As we near 2021, it seems that the changes to our working life that came about in 2020 are set to remain. Businesses are transforming as companies continue to embrace remote working practices to adhere to government guidelines. What does the next year hold for organizations as they continue to adapt in the age of the Everywhere Enterprise?
We will see the rush to the cloud continue
The pandemic saw more companies than ever move to the cloud as they sought collaboration and productivity tools for employee bases working from home. We expect that surge to continue as more companies realize the importance of the cloud in 2021. Businesses are prepared to preserve these new working models in the long term, some perhaps permanently: Google urged employees to continue working from home until at least next July and Twitter stated employees can work from home forever if they prefer.
Workforces around the world need to continue using alternatives to physical face-to-face meetings, and remote collaboration tools will help. Cloud-based tools are perfect for that kind of functionality, which is partly why many customers that are not in the cloud want to be. The customers who have already started the cloud migration journey are also moving more resources to public cloud infrastructure.
People will be the new perimeter
While people will eventually return to the office, they won’t do so full-time, and they won’t return in droves. This shift will close the circle on a long trend that has been building since the mid-2000s: the dissolution of the network perimeter. The network and the devices that defined its perimeter will become even less special from a cybersecurity standpoint.
Instead, people will become the new perimeter. Their identity will define what they’re allowed to access, both inside and outside the corporate network. Even when they are logged into the network, they will have minimal access to resources until they and the device they are using have been authenticated and authorized. This approach, known as zero trust networking, will pervade everything, covering not just employees, but customers, contractors, and other business partners.
User experience will be increasingly important in remote working
Happy, productive workers are even more important during a pandemic, especially as employees are, on average, working three hours longer since the pandemic started, disrupting the work-life balance. It’s up to employers to focus on the user experience and make workers’ lives as easy as possible.
When the COVID-19 lockdown began, companies coped by expanding their remote VPN usage. That got them through the immediate crisis, but it was far from ideal. On-premises VPN appliances suffered a capacity crunch as they struggled to scale, creating performance issues, and users found themselves dealing with cumbersome VPN clients and log-ins. It worked for a few months, but as employees settle in to continue working from home in 2021, IT departments must concentrate on building a better remote user experience.
Old-school remote access mechanisms will fade away
This focus on the user experience will change the way that people access computing resources. In the old model, companies used a full VPN to tunnel all traffic via the enterprise network. This introduced latency issues, especially when accessing applications in the cloud, because it meant routing all traffic back through the enterprise data center.
It’s time to stop routing cloud sessions through the enterprise network. Instead, companies should allow remote workers to access them directly. That means sanitizing traffic either on the device itself or in the cloud.
User authentication improvements
Part of that new approach to authentication involves better user verification. That will come in two parts. First, it’s time to ditch the password. The cybersecurity community has advocated this for a long time, but the work-from-home trend will accelerate it. Employees accessing from mobile devices are increasingly using biometric authentication, which is more secure and convenient.
The second improvement to user verification will see people logging into applications less often. Sessions will persist for longer, based on deep agent-based device knowledge that will form a big part of the remote access experience.
Changing customer interactions will require better mobile security
It isn’t just employees who will need better mobile security. Businesses will change the way that they interact with customers too. We can expect fewer person-to-person interactions in retail as social distancing rules continue. Instead, contact-free transactions will become more important and businesses will move to self-checkout options. Retailers must focus more on mobile devices for everything from browsing products, to ordering and payment.
The increase in QR codes presents a great threat
Retailers and other companies have already started using QR codes, and will keep using them more and more, to bridge contact with things like menus and payment systems and to comply with social distancing rules. Users can scan them from two meters away, making them perfect for payments and product information.
The problem is that they were never designed for these applications or digital authentication and can easily be replaced with malicious codes that manipulate smartphones in unexpected and damaging ways. We can expect to see QR code fraud problems increase as the usage of these codes expands in 2021.
The age of the Everywhere Enterprise
One overarching message came through clearly in our conversations with customers: the enterprise changed for the longer term in 2020, and this will have profound effects in 2021. What began as a rushed reaction during a crisis this year will evolve during the next as the IT department joins HR in rethinking employee relationships in the age of the everywhere enterprise.
If 2020 was the year that businesses fell back on the ropes, 2021 will be the one where they bounce forward, moving from a rushed reaction into a thoughtful, measured response.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks.
“Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” the agency noted.
The list of vulnerabilities exploited by Chinese hackers
The list is as follows:
The vulnerability list they shared is likely not complete, as Chinese-sponsored actors may use other known and unknown vulnerabilities. All network defenders – but especially those working on securing critical systems in organizations on which US national security and defense depend – should consider patching these as a priority.
Mitigations are also available
If patching is not possible, the risk of exploitation for most of these can be lowered by implementing mitigations provided by the vendors. CISA also advises implementing general mitigations like:
- Disabling external management capabilities and setting up an out-of-band management network
- Blocking obsolete or unused protocols at the network edge and disabling them in device configurations
- Isolating Internet-facing services in a network DMZ to reduce the exposure of the internal network
- Enabling robust logging of Internet-facing services and monitoring the logs for signs of compromise
The agency also noted that the problem of data stolen or modified before a device has been patched cannot be solved only by patching, and that password changes and reviews of accounts are a good practice.
Additional “most exploited vulnerabilities” lists
Earlier this year, CISA released a list of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals, the NSA and the Australian Signals Directorate released a list of web application vulnerabilities that are commonly exploited to install web shell malware, and Recorded Future published a list of ten software vulnerabilities most exploited by cybercriminals in 2019.
Admins and network defenders are encouraged to peruse them and patch those flaws as well.
More than 80% of global employees do not want to return to the office full-time, despite 30% of employees claiming that being isolated from their team was the biggest hindrance to productivity during lockdown, a MobileIron study reveals.
The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees are increasingly using their own personal devices to access corporate data and services.
Adding to the challenges posed by the new “everywhere enterprise” – in which employees, IT infrastructures, and customers are everywhere – is the fact that employees are not prioritizing security. The study found that 33% of workers consider IT security to be a low priority.
Mobile devices and a new threat landscape
The current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks. These attacks range from basic to sophisticated and are likely to succeed, with many employees unaware of how to identify and avoid a phishing attack. The study revealed that 43% of global employees are not sure what a phishing attack is.
“Mobile devices are everywhere and have access to practically everything, yet most employees have inadequate mobile security measures in place, enabling hackers to have a heyday,” said Brian Foster, SVP Product Management, MobileIron.
“Hackers know that people are using their loosely secured mobile devices more than ever before to access corporate data, and increasingly targeting them with phishing attacks. Every company needs to implement a mobile-centric security strategy that prioritizes user experience and enables employees to maintain maximum productivity on any device, anywhere, without compromising personal privacy.”
The study found that four distinct employee personas have emerged in the everywhere enterprise as a result of lockdown, and mobile devices play a more critical role than ever before in ensuring productivity.
- Typically works in financial services, professional services or the public sector.
- Ideally splits time equally between working at home and going into the office for face-to-face meetings; although this employee likes working from home, being isolated from teammates is the biggest hindrance to productivity.
- Depends on a laptop and mobile device, along with secure access to email, CRM applications and video collaboration tools, to stay productive.
- Believes that IT security ensures productivity and enhances the usability of devices. At the same time, this employee is only somewhat aware of phishing attacks.
- Works constantly on the go using a range of mobile devices, such as tablets and phones, and often relies on public WiFi networks for work.
- Relies on remote collaboration tools and cloud suites to get work done.
- Views unreliable technology as the biggest hindrance to productivity as this individual is always on-the-go and heavily relies on mobile devices.
- Views IT security as a hindrance to productivity as it slows down the ability to get tasks done. This employee also believes IT security compromises personal privacy.
- This is the most likely persona to click on a malicious link due to a heavy reliance on mobile devices.
- Finds being away from teammates and working from home a hindrance to productivity and can’t wait to get back to the office.
- Prefers to work on a desktop computer from a fixed location rather than on mobile devices.
- Relies heavily on productivity suites to communicate with colleagues in and out of the office.
- Views IT security as a low priority and leaves it to the IT department to deal with. This employee is also only somewhat aware of phishing attacks.
- Works on the frontlines in industries like healthcare, logistics or retail.
- Works from fixed and specific locations, such as hospitals or retail shops; this employee can’t work remotely.
- Relies on purpose-built devices and applications, such as medical or courier devices and applications, to work. This employee is not as dependent on personal mobile devices for productivity as other personas.
- Realizes that IT security is essential to enabling productivity. This employee can’t afford to have any device or application down time, given the specialist nature of their work.
“With more employees leveraging mobile devices to stay productive and work from anywhere than ever before, organizations need to adopt a zero trust security approach to ensure that only trusted devices, apps, and users can access enterprise resources,” continued Foster.
“Organizations also need to bolster their mobile threat defenses, as cybercriminals are increasingly targeting text and SMS messages, social media, productivity, and messaging apps that enable link sharing with phishing attacks.
“To prevent unauthorized access to corporate data, organizations need to provide seamless anti-phishing technical controls that go beyond corporate email, to keep users secure wherever they work, on all of the devices they use to access those resources.”
QR codes are rising in popularity and use, according to a consumer sentiment study by MobileIron. Sixty-four percent of respondents stated that a QR code makes life easier in a touchless world – despite a majority of people lacking security on their mobile devices, with 51% of respondents stating they do not have or do not know if they have security software installed on their mobile devices.
Mobile devices have become even more important and ingrained in everyone’s lives during the COVID-19 pandemic, and 47% of respondents have noticed an increase in QR code use.
At the same time, employees are using mobile devices – and in many cases, their own unsecured devices – more than ever before to connect with others, interact with a variety of cloud-based applications and services, and stay productive as they work from anywhere.
Many employees are also using their mobile devices to scan QR codes in their everyday lives, putting themselves and enterprise resources at risk.
QR codes skyrocketed in popularity and use during the pandemic
- 84% of people have scanned a QR code before, with 32% most recently having scanned a QR code in the past week and 26% most recently having scanned a QR code in the past month.
- In the last six months, 38% of respondents have scanned a QR code at a restaurant, bar or café; 37% of respondents have scanned a QR code at a retailer; and 32% have scanned a QR code on a consumer product.
- 53% of respondents want to see QR codes used more broadly in the future.
- 43% of respondents plan to use a QR code as a payment method in the near future.
- 40% of people would vote using a QR code received in the mail, if it was an option.
Attackers are also capitalizing on security gaps during the pandemic and increasingly targeting mobile devices with sophisticated attacks. Mobile devices are appealing targets for hackers because the mobile user interface prompts users to take immediate actions, while limiting the amount of information available. Plus, users are often distracted when on their mobile devices, making them more likely to fall victim to attacks.
“Hackers are launching attacks across mobile threat vectors, including emails, text and SMS messages, instant messages, social media and other modes of communication,” said Alex Mosher, Global VP of Solutions, MobileIron.
“I expect we’ll soon see an onslaught of attacks via QR codes. A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Or, the hacker could embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials, which the hacker could then steal and use to infiltrate a company.”
QR codes pose significant risks to both end users and enterprises
- 71% of respondents cannot distinguish between a legitimate and malicious QR code, whereas 67% of those surveyed are able to distinguish between a legitimate and malicious URL.
- While 67% of respondents are aware that QR codes can open a URL, they are less aware of the other actions that QR codes can initiate. Only 19% of respondents believe scanning a QR code can draft an email; 20% believe scanning a QR code can start a phone call; and 24% believe scanning a QR code can initiate a text message.
- 51% of respondents have privacy, security, financial or other concerns about using QR codes, but still use them anyway; 34% have no concerns about using QR codes.
- 35% of respondents are unsure whether hackers can target victims using a QR code.
“Companies need to urgently rethink their security strategies to focus on mobile devices,” continued Mosher. “At the same time, they need to prioritize a seamless user experience. A unified endpoint management solution can provide the IT controls needed to secure, manage and monitor every device, user, app and network being used to access business data, while maximizing productivity.
“Organizations can also build upon UEM with a mobile threat defense solution to detect and remediate mobile threats, including malicious QR codes, even when a device is offline.”
The 2020 United States presidential election is already off to a rocky start. We’ve seen technology fail in the primary elections, in-person campaigning halted, and a plethora of mixed messages on how voting will actually take place. Many Americans are still uncertain where or how they will vote in November – or worse, they’re unsure if their vote will be tabulated correctly.
For most of us, voting by anything other than a paper ballot or a voting machine is a foreign concept. Due to the pandemic and shelter in place restrictions, various alternatives have been considered this year — in particular, voting via our mobile devices.
On paper, it might seem like COVID-19 has created the ideal opportunity to introduce voting options that utilize the millions of mobile phones and tablets in U.S. voters’ hands. The reality is, our country is not ready to utilize this technology in a safe and protected way.
Here are the four things holding back mobile voting:
Testing and scalability
If we have learned anything from the Iowa Caucus app failure, it is that testing for scalability is key. Prior to Election Day, we must confirm that every voter will be able to vote from their mobile device from any location, all at the same time, without the system crashing.
This is no small feat: newly deployed code almost always has faults, and if a voting app has not undergone rigorous testing at scale by now (less than 75 days from Election Day), it is highly unlikely that it could be sufficiently tested and distributed in time.
Verification and secret ballots
Tying an identity to a user and phone negates the concept of an anonymized ballot, something we’re entitled to as eligible voters. If the vote is cast via a mobile device — especially if there is some way of reconciling the paper ballot back to the electronic vote — then there has to be an identity key that is used to correlate them.
Verifying the identity of the voter and their device and doing it in a way that also allows for secret ballots is a critical challenge to overcome if mobile voting is ever to become a reality.
Even if the kinks in mobile voting are worked out, how can we ensure overall trust in the system? Not only do we need to trust that our vote was cast, but that it was cast in a way that is private, secure, and for the person it was intended. If there is no reconciliation with the paper ballot, how are any risk-limiting audits conducted? Without an auditable system, it is impossible to win the trust of the electorate, which is an absolute necessity ahead of a process as integral to our country as voting.
QR code risks
Chances are, voters would be directed to a voting website via a QR code. While the reliance on distributed ledger technology — even with a cryptographic signature that is highly resistant to alteration — provides a strong method of recording and tabulating votes, it is still not cyber-invincible.
QR codes are not “readable” by humans. Therefore, the ability to alter a QR code to point to an alternative resource without being detected is simple and highly effective. The target of the QR code could result in compromise of credentials, phishing, and malicious code downloads.
Most significantly in this scenario, the QR code could redirect the voter to a site where their vote is captured, altered, returned to the device or forwarded on to the actual site, and when the voter signs the affidavit and submits their vote, it may or may not be for who they actually intended to vote.
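The risks described above (a code silently pointing at an alternative resource, and codes that draft an email, start a call or send a text rather than open a URL) can be checked on the scanning side before anything is opened. The following is an added example, not code from MobileIron or the original articles; the allowlisted hosts, the sample payloads and the three-way allow/confirm/block policy are assumptions made for illustration.

```python
import re
from typing import NamedTuple
from urllib.parse import urlsplit

# Assumption: hosts this scanner may open without prompting (placeholders).
ALLOWED_HOSTS = frozenset({"ballot.example.gov", "menu.example.com"})

# The actions a QR payload can trigger, keyed by URI scheme.
ACTIONS = {
    "http": "open_url",
    "https": "open_url",
    "mailto": "draft_email",
    "tel": "phone_call",
    "sms": "text_message",
    "smsto": "text_message",
}

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


class Verdict(NamedTuple):
    action: str    # what the payload would make the phone do
    decision: str  # "allow", "confirm" or "block"
    reason: str


def inspect_qr_payload(payload, allowed_hosts=ALLOWED_HOSTS):
    """Classify a decoded QR payload and decide whether to act on it."""
    text = payload.strip()
    match = SCHEME_RE.match(text)
    if not match:
        return Verdict("plain_text", "allow", "no scheme, display only")

    # URL parsers may silently drop tabs and newlines, so reject them here.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        return Verdict("unknown", "block", "control characters in payload")

    scheme = match.group(1).lower()
    action = ACTIONS.get(scheme)
    if action is None:
        return Verdict("unknown", "block", f"unhandled scheme {scheme!r}")
    if action != "open_url":
        # Email, call and SMS hand-offs are shown to the user first.
        return Verdict(action, "confirm", "show the target before handing off")

    if scheme != "https":
        return Verdict(action, "block", "cleartext http")
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port
    except ValueError:
        return Verdict(action, "block", "malformed URL")
    # "https://trusted@other-host/" displays the trusted name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return Verdict(action, "block", "userinfo before host")
    if port not in (None, 443):
        return Verdict(action, "block", f"unexpected port {port}")
    # Exact match only: look-alike subdomains and homoglyph hosts fail here.
    if host not in allowed_hosts:
        return Verdict(action, "block", f"host {host or '(none)'} not allowlisted")
    return Verdict(action, "allow", "https to allowlisted host")


# Constructed sample payloads, as a scanner would decode them.
SAMPLES = [
    "https://ballot.example.gov/2020/start",
    "https://ballot.example.gov@203.0.113.7/2020/start",
    "https://ballot.example.gov.login.example.net/start",
    "http://ballot.example.gov/start",
    "SMSTO:+15550100:YES",
    "mailto:help@example.com?subject=Ballot",
    "Table 12, please order at the bar",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = inspect_qr_payload(sample)
        print(f"{verdict.decision:8} {verdict.action:13} {sample}  ({verdict.reason})")
```

The check only covers what the payload asks the phone to do; it says nothing about whether the allowlisted site itself is trustworthy.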
Ultimately, the most important thing we can do this election is vote — vote by mail, vote in person, vote early, and vote in a way that you can be sure your vote will be counted for the candidate for whom you intended to vote. However, the idea that we’ll be able to safely vote via our mobile devices — at least this time around — is nothing but a pipe dream. Until we work out the security and privacy concerns associated with mobile voting, we’re going to have to stick to traditional methods.
The C-suite is the most likely group within an organization to ask for relaxed mobile security protocols (74%) – despite also being highly targeted by malicious cyberattacks, according to MobileIron.
The study combined research from 300 enterprise IT decision makers across Benelux, France, Germany, the U.K. and the U.S., as well as 50 C-level executives from both the U.K. and the U.S. The study revealed that C-level executives feel frustrated by mobile security protocols and often request to bypass them.
Make security exceptions for the C-suite
- 68% of C-level executives said IT security compromises their personal privacy, while 62% said security limits the usability of their device, and 58% claimed IT security is too complex to understand.
- 76% of C-level executives admitted to requesting to bypass one or more of their organization’s security protocols last year. Of these, 47% requested network access to an unsupported device, 45% requested to bypass multi-factor authentication (MFA) and 37% requested access to business data on an unsupported app.
“Accessing business data on a personal device or app takes data outside of the protected environment, leaving critical business information exposed for malicious users to take advantage of. Meanwhile, MFA – designed to protect businesses from the leading cause of data breaches, stolen credentials – is being side-stepped by C-Suite execs.”
C-level execs highly vulnerable to cyberattacks
The study also revealed that C-level execs are highly vulnerable to cyberattacks:
- 78% of IT decision makers stated that the C-suite is the most likely to be targeted by phishing attacks, and 71% claimed the C-suite is the most likely to fall victim to such attacks.
- 72% of IT decision makers claimed the C-suite is the most likely to forget or need help with resetting their passwords.
“These findings highlight a point of tension between business leaders and IT departments. IT views the C-suite as the weak link when it comes to cybersecurity, while execs often see themselves as above security protocols,” said Foster.
“In today’s modern enterprise, cybersecurity can’t be an optional extra. Businesses need to ensure they have a dynamic security foundation in place that works for everyone within the organization. This means that mobile security must be easy to use, while also ensuring that employees at every level of the business can maintain maximum productivity without interference, and without feeling that their own personal privacy is being compromised.”
MobileIron, the company that introduced the industry’s first mobile-centric, zero trust enterprise security platform, announced a new partnership with Adeya, the secure collaboration leader, to empower today’s global workforce with private, end-to-end encrypted real-time voice and video calls, conference calls, SMS, instant messages, group chats and file exchanges on any device.
The two companies have joined forces, combining their products to offer organizations the ability to add secure collaboration interactions within teams on top of device security. This partnership responds to the growing market demand for compliant, encrypted and secure mobile solutions for enterprises of all sizes.
In recent months, many remote workers have turned to consumer collaboration apps to enable teamwork and business continuity during the COVID-19 pandemic. However, this has exposed security flaws of consumer apps related to backend data sharing with third parties.
Companies have come to quickly realize that many ‘frictionless and free’ consumer apps do not offer an adequate level of security and may share usage data with third parties, which creates data privacy risks.
The potential leakage of a company’s messages, videos, and critically confidential information onto public forums can open myriad legal, financial and reputational risks.
Leveraging the combined solution, customers can now rapidly manage and deploy Adeya’s end-to-end encrypted communication, collaboration and file-sharing solution through MobileIron’s unified endpoint management (UEM) platform.
IT administrators can meet advanced compliance requirements by securely containing the Adeya app on any device with MobileIron and add a layer of additional protection with MobileIron’s Tunnel per-app VPN, while end-users can seamlessly access the app to collaborate and connect with teammates.
“We’re excited to partner with Adeya to help organizations secure their mobile collaboration with a military-grade solution designed for the enterprise,” said Ahmed Shah, Vice President of Business Development at MobileIron.
“With our joint solution, employees can collaborate in real-time, sharing files on any device, while promoting compliance and securing corporate data. The best part is there’s no training or learning curve to slow users down; this is especially important since remote workers have so many other things to juggle as they adapt to a new normal during the COVID-19 pandemic.”
“Remote work has become ubiquitous in the Coronavirus era, and our strategic partnership allows organizations to quickly and easily respond to the growing cyber threats to their digital workplaces, during this extraordinary time,” said Samir Khosla, Chairman at Adeya.
“What is unique about Adeya is that we believe in data sovereignty, and some describe our world view as ‘anti-big data’ – unlike other companies, we do not retain and monetize customer data.
“While our users experience an intuitive consumer-style app, behind the scenes our engine is built on robust military-grade security and privacy technology. The brilliance of our partnership lies in the ease of deployment through the MobileIron UEM.”
As an added benefit, MobileIron and Adeya are offering a free trial till the 15th of June, to quickly enable remote enterprise workers, with an unlimited number of new users and devices.
Passwords remain the dominant method of authentication and top cause of data breaches, according to MobileIron. A new report also highlighted the importance of a zero trust security strategy that provides context-aware, conditional access to a device or user.
EMA surveyed 200 IT and security managers and looked at a range of IAM technologies.
“The digital workplace is driving transformation within organizations of all sizes as employees are increasingly accessing business apps and data from locations outside of their offices and homes,” said Steve Brasen, research director of endpoint and identity management at EMA.
“At the same time, mobile threats are increasing. More than 60 percent of respondents indicated their organization had experienced a security breach in just the last year. Organizations need to implement context-aware security and passwordless authentication to dynamically adapt to modern threats while removing the friction that is inhibiting end user productivity.”
The report reinforced that it’s time to make passwords a thing of the past.
- The username/password continues to be the dominant method of authentication used to access business devices, apps and data.
- The password is still the top attack vector for organizations of all sizes, with 42% of respondents indicating their organization had been breached as a result of a user password compromise.
- Poor password hygiene is also a top cause of data breaches, with 31% of respondents indicating their organization had been breached as a result of user credentials being shared with an unauthorized peer.
- Phishing attacks, which are designed to harvest employee credentials, are prevalent. Twenty-eight percent of respondents indicated their organization had been breached as a result of a successful phishing attack.
- IT and security managers are most confident in the ability of hardware tokens/security keys, thumbprints, and mobile devices to prevent access-based security breaches, compared to other authentication methods like passwords and PINs.
“We all know that passwords are antiquated and open us up to even more cyber threats,” said Rhonda White, CMO at MobileIron. “Organizations urgently need to replace passwords with a secure and frictionless alternative. Making mobile devices the primary form of authentication to enterprise cloud services provides the best user experience for employees and significantly reduces the risk of data breaches for security leaders.”
RSA Conference 2020 is underway at the Moscone Center in San Francisco.
Here are a few photos from the event, featured vendors include: MobileIron, CodeScan, BlockChain Security, DigiCert, LogRhythm.
MobileIron announced that its FedRAMP Authorized MobileIron Cloud offering now includes MobileIron Threat Defense (MTD). This means federal agencies can build upon MobileIron Cloud with MTD for mobile threat detection and remediation.
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The purpose of the program is to accelerate the adoption of software-as-a-service (SaaS) technologies by saving individual agencies the time and money required to do their own information assurance assessment.
“Federal agencies can now build upon MobileIron Cloud with MobileIron Threat Defense to improve their mobile security,” said Bill Harrod, federal CTO at MobileIron. “This is critical as mobile threats are reaching new levels of sophistication and impact every day.
“Federal agencies can block mobile threats and stop attacks by implementing a layered security strategy with MobileIron Threat Defense. With one app, federal agencies can detect and remediate both known and zero-day attacks on the mobile device, without disruption to user productivity.”
MTD offers immediate, on-device threat protection. It detects and remediates mobile threats such as device, network, app and phishing attacks, even when the device is offline. MTD also helps protect against Android threats and iOS vulnerabilities with continuous protection against mobile device threats that exploit user behavior and security gaps.
In addition to protecting federal data from mobile attacks, MTD enables federal agencies to comply with regulatory requirements, reduce total cost of ownership, and drive business innovation with secure mobile devices, apps, and cloud services.