73% of security and IT executives are concerned about new vulnerabilities and risks introduced by the distributed workforce, Skybox Security reveals.
The report also uncovered an alarming disconnect between confidence in security posture and increased cyberattacks during the global pandemic.
Digital transformation creating the perfect storm
To protect employees from COVID-19, enterprises rapidly shifted to make work from home possible and maintain business productivity. Being forced to accelerate digital transformation initiatives created the perfect storm.
2020 will be a record-breaking year for new vulnerabilities with a 34% increase year-over-year – a leading indicator for the growth of future attacks.
As a result, security teams now have more to protect than ever before. Surveying 295 global executives, the report found that organizations are overconfident in their security posture, and new strategies are needed to secure a long-term distributed workforce.
- Deprioritized security tasks increase risk: Over 30% of security executives said software updates and BYOD policies were deprioritized. Further, 42% noted reporting was deprioritized since the onset of the pandemic.
- Enterprises can’t keep up with the pace: 32% had difficulties validating if network and security configurations undermined security posture. 55% admitted that it was at least moderately difficult for them to validate that network and security configurations did not increase risk.
- Security teams are overconfident in security posture: Only 11% confirmed they could confidently maintain a holistic view of their organizations’ attack surfaces. Shockingly, 93% of security executives were still confident that changes were correctly validated.
- The distributed workforce is here to stay: 70% of respondents projected that at least one-third of their employees will remain remote 18 months from now.
“Traditional detect-and-respond approaches are no longer enough. A radical new approach is needed – one that is rooted in the development of preventative and prescriptive vulnerability and threat management practices,” said Gidi Cohen, CEO, Skybox Security.
“To advance change, it is integral that everything, including data and talent, is working towards enriching the security program as a whole.”
For many employees, the COVID-19 pandemic brought about something they dreamed of for years: the possibility to eschew long commutes, business attire and (finally!) work from their home.
Companies were forced to embrace the work-from-home switch and many are now starting to like the cost savings and the possibility to hire employees from a wider, non-localized pool of applicants.
But for IT security teams, the switch meant even more work and a struggle to find new ways to keep their organization and their employees secure from an increasing number and frequency of cyber threats.
The pressure to deliver security is on
A recent LogMeIn report has also revealed that the transition to remote work for the majority of businesses has impacted the day-to-day work of IT professionals.
Aside from the expected technical tasks and an increased number of web meetings, over half of them have been forced to spend more time managing IT security threats and developing new security protocols. In fact, the percentage of IT professionals who are now spending 5 to 8 hours per day on IT security rose from 35 in 2019 to 47 in 2020.
“In terms of defensive tactics, the first two months of the pandemic shifted the previous network-centric thinking to endpoint and remote access. Many firms lacking endpoint detection and response or endpoint protection (next-gen AV) sought to roll out these services across their distributed organization. They also focused on IAM and VPN or SDP services,” Mark Sangster, VP and Industry Security Strategist at eSentire, told Help Net Security.
“The other shift moved thinking from BYOD to BYOH: Bring Your Office Home. Firms were faced with the challenge of securing connections from home offices made through consumer-grade networking gear provided by employee ISPs. These systems are not as hardened as commercial-grade internet devices and were often misconfigured or left in factory settings with default administrative credentials and wide-open Wi-Fi services. This effort required IT teams to help non-technical employees harden their home routers, better understand password security and embrace the necessity for multi-factor authentication and VPNs.”
Solving the security puzzle
Companies’ tech priorities have shifted as well, with many increasing spending for security.
But the need to implement new technology, the widening attack surface, and the onslaught of ransomware-wielding gangs have forced some companies to accept the limits of what they can do with in-house IT security staff and technology, and to seek additional assistance from outside detection and response experts.
The threat of ransomware is insidious and can be particularly destructive, delivering a potentially fatal blow to some (often smaller) organizations.
“Firms need to understand the risks and prepare with proactive defenses (threat hunting), hot-swappable back-ups and fail-over colocation systems. The real trick is catching unauthorized activity quickly, before criminal groups are able to plant ransomware throughout the organization, steal data and then launch a synchronized attack to cripple the organization. This means being able to monitor VPN traffic (connections) and remote administrative activities to detect unauthorized movement,” Sangster explained.
“Criminal groups steal credentials to then access the business using remote tools. This MO is detectable, but it requires proactive hunting and constant monitoring of these services. We have stopped multiple attacks of this nature. In those cases, the ransom attack was either isolated to a single device (and quickly recovered in less than an hour), or it required coordinated defenses to block remote attacks through remote admin tools like Microsoft RDP or PowerShell. In these cases, machine learning flagged suspicious activity for further investigation by security analysts. This quick response meant dwell time was only minutes and prevented the criminal gang ransomware from metastasizing throughout the organization.”
CyberEdge conducted a web-based survey of 600 enterprise IT security professionals from seven countries and 19 industries in August 2020 in an effort to understand how the pandemic has affected IT security budgets, personnel, cyber risks, and priorities for acquiring new security technologies.
Impacts from the work-from-home movement
Prior to the pandemic, an average of 24% of enterprise workers had the ability to work from home on a full-time, part-time, or ad hoc basis. As of August 2020, that number more than doubled to 50%.
Many enterprises without existing BYOD policies were instantly compelled to permit employee-owned laptops, tablets, and smartphones to access company applications and data – in some instances without proper endpoint security protections.
Resulting IT security challenges
A 114% increase in remote workers coupled with a 59% increase in BYOD policy adoption has wreaked havoc among enterprise IT security teams.
The top-three challenges experienced by enterprise IT security teams have been an increased volume of threats and security incidents, insufficient remote access / VPN capacity, and increased risks due to unmanaged devices.
Furthermore, an astounding 73% of enterprises have experienced elevated third-party risks amongst their partners and suppliers. Adding fuel to the fire, 53% of these teams were already understaffed before the pandemic began.
Healthy 2020 and 2021 IT security budgets
While most enterprises searched for ways to reduce overall operating expenses in 2020, 54% of those surveyed increased their IT security operating budgets mid-year by an average of 5%.
Only 20% of enterprises reduced their overall IT security spending after the start of the pandemic. With regard to the impact of the pandemic on next year’s security budgets, 64% of organizations plan to increase their security operating budgets by an average of 7%.
Increased demand for cloud-based IT security investments
Arguably the biggest impact that the COVID-19 pandemic has had on the IT security industry is an increased appetite for cloud-based IT security solutions. This is primarily driven by the massive increase in remote workers but may also be influenced by having fewer IT security personnel available on site to install and maintain traditional on-premises security appliances.
Exactly 75% of respondents have indicated an increased preference for cloud-based security solutions. The top-three technology investments to address pandemic-fueled challenges are cloud-based secure web gateway (SWG), cloud-based next-generation firewall (NGFW), and cloud-based secure email gateway (SEG).
Reducing IT security personnel costs
Despite increased funding for cloud-based security technology investments, 67% of enterprise security teams were forced to temporarily reduce personnel expenses through hiring freezes (36%), temporary reductions in hours worked (32%), and temporary furloughs (25%). Fortunately, only 17% were forced to lay off personnel.
Training and certification make a huge difference
78% of those with IT security professional certifications feel their certification has made them better equipped to address pandemic-fueled challenges.
Next year, enterprises anticipate increasing their security training and certification budgets by an average of 6%.
Taking third-party risks seriously
The doubling of remote workforces has significantly increased third-party risks. As a result, 43% of enterprises have increased their third-party risk management (TPRM) technology investments. 77% are seeking technologies to help automate key TPRM tasks.
Securing employee-owned devices
In an effort to secure employee-owned devices connecting to company applications and data, 59% of enterprises are providing antivirus (AV) software, 52% are investing in mobile device management (MDM) products, and 48% are acquiring network access control (NAC) solutions.
Security professionals enjoy working from home
Not surprisingly, 81% of IT security professionals enjoy working from home. Once a COVID-19 vaccine is developed and the pandemic is over, 48% would like to continue working from home part-time while 33% would like to work from home full-time.
LogMeIn released a report that reveals the current state of IT in the new era of remote work. The report quantifies the impact of COVID-19 on IT roles and priorities for small to medium-sized businesses.
The study reveals the massive shift in the day-to-day work of IT professionals, and the broader impact of the transition to remote work for the majority of businesses.
The report uncovers how the budgets, priorities, and functions of IT teams at small and medium-sized businesses continue to be shaped by ongoing global upheaval and uncertainty and provides insights into how IT professionals are adapting their roles and teams to these challenges.
Virtual tasks and security concerns demand more IT time
With the onset of COVID-19, the types of tasks that filled a typical IT team member’s day changed significantly. The research found that 67 percent of respondents said they spend more time on virtual tasks like team web meetings, remotely accessing employee devices (66 percent) and customer web meetings (52 percent).
Security also gained increased focus, with 54 percent spending more time managing IT security threats and 54 percent developing new security protocols. 47 percent of IT professionals are spending 5 to 8 hours per day on IT security, compared to 35% in 2019.
The increased complexities of BYOD and BYOA (Bring-Your-Own-Devices and Access) work environments combined with advancements in cyberattacks have increasingly monopolized the focus of IT professionals.
IT is most worried about a breach
The top IT security concerns continue to be data breaches (cloud, internal, and external), malware, employee behavior, and ransomware. With cloud technology and adoption skyrocketing over the years, fear of a cloud data security breach has increased significantly just in the past two years, with 40% of IT professionals expressing concern in 2018 and 53% citing it as a top security concern in 2020.
Another higher priority concern in 2020 compared to previous years is ‘Rapidly evolving business technology practices’ with 29 percent of IT professionals stating it’s a top security concern in 2020, compared to only 20 percent in 2019.
Lack of budget is the greatest barrier to keeping up with trends in IT
35 percent of IT professionals agree that a lack of budget is the biggest challenge their company is facing in trying to keep up with IT trends. IT training, lack of IT staff, lack of control over a remote workforce, and IT staff resistance to change are all seen as the most common reasons IT teams are struggling to adapt to changes in their field.
With limited budget, IT teams must implement solutions that enable them to do more with less and prioritize implementing tools with security, automation, and monitoring functionality.
Software facilitating remote collaboration and management proved most valuable to IT
Given that it was no longer possible to stop by an employee’s desk to address any issues, 38 percent of IT teams prioritized remote access software first during the COVID-19 pandemic.
With employees working from home, having a way to collaborate with colleagues became mission-critical, so it’s not surprising that one third of IT respondents prioritized meeting and communications software.
“This data shows that the pandemic has led to improved training for IT and employees, ensuring all employees have the appropriate hardware and software, and even installed multifactor authentication for improved security.”
CISOs are conflicted about how their companies can best reposition themselves to address the sudden and rapid shift to remote work caused by the pandemic, Hysolate research reveals.
The story emerging from the data in the study is clear:
- COVID-19 has accelerated the arrival of the remote-first era.
- Legacy remote access solutions such as virtual desktop infrastructure (VDI), desktop-as-a-service (DaaS), and virtual private networks (VPN), among others, leave much to be desired in the eyes of CISOs and are not well suited to handle many of the new demands of the remote-first era.
- Half of CISOs believe that security measures are impacting productivity when scaling remote-first policies.
- Bring-your-own-PC (BYOPC) policies further complicate organizations’ approaches to secure remote access.
Remote work becoming a permanent workflow
Beyond the overwhelming consensus that work-from-home is here to stay (87 percent of respondents believe remote work has become a permanent workflow in their companies’ operations), the study reveals that there is no singular best practice or market-leading approach to enabling workers in the remote-first era.
There is no prevailing solution in place to provide secure remote access to corporate assets:
- 24 percent of survey respondents utilize VPN, and more than half of these also employ split tunneling, a practice that allows users to access dissimilar security domains at the same time, to reduce the organization’s VPN loads and traffic backhauling. However, of those that use split tunneling, two-thirds of CISOs express concerns about the security of the split tunneling approach.
- 36 percent deploy VDI or DaaS. However, of those CISOs that utilize VDI or DaaS, only 18 percent say their employees are happy with their company’s VDI or DaaS solution. Further, dissatisfaction with these legacy remote access solutions isn’t limited to user experience; more than three-quarters of CISOs feel that their return on investment in VDI or DaaS has been medium to low.
Remote security policy issues
CISOs are also grappling with what their remote security policies should be in the new remote-first era:
- 26 percent of CISOs surveyed have introduced more stringent endpoint security and corporate access measures since the arrival of the pandemic.
- 35 percent have relaxed their security policies in order to foster greater productivity among remote workers.
- 39 percent have left their security policies the same.
More than 60 percent of companies felt that they weren’t ready for the changes that the proliferation of the pandemic forced. What is uncertain is whether the other 39 percent who have made no changes are standing pat because they are comfortable with their company’s security posture or because they don’t know what changes to make.
CISOs scramble to enable remote work and maintain security
“But when we surveyed CISOs who were scrambling to scale their remote workforce IT operations in light of the pandemic, it became clear how important worker productivity has now become and that legacy solutions like VPN, VDI and DaaS just can’t handle the demands of the new remote-first reality.”
Web browsing restrictions and BYOPC policies further muddy the remote-first waters. Sixty-two percent of CISOs said their companies restrict access to certain websites on corporate devices, while 22 percent say their companies do not allow access to corporate networks or applications from a non-corporate device.
The confusion indicated by the mixed results of the survey report is enough to cause many CISOs a sleepless night. In fact, the varied response trend carried over to the one unconventional question asked in the study regarding pandemic indulgences: 20 percent of CISOs report drinking more wine during the COVID-19 crisis; 32 percent drink more coffee; 8 percent choose whiskey; and, perhaps in what should come as a surprise to no one, 40 percent chose “All of the Above.”
More than 80% of global employees do not want to return to the office full-time, despite 30% of employees claiming that being isolated from their team was the biggest hindrance to productivity during lockdown, a MobileIron study reveals.
The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees are increasingly using their own personal devices to access corporate data and services.
Adding to the challenges posed by the new “everywhere enterprise” – in which employees, IT infrastructures, and customers are everywhere – is the fact that employees are not prioritizing security. The study found that 33% of workers consider IT security to be a low priority.
Mobile devices and a new threat landscape
The current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks. These attacks range from basic to sophisticated and are likely to succeed, with many employees unaware of how to identify and avoid a phishing attack. The study revealed that 43% of global employees are not sure what a phishing attack is.
“Mobile devices are everywhere and have access to practically everything, yet most employees have inadequate mobile security measures in place, enabling hackers to have a heyday,” said Brian Foster, SVP Product Management, MobileIron.
“Hackers know that people are using their loosely secured mobile devices more than ever before to access corporate data, and increasingly targeting them with phishing attacks. Every company needs to implement a mobile-centric security strategy that prioritizes user experience and enables employees to maintain maximum productivity on any device, anywhere, without compromising personal privacy.”
The study found that four distinct employee personas have emerged in the everywhere enterprise as a result of lockdown, and mobile devices play a more critical role than ever before in ensuring productivity.
- Typically works in financial services, professional services or the public sector.
- Ideally splits time equally between working at home and going into the office for face-to-face meetings; although this employee likes working from home, being isolated from teammates is the biggest hindrance to productivity.
- Depends on a laptop and mobile device, along with secure access to email, CRM applications and video collaboration tools, to stay productive.
- Believes that IT security ensures productivity and enhances the usability of devices. At the same time, this employee is only somewhat aware of phishing attacks.
- Works constantly on the go using a range of mobile devices, such as tablets and phones, and often relies on public WiFi networks for work.
- Relies on remote collaboration tools and cloud suites to get work done.
- Views unreliable technology as the biggest hindrance to productivity as this individual is always on-the-go and heavily relies on mobile devices.
- Views IT security as a hindrance to productivity as it slows down the ability to get tasks done. This employee also believes IT security compromises personal privacy.
- This is the most likely persona to click on a malicious link due to a heavy reliance on mobile devices.
- Finds being away from teammates and working from home a hindrance to productivity and can’t wait to get back to the office.
- Prefers to work on a desktop computer from a fixed location than on mobile devices.
- Relies heavily on productivity suites to communicate with colleagues in and out of the office.
- Views IT security as a low priority and leaves it to the IT department to deal with. This employee is also only somewhat aware of phishing attacks.
- Works on the frontlines in industries like healthcare, logistics or retail.
- Works from fixed and specific locations, such as hospitals or retail shops; this employee can’t work remotely.
- Relies on purpose-built devices and applications, such as medical or courier devices and applications, to work. This employee is not as dependent on personal mobile devices for productivity as other personas.
- Realizes that IT security is essential to enabling productivity. This employee can’t afford to have any device or application down time, given the specialist nature of their work.
“With more employees leveraging mobile devices to stay productive and work from anywhere than ever before, organizations need to adopt a zero trust security approach to ensure that only trusted devices, apps, and users can access enterprise resources,” continued Foster.
“Organizations also need to bolster their mobile threat defenses, as cybercriminals are increasingly targeting text and SMS messages, social media, productivity, and messaging apps that enable link sharing with phishing attacks.
“To prevent unauthorized access to corporate data, organizations need to provide seamless anti-phishing technical controls that go beyond corporate email, to keep users secure wherever they work, on all of the devices they use to access those resources.”
In the digital age, staff expect employers to provide hardware, and companies need hardware that allows employees to work efficiently and securely. There are already a number of models to choose from for purchasing and managing hardware; however, with remote work policies becoming more popular, enterprises have to prioritize cybersecurity when making their selection.
The COVID-19 pandemic and the online shift have brought to light the need for robust cybersecurity strategies and technology that facilitates safe practices. Since the pandemic started, the FBI has reported a 300 percent increase in cybercrime. As more businesses are forced to operate at a distance, hackers are taking advantage of weak links in their networks. At the same time, the crisis has meant many enterprises have had to cut their budgets, and so risk compromising cybersecurity when opting for more cost-effective measures.
Currently, Device-as-a-Service (DaaS), Bring-Your-Own-Device (BYOD) and leasing/buying are some of the most popular hardware options. To determine which is most appropriate for your business cybersecurity needs, here are the pros and cons of each:
DaaS models are when an organization distributes hardware like computers, tablets, and phones to employees with preconfigured and customized services and software. For many enterprises, DaaS is attractive because it allows them to acquire technology without having to outright buy, set up, and manage it – therefore saving time and money in the long run. Because of DaaS’s growing popularity, 65 percent of major PC manufacturers now offer DaaS capabilities, including Apple and HP.
When it comes to cybersecurity, DaaS is favorable because providers are typically experts in the field. In the configuration phase, they are responsible for ensuring that all devices have the latest security protections installed as standard, and they are also responsible for maintaining such protections. Once the hardware is in use, DaaS models allow providers to monitor the company’s entire fleet – checking that all devices adhere to security policies, including protocols around passwords, approved apps, and accessing sensitive data.
Another bonus is that DaaS can offer analytical insights about hardware, such as device location and condition. With this information, enterprises can be alerted if tech is stolen, missing or outdated and a threat to overall cybersecurity. Not to mention, a smart way to boost the level of protection given by DaaS models is to integrate it with Unified Endpoint Management (UEM). UEM helps businesses organize and control internet-enabled devices from a single interface and uses mobile threat detection to identify and thwart vulnerabilities or attacks among devices.
Nonetheless, to effectively utilize DaaS, enterprises have to determine their own relevant security principles before adopting the model. They then need to have an in-depth understanding of how these principles are applied throughout DaaS services and how the level of assurance enacts them. Assuming that DaaS completely removes enterprises from being involved in device cybersecurity would be unwise.
BYOD is when employees use their own mobiles, laptops, PCs, and tablets for work. In this scenario, companies have greater flexibility and can make significant cost savings, but there are many more risks associated with personal devices compared to corporate-issued devices. Although BYOD is favorable among employees – who can use devices that they are more familiar with – enterprises essentially lose control and visibility of how data is transmitted, stored, and processed.
Personal devices are dangerous because hackers can create a sense of trust via personal apps on the hardware and more easily coerce users into sharing business details or downloading malicious content. Plus, with BYOD, companies are dependent on employees keeping all their personal devices updated with the most current protective services. One employee forgetting to do so could negate the cybersecurity for the overall network.
Similar to DaaS, UEM can also help companies that have adopted BYOD take a more centralized approach to managing the risk of exposing their data to malicious actors. For example, UEM can block websites or content from personal devices, as well as implement passcodes, and device and disk encryption. Alternatively, VPNs are common to enhance cybersecurity in companies that allow BYOD. In the COVID-19 pandemic, 68 percent of employees claim their company has expanded VPN usage as a direct result of the crisis. It’s worth noting, though, that VPNs only encrypt data accessed via the internet and cloud-based services.
When moving forward with BYOD models, enterprises must host regular training and education sessions around safe practices on devices, including recognizing threats, avoiding harmful websites, and the importance of upgrading. They also need to have documented and tested computer security incident response plans, so if any attacks do occur, they are contained as soon as possible.
Leasing / buying
Leasing hardware is when enterprises obtain equipment on a rental basis, in order to retain working capital that can be invested in other areas. In the past, as many as 80 percent of businesses chose to lease their hardware. The trend is less popular today, as SaaS products have proven to be more tailored and scalable.
Still, leasing is beneficial because rather than jeopardizing cybersecurity to purchase large volumes of hardware, enterprises can rent fully covered devices. Likewise, because the latest software typically requires the latest hardware, companies can rent the most recent tech at a fraction of the retail cost.
Comparable to DaaS providers, leasing companies are responsible for device maintenance and have to ensure that every laptop, phone, and tablet has the appropriate security software. Again, however, this does not absolve enterprises from taking an active role in cybersecurity implementation and surveillance.
Unlike leasing, where there can be uncertainty over who owns the cybersecurity strategy, buying is more straightforward. Purchasing hardware outright means companies have complete control over devices and can cherry-pick cybersecurity features to include. It also means they can be more flexible with cybersecurity partners, running trials with different solutions to evaluate which is the best fit.
That said, buying hardware has a noticeable downside where equipment becomes obsolete once new versions are released. 73 percent of senior leaders from enterprises actually agree that an abundance of outdated equipment leaves companies vulnerable to data security breaches. Considering that, on average, a product cycle takes only 12 to 24 months, and there are thousands of hardware manufacturers at work, devices can swiftly become outdated.
Additionally, because buying is a more permanent action, enterprises run the risk of being stuck with hardware that has been compromised. As opposed to software, which can be patched relatively easily, hardware often has to be sent off-site for repairs. This may result in enterprises with limited hardware continuing to use damaged or unprotected devices to avoid downtime in workflows.
If and when a company does decide to dispose of hardware, there are complications around guaranteeing that systems are totally blocked and databases or networks cannot be accessed afterwards. In contrast, providers from DaaS and leasing models expertly wipe devices at the end of contracts or when disposing of them, so enterprises don’t have to be concerned about unauthorized access.
Putting cybersecurity front-and-center
DaaS, BYOD, and leasing/buying all have their own unique benefits when it comes to cybersecurity. Despite all the perks, it has to be acknowledged that BYOD and leasing pose the biggest obstacles for enterprises because they take cybersecurity monitoring and control out of companies’ hands. Nevertheless, for all the options mentioned, UEM is a valuable way to bridge gaps and empower businesses to be in control of cybersecurity, while still being agile.
Ultimately, the most impactful cybersecurity measures are the ones that enterprises are firmly vested in, whatever hardware model they adopt. Businesses should never underestimate the power of a transparent, well-researched, and constantly evolving security framework – one which a hardware model complements, not solely creates.
With so many organizations switching to a work-from-home model, many are finding security to be increasingly more difficult to administer and maintain. There is an influx of vulnerable points distributed across more locations than ever before, as remote workers strive to maintain their productivity. The result? Security teams everywhere are being stretched.
The Third Global Threat Report from VMware Carbon Black also found little confidence among respondents that the rollout to remote working had been done securely. The study took a deep dive into the effects COVID-19 had on the security of remote working, with 91% of executives stating that working from home has led to a rise in attacks.
Are you making sure your security professionals are up to the task of remote working while security threats are on the rise?
1. Maintain consistency
One way to help mitigate risk is to have your developers and security professionals train at a consistent level so they are all on the same page. Knowing that there is some sort of security architecture at play in your organization and understanding the logistics of how to stress test aspects of that structure will make it easier to prepare for and block attacks.
2. Don’t overlook the details
Training needs to address all aspects of your structure, specifically: information security, data security, cybersecurity, computer security, physical security, IoT security, cloud security, and individual security. Each area of an architecture needs to be tested and hardened regularly for your organization to truly be shielded from security breaches. Be specific about your program: train your staff on how to defend your information around your HR records (SSNs, PII, etc.) and data that could be exposed (shopping cart, customer card numbers), as well as in cyber defense to provide tools against nefarious actors, breaches and threats.
3. Think about the individual
Staff must be trained to know how to lock down computers, so individual machines and network servers are safe. This training should also encompass how to ensure physical security, to protect your storage or physical assets. This comes into play more as the IoT plays a larger role in connecting our devices and BYOD policies allow for more connections to be made between personal and corporate assets. Individual security: each employee is entitled to be secure in their work for a company, and that includes privacy concerns and compliance issues.
4. Keep your head in the cloud
Today, most companies have some sort of cloud presence, and security professionals will need to be trained to constantly check the interfaces to the cloud and any hybrid on-prem and off-prem instances you have.
5. Invest in learning
With constantly changing layers of architecture and amplified room for breaches as a result of remote working, it’s hard to imagine how security professionals stay ahead of all the changes. One thing that keeps teams on top of their game is professional online learning.
During the COVID-19 shelter-in-place mandate, leading eLearning companies have witnessed a massive increase in hours of security content consumed. For some, security is one of the fastest-growing topic areas, which suggests that security is more important this year. This is likely because of the number of workers who have gone remote and the challenges that brings to an organization, particularly in the security department.
6. Consider role-based training
While it’s important to equip teams with skills that apply across functions, there is a case to be made for investing in experts. Cybersecurity is not a field with a linear path of growth. There are different journeys individuals can take to transition from a vulnerability analyst to a security architect. By looking for ways to help individuals within the organization upskill and take on new roles and responsibilities, you have the unique benefit of being able to help them curate roles that fit the needs of the organization.
It’s not often that a business has a dedicated Remote Team Security Lead, because there was rarely a need for one. Considering the quick transition to remote work and the possibility that this is the new normal, organizations can benefit by investing in specific training curated to meet the security needs of remote teams. If this role is cultivated within the organization, there is the added benefit of knowing that the lessons being taught are directly relevant to specific needs, which increases the attractiveness of investing time and effort into skills training.
Training can be the key to preparing security professionals for the unexpected. But there is no one-size-fits-all lesson that can be delivered or an evergreen degree that can keep up with an industry that changes every day. Training needs to be always on the agenda and it needs to be developed in a way that offers different modalities of learning.
Regardless of how the individual best learns, criterion-based assessments can measure knowledge/skills and act as a guide to true, lasting learning. Developing a culture committed to agility and learning is the key to embracing change.
Everyone’s aware of how challenging maintaining a strong cybersecurity posture is these days. There’s no longer a perimeter to protect and with remote working becoming the norm since the advent of COVID-19 and BYOD stretching digital boundaries to their very limits, good security is significantly tougher to achieve.
When evaluating cyber security risks to the organization, we’re typically looking at users, devices and IoT devices as possible ways into the infrastructure. And yet it’s not these people and things attackers are really interested in – it’s the data.
While data that’s stored in locked-down databases, such as CRM and storage systems, is ordered, structured and easy to secure, 92% of the world’s data is unstructured, or dark data.
Our own research suggests that a typical organization’s unstructured information contains:
- 42% confidential information
- 1% sensitive personal information
- 9% personally identifiable information
Think about all the emails that are sent and the documents that teams create every day, which aren’t maintained in organized databases. And the file shares such as SharePoint and OneDrive, the company intranet and personal folders.
Keeping on top of this unstructured data is a huge challenge. Our research revealed that 95% of IT professionals say it’s a challenge to get visibility across their organizations’ data estate, yet only 39% of organizations are taking active steps to gain visibility of their data.
But fail to do so and over time dark data becomes forgotten and vulnerable to insider threats and external breaches. In fact, our research also showed that data breaches by employees are seen as the biggest risk to an organization – with 40% of respondents naming internal breaches as the biggest threat in the coming year.
So how can you enhance information security?
Change the focus
It’s a fine balancing act. On one side, organizations must lock data down to secure it and protect it from harm. On the other, they need to open up the business to provide greater access to the information people need to do their jobs. The answer lies in the data.
The fact is, no business can protect itself from an insider threat or external data breach until it has all of its data – both structured and unstructured – under control. The first step has to be to discover what’s there, where it’s stored and whether there’s sensitive data within it.
These insights allow the organization to determine how that data can be protected. Maybe nothing has to be done, because appropriate controls are already in place. Or maybe the data has to be moved or deleted.
By gaining visibility, a business can prioritize its risks, take action to protect the data at the source and, perhaps, even reveal hidden value in it.
Wrap the right methodology, technology, and processes around the data
By employing the right methodology, technology and processes, an organization can secure its data while enabling its workforce to continue to operate without having to follow undue procedure to access it when they need it to do their jobs.
The journey towards effective information security puts data at the heart of the strategy, and follows five key steps:
1. Documented data policies and processes: Set out the intentions for how the organization will deal with its data to lay the bedrock for successful data security and governance.
2. Employee awareness, training and culture: Data security and governance should be so ingrained into people’s thinking that it sits front and center in their minds every day.
3. Information discovery and classification: Identify what data lies within the estate so appropriate actions can be taken to secure it, extract value from it and manage its complexity.
4. Adding enforcement technologies: Document encryption, data loss prevention, access control, data remediation, content management – taking a blended approach to enforcement means opening up APIs and integrating systems.
5. Operational process and record keeping: KPIs enable the business to monitor and better understand its data to identify areas for continuous improvement.
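Step 3, information discovery and classification, can be illustrated with a scan of unstructured text for sensitive values. This is an added example, not code from the original article: the patterns, the labels and the sample documents are constructed assumptions, and the report keeps counts only, so the scan does not create another copy of the data it finds.

```python
import re
from collections import Counter

# Candidate patterns for sensitive values in free text (illustrative, not exhaustive).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and IDs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number ranges that are never issued as US SSNs."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_sensitive(text: str) -> dict:
    """Count sensitive values by type; matched values are never stored."""
    counts = Counter()
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            counts["ssn"] += 1
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            counts["card_number"] += 1
    emails = len(EMAIL_RE.findall(text))
    if emails:
        counts["email"] = emails
    return dict(counts)


def classify(counts: dict) -> str:
    """Hypothetical three-level labelling; a real policy defines its own classes."""
    if counts.get("ssn") or counts.get("card_number"):
        return "sensitive"
    if counts.get("email"):
        return "pii"
    return "none"


def discover(docs: dict) -> dict:
    """Map each document path to its label and per-type counts."""
    results = {}
    for path, text in docs.items():
        counts = find_sensitive(text)
        results[path] = {"label": classify(counts), "counts": counts}
    return results


def estate_summary(results: dict) -> dict:
    """How many documents fall under each label across the scanned estate."""
    return dict(Counter(r["label"] for r in results.values()))


# Constructed sample documents standing in for e-mails and file-share content.
SAMPLE_DOCS = {
    "hr/onboarding-notes.txt":
        "New hire Jane Roe, SSN 123-45-6789, contact jane.roe@example.com",
    "sales/refund-email.eml":
        "Customer paid with 4111 1111 1111 1111; order ref 1234 5678 9012 3456.",
    "marketing/newsletter-list.csv":
        "alice@example.com\nbob@example.org\n",
    "eng/release-notes.md":
        "Build 000-12-3456 shipped. Version 2.4.1.",
}

if __name__ == "__main__":
    results = discover(SAMPLE_DOCS)
    for path, info in sorted(results.items()):
        print(f"{info['label']:<10} {path}  {info['counts']}")
    print("summary:", estate_summary(results))
```

The checksum and range checks matter in practice: without them the order reference and the build number in the samples would be reported as a card number and an SSN.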
Data is a business’s most valuable and most risky asset, but to secure it you must know what you’ve got, so it’s imperative to be able to find and reveal both structured and unstructured data across the company’s assets.
Once a business knows its data, it can protect and power the organization and the people it serves by both mitigating the risks in the data and using it in positive and proactive ways to drive the business forward.
Employees, whether careless or malicious, can pose a great risk to organizations, a Bitglass survey reveals. 61% of survey respondents reported at least one insider attack over the last 12 months (22% reported at least six separate attacks).
Insider threats becoming increasingly challenging
Businesses are currently undergoing seismic shifts, including rapid migrations to the cloud and widespread adoptions of remote work and BYOD (bring your own device) policies. Along with these trends, securing against insider threats has become increasingly challenging.
Most organizations cannot guarantee that they can detect insider threats stemming from personal devices (82%) or the cloud (50%), while 81% find it difficult to assess the impact of insider attacks.
Despite these concerns, few respondents have a single platform that delivers complete, unified visibility and control for any interaction.
When dealing with multiple disjointed tools that provide disparate levels of protection, security professionals spend an inordinate amount of time managing each of the solutions individually. As such, 49% of respondents stated that at least one week typically goes by before insider attacks are detected; additionally, 44% said that another week usually passes before the organization recovers from the attacks.
Security budgets are decreasing
While organizations were already working with constrained security budgets before the pandemic, security teams are now being asked to do even more with less. 73% of companies’ security budgets are decreasing or staying flat over the next year.
“Along with brand damage, remediation costs, legal liabilities, and loss of revenue, these are serious ramifications that must be prevented. Enterprises need a multi-faceted security platform that is designed to monitor user behavior, secure personal devices, deliver maximum uptime and cost savings, and prevent leakage on any interaction. Only then can they defend against insider threats.”
Bring your own PC (BYOPC) security will reach mainstream adoption in the next two to five years, while it will take five to 10 years for mainstream adoption of secure access service edge (SASE) to take place, according to Gartner.
Hype cycle for endpoint security, 2020
“Prior to the COVID-19 pandemic, there was little interest in BYOPC,” said Rob Smith, senior research director at Gartner. “At the start of the pandemic, organizations simply had no …
The post Bring your own PC and SASE security to transform global businesses appeared first on Help Net Security.
Remote working is here to stay. While working from home wasn’t a new concept when COVID-19 hit, the shift to a nearly universal remote workforce is unprecedented. Organizational security has always been a priority for business leaders and managers, and now, as some offices start reopening and employees have the option to work remotely or from the office, maintaining security has never been more complex.
With black hat hackers becoming more sophisticated and leveraging the increase in remote working for malicious purposes, new strategies and an increased focus on security best practices are key to keeping a business secure. How can business leaders ensure security is prioritized across their organization?
Add layers of security for data protection
Security is a shared responsibility. Business and IT leaders must provide employees with effective training and education to detect (and avoid) phishing attempts and other suspicious and malicious activity. Beyond employee training, incorporating additional layers of security – such as end-to-end encryption, a VPN, a password manager, and multi-factor authentication – is important to defend against compromised accounts or passwords and to avoid data breaches and ransomware attacks.
Maintaining organizational security
On top of implementing additional layers of security, consider taking this a step further and incorporating security software solutions to help monitor and manage security.
Adopt security tools: An IT team will benefit from implementing security tools and solutions, such as a security information and event management (SIEM) tool that identifies anomalous behavior, flags issues in real-time and can help mitigate and protect against potentially devastating incidents. Added support from security software can equip your IT team with the tools necessary to maintain security in this increasingly complex business and security environment.
Consider outsourcing: Depending on your organizational needs and available resources, outsourcing might be a strategic option. For example, companies without an IT department or dedicated security team may benefit from working with a trusted partner company. Outsourcing security to a company that keeps servers up-to-date, uses an encrypted network, and constantly monitors for security breaches and problems is key to ensuring data is protected and overall security is upheld.
Develop a robust crisis management plan
Having a business continuity and disaster management plan in place before a crisis hits is key. When security is addressed on a reactive versus proactive basis, the negative impact of the crisis is much more significant. Proactive security measures should be a business’s top priority. Establishing a strategic disaster recovery plan requires considering the challenges business leaders face and the resources at their fingertips, and ultimately creates a template for recovery and future success.
Any strategic cybersecurity plan must include employee communication and training. Without the education and training necessary to identify and avoid attacks, employees can pose the greatest risk to their organization. Best practices for remote working and BYOD are more important than ever. For example, without education and proper security measures in place, employees connecting to a home Wi-Fi network with a work computer or phone can jeopardize an organization’s overall security. Without end-user education, employees will not know that devices on their home network – such as family laptops, tablets, gaming systems, or other “smart” appliances – are never tested or patched and can enable hackers and malware to identify and exploit gaps.
Employees without roles on the security team are probably unaware that their actions while working from home impact network security. It is therefore the responsibility of security and business leaders to ensure employees are educated on security risks, their responsibilities in avoiding attacks, and the potential consequences of not prioritizing security.
Leverage the cloud
Since the pandemic hit, cloud platforms have become essential in enabling businesses to keep running as usual (or at least as usual as possible during this challenging time). For example, file-sharing via a cloud platform and storing company data streamlines work and business operations, helping security teams to more efficiently enable secure remote access.
A public or private cloud platform can also be used as part of the 3-2-1 data backup strategy. This strategy includes having three copies of data (production data and two backup copies) on two different media with one copy offsite for disaster recovery. This is also a key component of an effective crisis management plan: ensuring your data is protected and backed up to avoid cybersecurity issues like ransomware attacks, which are unfortunately becoming more frequent and increasingly destructive.
Promoting security in the new working world
Patrolling the cybersecurity perimeter and establishing a secure remote workforce for successful long-term working outside the four walls of an organization is a tall order. Following a few key best practices can significantly increase business and IT leaders’ ability to promote security across their organization.
As the first line of defense against many cybersecurity issues, business leaders must train employees on best practices for good cyber hygiene. Implementing additional layers of security and working with a trusted partner company can make an organization more secure at its very core. Additionally, moving workstreams and file-sharing over to cloud platforms can not only streamline remote working, but also more efficiently enable secure remote access.
It’s unlikely that the physical four walls of a business will ever house all of the organization’s employees ever again, so now is the time to set up the tools and processes necessary to develop a secure remote work infrastructure.
The global Unified Communications as a Service (UCaaS) market size was valued at $13.8 billion in 2019 and is anticipated to reach $24.3 billion at a CAGR of 8.4% from 2020 to 2026, according to Valuates Reports.
Many businesses use UCaaS as it streamlines communication to enhance business processes and thereby improves revenue. The rising demand for UCaaS and its increasing adoption in small and medium-sized enterprises are factors that contribute greatly to the growth. Furthermore, the cost-efficiency of UCaaS and its pay-per-use characteristics drive the demand as well.
Trends influencing UCaaS market size
The key factors driving the growth of the UCaaS market size include increasing UCaaS demand from large and medium-sized enterprises and the trends towards mobility and BYOD.
Factors such as developments in artificial intelligence, machine learning, and other emerging technologies will generate ample opportunities for the growth of UCaaS market size. AI-powered technologies have allowed organizations to record calls intuitively, encourage effortless transcriptions and intelligently monitor speakers to recognize user needs, and provide relevant services. In addition, service providers have begun providing conversational-AI powered solutions for better machine guidance, data interpretation, and faster processing of information.
Nowadays, several businesses are planning to introduce bring your own device (BYOD) services for their employees. This initiative by organizations is expected to, in turn, increase the UCaaS market size.
Rising adoption of the private cloud model to safeguard confidential information by the BFSI sector is expected to increase the UCaaS market size during the forecast period. In addition, unified communication as a service enables financial firms to exercise scalability that is essential for large-scale implementation, such as account monitoring integration, telephone assistance, chatbot-enabled messaging, and mobile transactions. The introduction of cloud technologies also promotes versatility and reduces total expense and time while improving customer experience.
Increasing tablet and smartphone adoption, combined with the ongoing implementation of 5G technology, is expected to fuel the growth of UCaaS market size during the forecast period. COVID-19 has positively impacted the UCaaS market.
UCaaS market share analysis
Based on component, the telephony and conferencing segments are expected to hold the largest UCaaS market share during the forecast period. Because of the growing demand from SMEs, vendors around the globe offer telephony and conferencing as the main commodity, as these solutions help them streamline their business communication and improve productivity.
Based on organization types, the large enterprise segment is expected to dominate the UCaaS market size during the forecast period. Major companies around the world are adopting BYOD patterns, and therefore a growing number of mobile employees are being hired, leading to increased demand for UCaaS solutions.
Based on the region, North America is projected to hold the largest UCaaS market share. This dominance is attributed to the growing adoption of technology by North American businesses to increase productivity and the presence of a large number of UCaaS vendors.
The Asia Pacific, on the other hand, is projected to exhibit the fastest CAGR. This is due to increasing smartphone penetration and a large user population. Emerging economies, namely Japan, China, and India, will contribute to market development in this region. But development in this area may be hindered by growing security and data privacy issues.
As the shift to remote work has increased, most businesses are embracing BYOD in the workplace.
In a survey by Bitglass, 69% of respondents said that employees at their companies are allowed to use personal devices to perform their work, while some enable BYOD for contractors, partners, customers, and suppliers.
While the use of personal devices in the work environment is growing rapidly, many are unprepared to balance security with productivity. When asked for their main BYOD security concerns, 63% of respondents said data leakage, 53% said unauthorized access to data and systems, and 52% said malware infections.
Lack of proper steps to protect corporate data
Despite the concerns, the research shows that organizations are allowing BYOD without taking the proper steps to protect corporate data. 51% of the surveyed organizations lack any visibility into file sharing apps, 30% have no visibility or control over mobile enterprise messaging tools, and only 9% have cloud-based anti-malware solutions in place.
Compounding these problems are results that demonstrated that organizations need physical access to devices and even device PINs to secure them. This may be acceptable for managed endpoints, but it is a clear invasion of privacy where BYOD is enabled.
“However, the reality is that today’s work environment requires the flexibility and remote access that the use of personal devices enables. To remedy this standoff, companies need comprehensive cloud security platforms that are designed to secure any interaction between users, devices, apps, or web destinations.”
Working remotely from home has become a reality for millions of people around the world, putting pressure on IT and security teams to ensure that remote employees not only remain as productive as possible, but also that they keep themselves and corporate data as secure as possible.
Achieving a balance between productivity and security is even harder, given that most organizations do not have adequate visibility or control over what their employees are doing on corporate owned smartphones and laptops while outside the office. Even less so in the case of BYOD.
Remote workers attempting to access risky content
NetMotion recently aggregated a sample of anonymized network traffic data, searching specifically for evidence of users attempting to access flagged (or blocked) URLs, otherwise known as risky content. The analysis, which is derived from data gathered between May 30th and June 24th, 2020, revealed that employees clicked on 76,440 links that took them to potentially dangerous websites.
All of these sites were visited on work-assigned devices while using either home or public Wi-Fi or a cellular network connection. The data also revealed several primary risk categories, which were identified using machine learning and based on the reputation scores of over 750 million known domains, more than 4 billion IP addresses and in excess of 32 billion URLs.
The assumption is that a large number of employees connected to protected internal (non-public) networks would have been prevented from accessing this risky content.
- Employees, on average, encounter 8.5 risky URLs per day, or 59 per week
- Remote workers also access around 31 malware sites per month, and 10 phishing domains. That equates to one malware site every day, and one phishing domain every 3 days
- The most common types of high-risk URLs encountered, in order of prevalence, were botnets, malware sites, spam and adware, and phishing and fraud sites
- Over a quarter of the high risk URLs visited by employees were related to botnets
- Almost 1 in 5 risky links led to sites containing spam, adware or malware
- Phishing and fraud, which garner an outsized proportion of news, account for only 4% of the URLs visited
- The ‘other’ category, representing 51% of the data in the chart above, is made up of ‘low-severity’ risky content, such as websites that use proxies, translations and other methods that circumvent URL filtering or monitoring.
2020, a wake-up call for the enterprise and the IT and security teams
IT and security organizations invest heavily to protect their perimeter. Workers located behind desks that are connected to corporate networks are generally safe, secure and productive. They are often unaware that several layers of technology, such as firewalls, are in place to protect them.
With the world continuing to shift to a more mobile and remote environment, 2020 has been a wake-up call for the enterprise and the IT and security teams that support it.
“As this research highlights, remote workers are frequently accessing risky content that would normally be blocked by firewalls and other security tools that monitor internal network traffic. Naturally, this poses an enormous threat to the enterprise,” said Achi Lewis, EMEA Director, NetMotion Software.
“Added to this, many organizations have no visibility into the activity taking place on external networks, let alone any means to prevent it. With such a rapid shift to remote work, enterprise security teams have been left flat-footed, unable to adequately protect users in the face of increasingly sophisticated cyberattacks.”
As a result, security leaders need to look to SDP and other edge-to-edge security technologies that can provide web filtering on any network as they seek to evolve outdated network security strategies.
The recent pandemic created a new normal that redefines the way business operates by eliminating security and physical work borders. An Avertium study found that having employees work from home during the pandemic saved U.S. employers more than $30 billion per day.
The study also predicts that 25-30% of the workforce will be working from home for multiple days per week by the end of 2021. For IT Security teams, this poses many new challenges.
“As we move forward with increasingly complex and fragmented business models, it’s crucial to fully assess and protect business assets from new and emerging cybercrimes,” says Paul Caiazzo, senior vice president, security and compliance at Avertium.
“The goal is to prevent a wide array of online threats and attacks, including data breaches, ransomware attacks, identity theft, hacking at home, business, cloud and hybrid cloud locations and online predators. Work with cybersecurity professionals who understand the increased threats in our new, post-COVID world, and can increase security to mitigate risk.”
Organizations losing visibility into their business network traffic
Many organizations’ security monitoring infrastructure is based upon the assumption that most employees are connected directly to the corporate LAN. By collecting data from Active Directory domain controllers, the perimeter firewall, server and workstation event logs, endpoint protection logs and other key on-premises data sources, an organization can maintain a high level of visibility into activity within its network.
But since many employees have moved outside of the network perimeter, whether by using mobile devices or working from a home or remote environment, organizations have lost visibility into a large percentage of their business network traffic.
Cybercriminals have pounced on the chance to leverage the resulting distraction for their own gain by turning up the volume of their efforts. Bad actors have recently made news by stealing personal data from unemployment benefit applicants in several states, waging ongoing COVID-19-themed phishing campaigns, and creating a 238% surge in cyberattacks against banks.
With so much at stake, it’s important to establish ways of monitoring telework security in a world with disappearing network perimeters.
Telework redefines the network perimeter
With a fully remote workforce, many organizations have been forced to make choices between usability and security. Existing VPN infrastructure was not designed to support a fully remote workforce.
Adoption of split-tunnel VPNs has been widely recommended as a solution to the VPN scalability problem. However, while allowing Internet-bound traffic to flow directly to its destination, instead of over the corporate VPN, increases usability, it does so at the cost of security and network visibility.
Cybercriminals are capitalizing on this opportunity. The United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) recently issued a joint alert noting an increase in cyberattacks exploiting VPN vulnerabilities.
With unmonitored connections to the public Internet, a remote workforce’s laptops can become compromised by malware or a cybercriminal without detection. These devices can then be used as a stepping stone to access the corporate environment via their VPN connection. For a remote workforce, employee devices and home networks are the new corporate network edge.
Securing the endpoint from the cloud
With the network perimeter shifted to teleworkers’ devices, securing the enterprise requires shifting security to these devices as well. Organizations require at least the same level of visibility into activity as they have on the corporate network.
By deploying agents onto the corporate-owned devices used by teleworkers, an organization can implement endpoint detection and response beyond the confines of the corporate network. This includes the ability to prevent and detect malware, viruses, ransomware, and other threats based upon signature analysis and behavioral analysis of potentially malicious processes.
However, an organization also requires centralized visibility into the devices of their remote workforce. For this purpose, a centrally-managed cloud-based solution is the ideal choice.
By moving security to the cloud, an enterprise reduces load on the corporate network and VPN infrastructure, especially in a split-tunnel connectivity architecture. Cloud-based monitoring and threat management also can achieve a higher level of scalability and performance than an on-premises solution.
A cloud-based zero trust platform can also act as an access broker to resources both on the public internet and the corporate private network.
Zero trust agents installed on telecommuters’ devices can securely and dynamically route all traffic to a cloud-based gateway and then on to the target resource in a way that provides the same or better control and visibility than even a well-configured traditional full tunnel VPN solution. By uniquely identifying the user, device and context, zero trust provides fine-grained precision on access control for the enterprise.
Data from the cloud-based ZTN gateway can additionally be used to perform behavioral analytics within a cloud-based SIEM platform, enhancing security visibility above and beyond traditional networking approaches.
Ensuring employee privacy while monitoring telework security
Monitoring telework security can be a thorny issue for an organization from a privacy and security perspective. On the one side, an organization requires the ability to secure the sensitive data used by employees for daily work in order to meet regulatory requirements. However, deploying network monitoring solutions at employees’ homes presents significant privacy issues.
An agent-based solution, supported by cloud-based infrastructure, provides a workable solution to both issues. For corporate-owned devices, company policy should include an explicit consent-to-monitor clause, which enables the organization to monitor activity on company devices.
Agents installed on these devices enable an organization to exercise these rights without inappropriately monitoring employee network activity on personal devices connected to the same home network.
Monitoring BYOD security
For personal devices used for remote work under a BYOD policy, the line between privacy and security becomes blurrier. Since devices are owned by the employee, it may seem more difficult to enforce installation of the software agent, and these dual-use devices may cause inadvertent corporate monitoring of personal traffic.
All organizations employing a BYOD model should document in policy the requirements for usage of personally owned devices, including cloud-based anti-malware and endpoint detection and response tools as described earlier.
The most secure way to enable BYOD is a combination of corporately managed cloud-based anti-malware/EDR, supplemented by a ZTN architecture. In such a model, traffic bound for public internet resources can be passed along to the destination without interference, but malicious activity can still be detected and prevented.
As millions of employees continue to work from home for the foreseeable future and in some cases perhaps indefinitely, balancing the ongoing demands of employee productivity and information security will be paramount.
The historical “castle and moat” model of protecting IT infrastructure is outdated and will be further challenged by the emergence of a new hybrid workforce that is sometimes remote, sometimes on-premise.
When the pandemic first hit, IT departments responded quickly with what one IT analyst called the “Remote Lite” approach—just get staff the basic equipment they need to work from home as efficiently as possible. Now, however, “Remote Lite” needs to quickly morph into a more “Remote Right” approach which takes into account the requirements of permanently managing remote employees’ security, connectivity and productivity.
As many security experts agree, remote work is rapidly expanding the potential attack surface for hackers as the number of endpoint devices given access to a corporation’s network increases. Pharmaceutical companies, particularly those working on Covid-19 vaccines, are just one example of a vertical industry that is experiencing a significant increase in cyberattacks.
A recent survey conducted by Barracuda Networks found that “almost half (46%) of global businesses have encountered at least one cybersecurity scare since shifting to a remote working model during the COVID-19 lockdown.” Cyberattacks that result in the theft of sensitive financial and customer data or intellectual property are just a few of the threats remote workers’ unsecured home networks, poorly managed devices or compromised VPN connections can expose.
It is inevitable that organizations will need to embrace more adaptive and people-centric security models to support a permanently distributed, work-from-anywhere workforce. The challenge for CIOs will be enabling a first-class user experience similar to being in the office while maintaining an equally strong security posture.
Home security hygiene
CIOs will undoubtedly make technology investments to address these increasing threat vectors exposed by a hybrid workforce. Additional safeguards such as biometric identification, multi-factor authentication (MFA), expanded virtual desktop infrastructure (VDI) and enhanced VPN solutions are just some of the IT investments they should consider.
At the same time, non-technology investments will remain critical. 90% of cybersecurity breaches today occur from phishing attacks, so increasing employee training, ongoing phishing testing and increased security monitoring will remain table stakes.
Remote device choice
The modern millennial workforce puts a premium on information access anytime, anywhere and on any device. Yet, their experiences vary on multiple dimensions in terms of access, performance and permissions. As security solutions optimized for specific devices in known locations evolve to meet the needs of the hybrid workforce, using approaches like VDI, users will likely benefit from greater device choice and expanded BYOD options.
Additionally, the concept of “work-from-home kits” may expand. Bundling devices pre-configured to run on secure networks overlaid on consumer internet connectivity with perhaps ergonomically sensitive set-ups will support employee well-being, while also enabling corporately managed network connectivity. While it might be inconvenient for users to have an extra device, in regulated industries such as healthcare, financial services and utilities, it may be essential to respond effectively in today’s threat environment.
Securing unstructured data
For many, passwords have been the tool of choice to restrict access to documents and presentations. Services like Microsoft 365 offer more comprehensive safeguards limiting the distribution of information and restricting document privileges to authenticated users, though many organizations have not widely deployed these features.
Furthermore, as unstructured data moves outside enterprise firewalls, the ability to manage documents is greatly reduced. Therefore, implementing more robust security measures to manage the lifecycle of unstructured data will shift from a nice-to-have feature into a must-have control for many organizations.
Planning for a digital-first future
Rahm Emanuel, the former Mayor of Chicago, once said that “we should never let a serious crisis go to waste; it’s an opportunity to do things you think you could not do before.” Taking this into account, if organizations were not prioritizing security investments and digital transformation before, now is the time.
In this Help Net Security podcast, we’re joined by Leon Lerman, CEO of Cynerio, and Dr. John Halamka, emergency medicine physician and President of the Mayo Clinic Platform. They illustrate how insecure devices increase the cyber attack surface and pose a significant risk to the operational continuity of hospitals and patient safety.
Here’s a transcript of the podcast for your convenience.
Leon Lerman: So John, thank you very much for joining. It’s great hosting you today on the podcast.
Dr. John Halamka: Well, I’m happy to be here and talk about this experience of COVID and everything that has meant for healthcare.
Leon Lerman: Yes, it’s been really crazy times. What we’ve been seeing is really that, since the start of the COVID pandemic, there was a huge increase of about 300% in targeted cyber-attacks. Obviously, in your role, you’re kind of like at the heart of this crisis and the madness. What are you witnessing in terms of shift of priorities in hospitals and in cybersecurity specifically?
Dr. John Halamka: This is of course a very complex question. I’ve always described COVID as five stages. There’s the isolation stage: we all are retreating to flatten the curve. And then there’s the testing stage, and then there’s the pre-vaccine return to work, post-vaccine return to work, and the new normal.
Along all five of those phases, you’re going to see much more Internet of Things activity. So, think about it – even as we move from isolation to testing phase, we’re going to have such things as contact tracing, Bluetooth low energy devices that are looking at proximity and it’s going to require us to give more permissions for more Bluetooth interaction. We’ll see more and more virtual visits.
Just looking at Mayo Clinic and others, they’ve seen their virtual visits go up over a thousand percent in the last eight weeks. So, that means many more remote patient monitoring activities than ever before. As of course we head into that new normal, you’re going to imagine that people are going to now want care at a distance in all kinds of settings. Everything from advanced care in the home, like “why do I need to go to a hospital where I could get COVID?” to eICU.
So, what does all this mean? Remember IoT stands for Internet of Targets. So, if we’re saying thousand percent gains and our virtual connectivity to healthcare, what that means is the attack surface area is bigger than ever before. And even worse, it’s going to be this interesting combination of, sure, devices provided by an enterprise, but a vast explosion in the use of consumer devices. And of course, again, that’s everything from apps on your phone to the thing you bought on Amazon that measures your blood pressure or pulse.
What we’re seeing of course is a huge increase in fraud, a huge increase in cyberattacks. And so, I think our challenge over this next couple of years, and I say years, will be moving to the new normal of increasingly virtualized healthcare delivery, while at the same time dealing with that expanded attack surface.
Leon Lerman: For sure. And one of the concerning things that we’ve been seeing as well is that the sophistication that is required by attackers, because the healthcare industry is so much underserved from a security perspective, the sophistication level is very low. It’s easy to attack hospitals, especially now we’re having more and more vulnerable devices, as you mentioned. And it doesn’t have to be this super sophisticated nation sponsored attack and that’s really worrying indeed.
You talk a lot in your lectures about adopting machine learning and AI in dealing with a lot of those situations, especially cybersecurity, remote patient monitoring, do you think it will be even more adopted and more common right now in healthcare?
Dr. John Halamka: So here’s a challenge again, as we’ve shifted in literally eight weeks to this highly virtualized care system. What are the rules by which an intrusion can be detected? That’s pretty hard to say, right? I mean, if you’re dealing with thousands of different kinds of devices with all kinds of different signatures and provenance, writing a discrete set of rules and keeping that set of rules updated, I would argue is nearly impossible. You have to look at it as variation. “Oh, we’ve never seen before a phone that has a GPS in San Francisco with an IP address in China!”
It’s looking for the patterns that have to be multifactorial, and I could even argue, are probably beyond the human mind to even detect and comprehend because there’s such subtle variations. I think of machine learning as a statistical technique that enables a computer to do what a computer does best, and that is churn through massive numbers of possibilities and identify variation. And that’s a kind of technique we’re not only going to be using for healthcare delivery, but in cybersecurity.
Leon Lerman: Yeah, for sure. And this aspect of also automating a lot of things, especially where people are, their time span is limited, and they have to focus on so many things. I think that’s a huge benefit for healthcare as well. So, say, in terms of regulations post-COVID, are you seeing any government movement in that direction? Making sure hospitals are better prepared for the day after COVID? Do you see hospitals actually better prepared for the next pandemic following this crisis?
Dr. John Halamka: Here’s the fascinating issue. We have HIPAA, GDPR, CCPA, all the rest of these. I would argue that more potent than all those regulations, is reputation. Recently a very large healthcare system, and I won’t mention which one, said “oh, we’re going to partner with a very large tech company and we’re going to do large transfers of data, and don’t worry, it’s all HIPAA compliant”. And of course, the public responded “wait a minute, I don’t really care about the esoteric of HIPAA. Did you really send patient identified data from a hospital to a tech company?”
You’re going to see all these waivers and rollbacks of regulatory constraints, but at the same time, you’re going to see culture demand privacy and security. So, I would say that CIOs, CTOs, CSOs should look at more reputational loss than necessarily the regulatory variants at the moment.
Leon Lerman: That makes a lot of sense. I guess that with all those, with that impact of COVID people will be terrified of what will happen the next time. You mentioned these virtual hospitals going more virtually and telemedicine obviously being on the rise and being more used. Do you see hospitals staying this way long-term? Do you really see people not going into the hospitals in the next few years? Not coming in?
Dr. John Halamka: Well, let’s say it’ll be mixed, of course, but the American Telemedicine Association, hashtag of the day is “don’t roll back”. Because the assumption is if, you heard me say this before, that we have issues of technology, policy and psychiatry, of which the psychiatry is the hardest one. You could argue that COVID completely changed hospital executives’ perception of care at a distance.
People are now saying “well, gee, I didn’t have to drive and park and all that time loss and expense. I really liked this virtual care stuff. In fact, what I need is not just virtual visits or placing, what was it in person visit with video. I now need in-home diagnostics, in-home remote patient monitoring”.
The patient is going to be pretty frustrated if you say “we can do a virtual visit. Oh, now you need to come into the hospital to get this monitor or this test or whatever”. They’re going to demand more and more care at a distance, and hospitals that are going to survive and thrive are going to need to provide that. Sure, some on-prem stuff will happen again, but the notion of us moving to a very virtual capable hospital is forever.
Leon Lerman: Yeah. That would be almost unthinkable of thinking that a hospital has always been considered such a place you’d go to where you feel bad and it’s a place in the minds of the people. That will be a very interesting change.
What would you say would be your advice for startups who are focused, obviously on innovation of new solutions and digital health? What should they focus on right now and how should they approach hospitals and CIOs in being relevant to them during this time?
Dr. John Halamka: It needs to be a total package. What I mean by that is just saying “I’m going to take what was an on prem visit and now make it video”. That’s a tiny part of the whole experience. So, sort of ask yourself end to end, what are the suite of services, some of which will be for very complex patients.
Mayo has termed one of its offerings “advanced care in the home”. Cause it’s more than the virtual visit. It’s the telemetry, it’s the diagnostic testing, it’s the supply chain. In fact, what we’ve had to do is partner with a large national firm that is capable of putting all these IoT devices into your home. In fact, we can’t even rely on your home having reasonable wireless. So, they’re even having to put in LTE, 4G, 5G connections in the home. If you start thinking about that, if you’re offering the whole package, then you better wrap that with security capabilities as well. Because this nature of the boundaries of your hospital were the four walls of your address, are gone forever.
Leon Lerman: Fascinating. I think it will be also very interesting to understand from a security standpoint, once we’re getting out of the boundaries of the hospital, then you have all this third-party apps that they’re developing, different software you have, you mentioned all those devices, bring your own devices. Those device vendors will also have to take part in the security of that. So, I guess it will be a shared responsibility of the various parties to really make sure that all this new ecosystem is secure. That will be a main challenge.
Dr. John Halamka: Well, so here’s an example, as you are starting to see work, not just healthcare delivery about work, go more virtual, are we going to see employers getting employer issued highly constrained devices to every single employee in every single setting? Or better, should they be able to outfit their home workspace in a way that works for them ergonomically and productively, but then be able to create a wrapper around that?
So, you can say “even though today I’m talking to you on a Google Pixelbook Go, and it works for me. I like the keyboard”. If I was told “Oh no, no, no, you can’t run a Google Pixelbook Go, you have to go run this Windows-based device or whatever”. Could I? Sure. Do I really want the employer to buy something that I don’t really like? Not really. I would rather be able to say “here are the security constraints and monitors around the device that you’ve brought”. And am I willing to give or cede to the organization the security monitoring of my environment? Sure. That’s okay. But I still am going to have a diversity of devices of my choosing within my work environment.
Leon Lerman: For sure. I think another challenge around that would be, we’ve seen a lot of, obviously as you mentioned, companies like Twitter who just basically said some of the employees, but it’s a big portion, are now allowed to work from home forever. Other companies allowing employees to work, until the end of the year, to work from home.
Do you think that hospitals, especially IT teams, will they be joining this trend as well? From an employee perspective? And do you think they can do that today from a technology standpoint?
Dr. John Halamka: Let me answer this in a couple of ways. First, I think, and I’ve worked in many, many hospitals across the U.S. and of course visited hospitals throughout the world, and do you know that every one of them has a problem with real estate? They have ORs and ICUs and ambulatory clinics. Great! But then as soon as you start saying “I want to have a thousand administrative staff”, those people are now competing for that valuable healthcare delivery real estate. So, this idea that you could decant the hospital and move all these not direct patient care people somewhere else is a huge win. Do I believe that you’re going to see the administrative components of hospitals stay virtual long-term? Absolutely.
Leon Lerman: Interesting. Last question to you, John, and then a personal one in that sense. You published your predictions for 2020 around changes, and digital health, and where the healthcare industry is going. That was before COVID happened. How did your predictions change following what you’ve witnessed in the last couple of months, if at all?
Dr. John Halamka: What a fascinating question! I have been writing in my new role at Mayo all of these strategic and operating plans and it was a 2030. That was the goal. What is the world going to look like in 2030? Do you know what the world is going to look like in 2030? 2021, right? Because COVID has so rapidly moved the healthcare system from a technology and policy and psychiatry perspective into a virtual care delivery. We’re using AI and ML, and remote patient monitoring, and all these new technologies far faster than anyone could have ever predicted. So literally, I did take my 2030 plan and recast it as six quarters.
Leon Lerman: That’s amazing! How a timeline can be accelerated by a virus! That’s unbelievable! John, thank you very much. It’s been a pleasure talking to you. Thank you very much for your time and insights. Hope we can all look at a more optimistic future in the next couple of months, but at least for the economy to start reopening and obviously so all of us can stay healthy and well. Thank you very much.
Dr. John Halamka: Well, thank you. And I would just close by saying what I hope is we use this as an opportunity. As we’ve moved forward to adopt technology faster than ever, thought about security, talk about the patient, that I think we have an opportunity to create a new normal in economies throughout the world that is actually far better than our legacy. So, I’m optimistic!
Leon Lerman: We all are, for sure. Thank you very much John.
Currently, organizations are struggling to adjust to the new normal amidst the COVID-19 pandemic, a Bitglass survey reveals. 41% have not taken any steps to expand secure access for the remote workforce, and 50% are citing proper equipment as the biggest impediment to doing so. Consequently, 65% of organizations now enable personal devices to access managed applications.
Unprecedented times call for unprecedented actions and the ongoing COVID-19 pandemic has caused what is likely to be the biggest shift towards remote working that the world has ever seen. But, while the technology has been around for quite some time, recent events demonstrate just how few businesses are capable of switching from an office-based setup to a remote one in a fast, secure, and non-disruptive manner.
There’s a significant number of reasons why it is prudent to have a remote working infrastructure in place. Truth be told, “in the event of a global pandemic” probably wasn’t very high up most people’s list before 2020. In normal circumstances, common occurrences like adverse weather, transportation issues, and power outages can also severely affect the productivity of business if employees can’t access what they need outside the office.
That being said, proper implementation of any remote working program is key. In particular, the right security tools must be in place, otherwise businesses risk exposing themselves to a wide range of cyber threats.
This article examines some of the major considerations for any business looking to tackle the security challenges of remote working and implement a program that will enable employees to work both effectively and securely from anywhere.
Security challenges of remote working: Finding the right approach
Historically, office-based businesses have managed off-site workers through the use of virtual private networks (VPNs) and managed devices with installed software agents – also known as the mobile device management (MDM) approach. While still a relatively popular strategy today, it raises an increasing number of privacy concerns, mainly because it gives businesses the ability to monitor everything employees do on their device. VPN technology is also widely considered to be outdated and its complexity means skilled IT professionals are required to manage/maintain it properly.
For businesses without legacy technology to consider, a bring your own device (BYOD) approach is often preferable. Not only does it significantly reduce IT costs, but employees will always be able to work on their device in the event of unforeseen circumstances that prevent them from traveling to the office.
Unlike a managed device approach, employees using their own personal devices have more freedom over what and where they can view or download sensitive data, making robust security even more critical. Below are three security technologies that can be used to complement the flexibility a BYOD program provides:
1. Data loss prevention technology keeps businesses in control
One of the biggest issues with a BYOD approach is how to prevent sensitive data loss or theft from unmanaged devices. The use of data loss prevention (DLP) technology can significantly mitigate this, giving businesses much more control over their data than they would otherwise have. With DLP in place, any unauthorized attempts to access, copy or share sensitive information – whether intentional or not – will be prevented, keeping it out of the wrong hands and helping to prevent security breaches.
2. Behavioral analytics quickly detects suspicious user activity
Implementation of user and entity behavior analytics (UEBA) is a great way to quickly detect anomalous behavior that might indicate a potential security breach amongst your remote workforce. UEBA works by learning and establishing benchmarks for normal user behavior and then alerting security teams to any activity that deviates from that established norm. For instance, if a remote worker typically logs in from London but is suddenly seen to be logging in from Paris, particularly under the current circumstances, this would raise an immediate alert that something is amiss.
3. Agentless technology delivers robust security without breaching privacy
Employees using personal devices as part of a BYOD program can often be resistant to agent-based security tools being installed on them. Not only are some – like MDM – considered an invasion of privacy, but they can also impact device performance and functionality. Conversely, agentless security tools utilize cloud technology, meaning they require no installation but still give security teams the control they need to monitor, track and even wipe sensitive data if/when necessary.
Furthermore, because agentless security tools only monitor company data on the device, employees can be confident that their personal data and activity remain completely private. Leading agentless security solutions even include cloud based DLP as part of their offering, meaning businesses can cover multiple bases in one go.
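The baseline-and-deviation check described under behavioral analytics above (the London and Paris login case) can be sketched as follows. This is an added example, not code from the article or from any UEBA product; the class and function names, the thresholds (five logins of history, 900 km/h maximum plausible travel speed) and the login records are all constructed assumptions.

```python
"""Added example: per-user login baseline with two deviation checks (constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class LoginBaseline:
    """Learns where each user normally logs in and reports deviations."""

    def __init__(self, min_history=5, max_speed_kmh=900.0):
        self.min_history = min_history      # assumed: logins needed before "new" means anything
        self.max_speed_kmh = max_speed_kmh  # assumed: roughly airliner cruising speed
        self.cities = defaultdict(Counter)  # user -> how often each city was seen
        self.last = {}                      # user -> most recent login

    def observe(self, ev):
        """Score one login against the baseline, then update it. Returns alert reasons."""
        reasons = []
        history = self.cities[ev.user]
        # Deviation 1: a city never seen for a user who already has an established norm.
        if sum(history.values()) >= self.min_history and history[ev.city] == 0:
            reasons.append("new_location")
        # Deviation 2: the distance from the previous login cannot be covered in the time elapsed.
        prev = self.last.get(ev.user)
        if prev is not None and prev.city != ev.city:
            hours = (ev.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if hours <= 0 or km / hours > self.max_speed_kmh:
                reasons.append("impossible_travel")
        # Only clean logins extend the norm, so an intruder's sessions do not
        # teach the baseline that the new city is normal.
        if not reasons:
            history[ev.city] += 1
        self.last[ev.user] = ev
        return reasons


# Constructed sample data: coordinates are city centres, users are fictional.
LONDON = ("London", 51.5074, -0.1278)
PARIS = ("Paris", 48.8566, 2.3522)


def _ev(user, ts, place):
    city, lat, lon = place
    return Login(user, datetime.fromisoformat(ts), city, lat, lon)


SAMPLE = [_ev("alice", f"2020-06-0{d}T09:00:00", LONDON) for d in range(1, 6)] + [
    _ev("alice", "2020-06-08T09:00:00", PARIS),   # established user, never-seen city
    _ev("bob", "2020-06-08T10:00:00", LONDON),
    _ev("bob", "2020-06-08T10:20:00", PARIS),     # about 344 km in 20 minutes
    _ev("alice", "2020-06-09T09:00:00", LONDON),  # back to the norm, no alert
]


def run_demo(events=SAMPLE):
    """Replay events in time order and collect (user, city, reasons) for each alert."""
    baseline = LoginBaseline()
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):
        reasons = baseline.observe(ev)
        if reasons:
            alerts.append((ev.user, ev.city, reasons))
    return alerts


if __name__ == "__main__":
    for user, city, reasons in run_demo():
        print(f"ALERT {user} from {city}: {', '.join(reasons)}")
```

The two checks fire independently: alice trips the learned-norm check because she has enough history, while bob has almost none and is caught only by the travel-speed check.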
Over the last few months, the pandemic has forced many businesses to fundamentally change the way they operate. For some, this switch to remote working has been quick and painless, but for many others, a lack of foresight or advanced planning has made it a significant challenge.
Of course, hindsight is a wonderful thing, but even in the midst of this pandemic, it’s not too late to change tack. By combining BYOD with powerful cloud security and analytics technology, businesses of all shapes and sizes can quickly establish an effective, secure remote working program, keeping the wheels of business turning when even the most unexpected things happen.
Less than 50 percent of organizations can patch vulnerable systems swiftly enough to protect against critical threats and zero-day attacks, and 81 percent have suffered at least one data breach in the last two years, according to Automox.
The research surveyed 560 IT operations and security professionals at enterprises with between 500 and 25,000 employees, across more than 15 industries to benchmark the state of endpoint patching and hardening.
While most enterprises want to prioritize patching and endpoint hardening, they are inhibited by the pace of digital transformation and modern workforce evolution, citing difficulty in patching systems belonging to mobile employees and remote offices, inefficient patch testing, lack of visibility into endpoints, and insufficient staffing in SecOps and IT operations to successfully do so.
Missing patches and configurations are at the center of data breaches
The report confirmed that four out of five organizations have suffered at least one data breach in the last two years. When asked about the root causes, respondents placed phishing attacks (36%) at the top of the list, followed by:
- Missing operating systems patches (30%)
- Missing application patches (28%)
- Operating system misconfigurations (27%)
With missing patches and configurations cited more frequently than such high-profile issues as insider threats (26%), credential theft (22%), and brute force attacks (17%), three of the four most common issues can be addressed simply with better cyber hygiene.
Enterprises should patch within 24 hours
When critical vulnerabilities are discovered, cybercriminals can typically weaponize them within seven days. To ensure protection from the attacks that inevitably follow, security experts recommend that enterprises patch and harden all vulnerable systems within 72 hours.
Zero-day attacks, which emerge with no warning, pose an even greater challenge, and enterprises should aim to patch and harden vulnerable systems within 24 hours. Currently:
- Less than 50% of enterprises can meet the 72-hour standard and only about 20% can match the 24-hour threshold for zero-days.
- 59 percent agree that zero-day threats are a major issue for their organization because their processes and tools do not enable them to respond quickly enough.
- Only 39% strongly agree that their organizations can respond fast enough to critical and high severity vulnerabilities to remediate successfully.
- 15 percent of systems remained unpatched after 30 days.
- Almost 60% harden desktops, laptops and servers only monthly or annually, which is an invitation to adversaries.
With cyber hygiene, endpoints need to be scanned and assessed on a regular basis, and if problems are found, promptly patched or reconfigured. Automation dramatically speeds up cyber hygiene processes by enabling IT operations and SecOps staff to patch and harden more systems with less effort, while reducing the amount of system and application downtime needed for patching and hardening. Organizations that have fully automated endpoint patching and hardening are outperforming others in basic cyber hygiene tasks.
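One way to measure an estate against the 72-hour and 24-hour windows and the 30-day unpatched figure quoted above, as an added example that is not part of the Automox report. The record layout, host names and dates are constructed, and treating findings whose window is still open as "pending" rather than as failures is an assumption of this sketch.

```python
"""Added example: patch-window compliance per vulnerability class (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows taken from the article: 72 hours for critical vulnerabilities, 24 hours for zero-days.
SLA = {"critical": timedelta(hours=72), "zero_day": timedelta(hours=24)}
# The article also reports systems still unpatched after 30 days.
STALE_AFTER = timedelta(days=30)


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str                       # "critical" or "zero_day"
    disclosed: datetime             # when the vulnerability became known
    patched: Optional[datetime] = None


def classify(f, now):
    """Return met / late / pending / overdue / stale for one finding."""
    deadline = f.disclosed + SLA[f.kind]
    if f.patched is not None:
        return "met" if f.patched <= deadline else "late"
    if now <= deadline:
        return "pending"            # window still open: not yet a miss
    return "stale" if now - f.disclosed > STALE_AFTER else "overdue"


def sla_report(findings, now):
    """Per class: percentage that met the window, plus hosts needing attention."""
    report = {}
    for kind in SLA:
        by_state = {s: [] for s in ("met", "late", "pending", "overdue", "stale")}
        for f in findings:
            if f.kind == kind:
                by_state[classify(f, now)].append(f.host)
        # Pending findings are excluded from the denominator so that fresh
        # disclosures neither inflate nor deflate the compliance figure.
        decided = sum(len(hosts) for state, hosts in by_state.items() if state != "pending")
        report[kind] = {
            "met_pct": round(100 * len(by_state["met"]) / decided) if decided else None,
            "pending": by_state["pending"],
            "overdue": by_state["overdue"],
            "stale": by_state["stale"],
        }
    return report


_t = datetime.fromisoformat
NOW = _t("2020-07-15T00:00:00")  # constructed reporting time

# Constructed inventory; host names are hypothetical.
SAMPLE = [
    Finding("web-01", "critical", _t("2020-06-01T00:00:00"), _t("2020-06-02T12:00:00")),  # 36 h
    Finding("web-02", "critical", _t("2020-06-01T00:00:00"), _t("2020-06-05T00:00:00")),  # 96 h
    Finding("db-01", "critical", _t("2020-06-01T00:00:00")),                  # open for 44 days
    Finding("lap-17", "critical", _t("2020-07-13T00:00:00")),                 # window still open
    Finding("vpn-01", "zero_day", _t("2020-07-01T00:00:00"), _t("2020-07-01T20:00:00")),  # 20 h
    Finding("vpn-02", "zero_day", _t("2020-07-01T00:00:00"), _t("2020-07-03T00:00:00")),  # 48 h
    Finding("lap-22", "zero_day", _t("2020-07-10T00:00:00")),                 # open for 5 days
]

if __name__ == "__main__":
    for kind, row in sla_report(SAMPLE, NOW).items():
        print(kind, row)
```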
The modern workforce presents a cyber hygiene dilemma
Survey respondents are more confident in their ability to maintain cyber hygiene for on-premises computers and servers compared with remote and mobile systems such as servers on Infrastructure as a Service (IaaS) cloud platforms, mobile devices (smartphones and tablets), and computers at remote locations. In fact, they rated their ability to maintain cyber hygiene for Bring Your Own Device (BYOD) lowest among all other IT components.
These patterns can be explained by the fact that most existing patch management tools don’t work well with cloud-based endpoints, and that virtual systems are very dynamic and therefore harder to monitor and protect than physical ones.
“Phishing has and will continue to be an issue for many organizations. As the Automox Cyber Hygiene Index highlights, 36% of data breaches involved phishing as the initial access technique used by attackers. Detecting phishing is extremely difficult, but giving your users the ability to report suspicious messages along with proper training goes a long way. You want your users to be part of your security team, and enabling them to report suspicious messages is one step towards this goal,” Josh Rickard, Swimlane Research Engineer, told Help Net Security.
“The combination of robust filtering and user enablement can drastically help with the detection of phishing attacks, but once they have been reported, you need automation to process and respond to them. More importantly, you need a platform that can automate and orchestrate across multiple tools and services. Using security, orchestration, automation and response (SOAR) for phishing alerts enables security teams to automatically process reported messages, make a determination based on multiple intelligence services/tools, respond by removing a message from a (or all) users’ mailboxes, and even search for additional messages with similar attributes throughout the organization. Having the ability to automate and orchestrate this response is critical for security teams and enables them to put their focus on other higher-value security-related issues,” Rickard concluded.