest remote work security risks most employers ignore
Weak password security
With new research showing 66% of employees experiencing varying levels of burnout, it’s clear why many are ignoring NIST-recommended rules for creating strong passwords. Three types of cognitive bias explain why:
- Confirmation bias: Many employees think their passwords are good enough because they’ve never experienced a breach. They mistakenly think ChatGPT-generated passwords will protect their accounts from being hacked.
- Hyperbolic discounting: Employees opt for easy-to-remember or reused passwords due to a sense of overwhelm. In hyperbolic discounting, present comfort is prioritized, despite risks to long-term security.
- Loss aversion: Employees are resistant to using password managers because they fear the initial setup and learning curve would result in a loss of time and productivity.
Why you should care about password security: 80% of all data breaches involve passwords. So far in 2025, we’ve seen the theft of 244 million passwords from a crime forum, the theft of 3.9 million passwords by infostealers, and the use of 85 million stolen passwords to perpetrate RDP (remote desktop protocol) port attacks.
Shadow IT and AI
The shift to remote work has dramatically increased the use of shadow IT and AI:
- 80% of employees admit to using shadow AI without the necessary permissions or IT oversight.
- Shadow IT usage has exploded by 59% and is largely driven by the remote work model.
- The average company has 975 unknown cloud services.
Two key factors are fueling the use of shadow IT and AI:
- Pressure to prioritize immediate productivity gains over security: 91% of employees adopt shadow IT to get tangible work results quickly.
- Red tape and slow internal processes: 38% of employees are frustrated over slow IT response times and the effect on their work performance.
Why you should care about Shadow IT and AI:
- Breaches involving shadow data in Gen AI environments take 26.2% longer to identify and 20.2% longer to contain, averaging 291 days. They also result in higher breach costs, averaging $5.27 million.
- Attacks involving shadow IT are costly and time-consuming to remediate (averaging $4.24 million per data breach).
- The rise of shadow AI has led to a 26.5% rise in IP theft and an average cost of $1.47 million in lost business and reputation damage.
Poorly defined BYOD (bring-your-own-device) policies
Let’s face it: BYOD is here to stay.
Studies show employees are 34% more productive when they’re allowed to use their personal cell phones for work. And their organizations benefit as well, saving roughly $250 per employee per two-year contract.
BYOD is so popular that the market is expected to grow from $132.22 billion in 2025 to $276.39 billion by 2030.
So, what’s not to like?
Here’s why you should care about BYOD: Weak BYOD policies can severely undermine remote work security in several ways.
- The tension between employee privacy and legitimate business interests may increase litigation against your business. In December 2024, Apple employee Amar Bhakta sued the tech giant, maintaining that Apple’s BYOD policies allowed it to access personal data on employee devices, including emails, photos, videos and location data. The case could set a precedent for how employers approach workplace surveillance and BYOD policies.
- Lack of visibility into SaaS usage leads to redundant tools and inflated IT budgets. About 60% of IT leaders report being unaware of the apps their employees use, which means a high portion of IT spending occurs without oversight.
- Weak shadow IT credentials and their insecure storage increase the likelihood of data breaches for your business. Phishing and ransomware attacks often target shadow IT resources due to their use of default credentials and their lack of robust identity verification measures like MFA. In addition, employees often store login credentials insecurely (in browsers or personal text files), making them easy to steal.
- Inconsistent security standards may lead to compliance issues. Poorly defined BYOD policies can lead to regulatory non-compliance. In August 2024, the SEC fined 26 Wall Street firms $393 million for failure to document client communications over personal devices. Essentially, this failure violates record-keeping provisions in federal securities laws.
Three (3) simple yet powerful security measures you can implement right away for remote work security
#1 Provide employees with a password manager to reduce the risk of weak passwords and insecure credential storage
A password manager gives you clear benefits from Day One:
- Strong password generation: A password manager automatically generates strong, unique passwords for each account, eliminating the use of weak or reused passwords.
- Encrypted storage: A password manager protects all credentials in an encrypted vault, reducing the risk of unauthorized access. This means your employees won’t need to resort to insecure storage methods like browsers or sticky notes.
- Autofill functionality: A password manager fills credentials only on the site whose address matches the saved entry, so employees are far less likely to hand them over to a lookalike phishing page.
- Dark Web monitoring: A password manager alerts your employees if any of their credentials have been compromised, allowing for prompt action on their part.
#2 Implement phishing-resistant FIDO2-based MFA to strengthen authentication measures and prevent unauthorized access
Around the world, 56% of IT professionals say their company supports SMS-based MFA. Although widely used, this type of MFA is also the least secure. In fact, the proliferation of new MFA bypass techniques has prompted CISA to issue strong recommendations against SMS-based MFA altogether.
In 2023, Coinbase revealed that 95.65% of account takeovers on its platform involved SMS-based MFA, which about 95% of its customers were using.
According to CISA, FIDO2-based MFA is a “foundational capability in building Zero Trust maturity.” CISA’s Zero Trust Maturity Model specifically calls for phishing-resistant MFA, which FIDO2-based MFA provides. Essentially, this type of MFA supports the “never trust, always verify” principle of Zero Trust data security, a strategy designed to accommodate the complexities of a modern, mobile workforce.
#3 Choose an identity solution with Zero Knowledge architecture to ensure both secure access and employee privacy
A Secure by Design password manager with Zero Knowledge architecture protects employee privacy in two important ways:
- All data stored in password vaults is encrypted locally on the user’s device, ensuring that only the authorized user can access it.
- The service provider has no access to master passwords, login credentials, or any data stored in vaults.
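To make the two points above concrete (and the encrypted-storage point under #1), here is an added Python sketch of a zero-knowledge login split; it is an illustrative scheme written for this article, not LastPass's actual implementation, and the iteration counts, email-as-salt choice and function names are assumptions.

```python
import hashlib
import hmac
import os

# Hypothetical zero-knowledge split (illustration only, not LastPass's real code).
# derive_client_keys() runs entirely on the user's device. The server only ever
# receives auth_key, so it never learns the master password or the vault key.

KDF_ITERATIONS = 600_000      # assumed client-side PBKDF2 work factor
SERVER_ITERATIONS = 100_000   # assumed server-side verifier work factor


def derive_client_keys(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Client side: derive the vault encryption key and a separate auth key.

    vault_key stays on the device and encrypts/decrypts the local vault.
    auth_key is one extra one-way KDF step beyond vault_key, so holding
    auth_key (or the server database) does not reveal vault_key.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), KDF_ITERATIONS
    )
    auth_key = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_key


def server_register(auth_key: bytes) -> dict:
    """Server side: store only a salted, stretched hash of auth_key."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_key, salt, SERVER_ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def server_login(record: dict, auth_key: bytes) -> bool:
    """Server side: check a login attempt with a constant-time comparison."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_key, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def server_holds_secret(record: dict, secret: bytes) -> bool:
    """True only if the server record contains the given secret verbatim."""
    return secret in record.values()
```

Because the server stores neither key, a breach of its database yields only salted verifiers that still require guessing the master password through both slow KDFs.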
You can have your cake and eat it too: Balancing security and productivity with LastPass
In 2025, password management is no longer solely about having weak or reused passwords. With the growth in hybrid and remote workforces, there’s a need to ensure secure access to corporate assets without negatively impacting employee productivity and privacy.
With LastPass, you get:
- Convenience and ease of use. Intuitive features like auto-generate, auto-save, one-click autofill, and passwordless logins increase employee morale and productivity.
- Improved collaboration. Advantage flows to the organization that’s resilient, efficient, and operates at peak performance. With LastPass, you get secure, effortless data sharing, streamlined user management, and native SSO integrations with the world’s most popular SaaS apps.
- Comprehensive security. With LastPass, your employees can quickly and easily generate strong and unique passwords that are stored in an encrypted vault. This battle-tested solution helps protect against unauthorized access, account takeovers, and data breaches.
- Compliance and insurability. Being proactive about security measures can improve cyber insurability (i.e., qualifying for coverage) and contribute to lower premiums. And that’s not all: With LastPass, you can instantly boost your credibility by generating reports that demonstrate your commitment to complying with the world’s most important data privacy laws.
If you’re ready to experience the peace of mind enjoyed by millions of businesses worldwide, sign up for a free LastPass Business trial today (no credit card and no commitment required).
And because we want you to be confident in your investment, we created a special tool to help you discover the ROI of LastPass Business. Our password management ROI calculator is easy to use and can serve as a starting point to guide conversations with stakeholders at your company.