The security consequences of massive change in how we work

Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.

The security implications of this transition will reverberate for years to come, as the hybrid workplace demands that the workforce be secure, connected and productive from anywhere.

The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.

As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during COVID-19, with more than half implementing MFA.

Cloud adoption also accelerated

Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.

As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.

“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”

Additional report findings

So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.

Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% over the past five years.

Cloud apps on pace to pass on-premises apps – Use of cloud apps is on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.

Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.

iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.

Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.

Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.

Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).

On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.

UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.

The evolving role of the CTO

Since spending more time at home, my appetite for reading has increased. In fact, I recently picked up again one of my favorites – J. R. R. Tolkien’s Lord of the Rings trilogy. In the first book, The Fellowship of the Ring, a conversation between Frodo and Gandalf goes something like this:

“I wish it need not have happened in my time,” said Frodo.

“So do I,” said Gandalf, “and so do all who live to see such times. But that is not for them to decide. All we have to decide is what to do with the time that is given to us…”

The CTO role keeps changing

Such is also the fate of the Chief Technology Officer (CTO). Many things are beyond their control. Yet, in times of crisis, CTOs are relied upon. They often peer into the future and must address dangers to the business and contend with many unknowns. The key to being a successful CTO is deciding the best things to do with what’s in front of us.

Undoubtedly, COVID-19 has placed extensive demands on CTOs who have had to redesign or redistribute technology resources in rapid order with minimal time to research, strategize and execute.

In partnership with IT managers, hybrid work environments had to be constructed and deployed to accommodate remote workers. The number one priority (in addition to equipping employees with devices) was to secure the distributed network against evolving cybersecurity threats.

Now the question is: where do we go from here? Years’ worth of digital transformation progress was made in a matter of weeks. How will we now maintain and scale these systems for years to come? How do we future proof for other disruptions? These questions are what CTOs and their staff are now grappling with.

Being a CTO is about more than just choosing technology solutions or making sure people can work from home successfully. The CTO role is changing to encompass supply chain resiliency, communications solutions and support for sales teams, preventing technological surprise and meeting broader business unit needs.

In this environment, a CTO’s unique combination of technical and institutional knowledge has only become more vital. The CTO must be much more than a technical expert. They must be knowledgeable about every aspect of the business from HR to Finance and everything in between.

Clearly communicating the evolving role of tech across sales, security and more

According to Deloitte, more than half of CEOs say that tech leaders in their companies will be key drivers of business strategy. Filling that role means wearing many hats, the specifics of which differ from enterprise to enterprise.

The CTO doesn’t necessarily even sit in the same place in every management hierarchy. For example, depending on who runs the IT department, the CIO may report to the CTO, or vice versa. The common thread: CTOs have to be versatile.

Some companies see the CTO as an interface between the firm’s customers and its knowledge, capabilities and products. This is largely a sales leadership role, where a CTO can use their technical expertise to connect services and clients. Other times, the CTO is charged with ensuring employees can interact with one another, enabling collaboration, communication and innovation.

What’s important for any organization today, whether it’s an SMB, federal agency or large enterprise, is that the role of the CTO is adaptable to manage disparate tasks: from serving as a C-suite partner advising on operational decisions to counseling customers on specific services.

Of course, CTOs must understand technology in great detail, but they also need to be able to articulate how technology works in a way that average individuals understand.

They must be able to communicate clearly with decision-makers from all departments on issues ranging from cybersecurity to sales enablement platforms to secure supply chains. This is what we call a “T” shaped individual: depth in their specific field of expertise and breadth in all other business areas. The best CTOs are truly Renaissance individuals.

Meeting transformation with expansive knowledge and sharp agility

Research from McKinsey demonstrates that companies that are aware of new technologies and work to build them into their operating models tend to be more successful than those that do not. The responsibility for finding those technologies, understanding them and incorporating them into an enterprise’s strategy at the proper scale falls squarely on the CTO.

Greater digitization has only increased the number of innovative technologies CTOs need to track. The market for global digital transformation products and services is expected to expand at a compound annual growth rate of 22.5 percent from 2020 to 2027.

Greater digitization has also made CTOs more valuable because it has dramatically and substantially expanded their sphere of influence. Increased reliance on technology throughout companies offers CTOs more insights into lines of business and back-office operations.

These insights can be valuable in finding efficiencies and opportunities to innovate. What’s more, the increased reliance on technology means CTOs often have visibility into talent, operations, and partners as well.

As more potential disruptions loom, the fact that every organization looks at its technology roles differently is a good thing, because the people filling those roles also have diverse backgrounds and will bring their own unique perspectives to the job. For example, my own strong background in engineering combined with a doctorate in economics has given me a different view on technologies from some of my peers.

The circumstances surrounding the COVID pandemic have made the blend of deep institutional knowledge and a wide breadth of technical aptitude an essential combination for any agile CTO.

Most enterprises struggle with IoT security incidents

The ongoing global pandemic that has led to massive levels of remote work and an increased use of hybrid IT systems is leading to greater insecurity and risk exposure for enterprises.

According to new data released by Cybersecurity Insiders, 72% of organizations experienced an increase in endpoint and IoT security incidents in the last year, while 56% anticipate their organization will likely be compromised due to an endpoint or IoT-originated attack within the next 12 months.

The comprehensive survey of 325 IT and cybersecurity decision makers in the US, conducted in September 2020, represented a balanced cross-section of organizations from financial services, healthcare and technology to government and energy.

IoT and endpoint security challenge

Alongside headline data that the majority experienced an endpoint and IoT security incident over the last 12 months, the top 3 issues were related to malware (78%), insecure network and remote access (61%), and compromised credentials (58%).

Perhaps more concerning was that 43% of respondents expressed “moderate to unlikely means to discover, identify, and respond to unknown, unmanaged, or insecure devices accessing network and cloud resources.”

“It is clear from this new research that the challenge of securing IoT and endpoints has escalated considerably as employees have been forced to work remotely while organizations try to rapidly adapt to the situation,” said Scott Gordon, CMO at Pulse Secure.

“The threat is real and growing. Yet, on a positive note, the survey shows that organizations are investing in key initiatives and adopting zero trust elements such as remote access device posture checking and Network Access Control (NAC) to address some of these issues.”

The negative impact of an endpoint or IoT security issue

The research found that 41% will implement or advance on-premise device security enforcement, 35% will advance their remote access devices posture checking, and 22% will advance their IoT device identification and monitoring capabilities.

For those that have been victims of an endpoint or IoT security issue, the most significant negative impact was a reported loss of user (55%) and IT (45%) productivity, followed by system downtime (42%).

Holger Schulze, CEO at Cybersecurity Insiders, added, “The diversity of users, devices, networks, and threats continues to grow as enterprises take advantage of greater workforce mobility, workplace flexibility, and cloud computing opportunities.

“Not only do organizations need to ensure endpoints are secure and adhering to usage policy, but they must also manage appropriate IoT device access. New zero trust security controls can fortify dynamic device discovery, verification, tracking, remediation, and access enforcement.”

Additional key findings

  • Respondents rated the biggest endpoint and IoT security challenges as #1 insufficient protection against the latest threats (49%), #2 high complexity of deployment and operations (47%), and #3 inability to enforce endpoint and IoT device access/usage policy (40%).
  • Respondents rated the most critical capabilities required to mitigate endpoint and IoT security as #1 monitoring endpoint or IoT devices for malicious or anomalous activity (54%), #2 blocking or isolating unknown or at-risk endpoint and IoT devices’ network access (51%), and #3 blocking at-risk devices’ access to network or cloud resources (46%).
  • When asked about anticipated investments to secure remote worker access and endpoint security technology, most organizations (61%) anticipate an increase, or significant increase, while few expect a decrease (6%).

Bad habits and risky behaviors put corporate data at risk

IT and application development professionals tend to exhibit risky behaviors when organizations impose strict IT policies, according to SSH.

Polling 625 IT and application development professionals across the United States, United Kingdom, France, and Germany, the survey verified that hybrid IT is on the rise and shows no signs of slowing down.

Fifty-six percent of respondents described their IT environment as hybrid cloud, an increase from 41 percent a year ago. On average, companies are actively using two cloud service vendors at a time.

While hybrid cloud offers a range of strategic benefits related to cost, performance, security, and productivity, it also introduces the challenge of managing more cloud access.

Cloud access solutions slowing down work

The survey found that cloud access solutions, including privileged access management software, slow down daily work for 71 percent of respondents. The biggest speed bumps were cited as configuring access (34 percent), repeatedly logging in and out (30 percent), and granting access to other users (29 percent).

These hurdles often drive users to seek risky workarounds, with 52 percent of respondents claiming they would “definitely” or at least “consider” bypassing secure access controls if they were under pressure to meet a deadline.

85 percent of respondents also share account credentials with others out of convenience, even though 70 percent understand the risks of doing so. These risks are further exacerbated when considering that 60 percent of respondents use unsecure methods to store their credentials and passwords, including in email, in non-encrypted files or folders, and on paper.

“As businesses grow their cloud environments, secure access to the cloud will continue to be paramount. But when access controls lead to a productivity trade-off, as this research has shown, IT admins and developers are likely to bypass security entirely, opening the organization up to even greater cyber risk,” said Jussi Mononen, chief commercial officer at SSH.

“For privileged access management to be effective, it needs to be fast and convenient, without adding operational obstacles. It needs to be effortless.”

Orgs using public internet networks

In addition to exposing the risky behaviors of many IT and application development professionals when accessing the cloud, the survey also revealed some unwitting security gaps in organizations’ access management policies. For example, more than 40 percent of respondents use public internet networks – inherently less secure than private networks – to access internal IT resources.

Third-party access was also found to be a risk point, with 29 percent of respondents stating that outside contractors are given permanent access credentials to the business’ IT environment.

Permanent credentials are fundamentally risky as they provide widespread access beyond the task at hand, and can be forgotten, stolen, mismanaged, misconfigured, or lost.

Mononen continued, “When it comes to access management, simpler is safer. Methods like single sign-on can streamline the user experience significantly, by creating fewer logins and fewer entry points that reduce the forming of bad IT habits.

“There is also power in eliminating permanent access credentials entirely, using ephemeral certificates that unlock temporary ‘just-in-time’ access to IT resources, only for the time needed before access automatically expires. Ultimately, reducing the capacity for human error comes down to designing security solutions that put the user first and cut out unnecessary complexity.”