2020, meant it was one the busiest year on record for security teams as they fought off bad actors and adapted to new employee behaviours
When the pandemic began, organisations believed remote working would be temporary, but as two weeks became six, and six weeks became six months and most of us remained at home. As we begin 2021, it has become too clear to many businesses that remote work is here to stay. In fact, from /former MobileIron found that 80% of the global workforce never wish to return to the office full-time.
Cybercriminals have never struggled to find new ways to infiltrate organisations, and the mass exodus from the office created even more opportunities for them to exploit. They quickly caught onto the fact that as mobility became essential and workforces were dispersed around the world, it was people, together with their devices and a hodgepodge of home networks, that would make up the new enterprise perimeter.
Cybercriminals adapted to this new reality and began to target remote workers, and the cost was colossal. Conservatively, around the world experienced phishing attacks in 2020, and in the third quarter alone, from the previous quarter, all while the dollars.
Before the pandemic, the cardinal sin most companies committed was inaction. Organisations had simply never prepared to accommodate remote work on such a large scale. In IT, we often spent time pondering different business continuity questions like, “What if there is a fire - where I am storing my data? What about a flood, hurricane?” As a result, localised disaster plans were implemented, but no one planned for the prolonged exodus of the worker.
Fortunately, there are steps companies can take today to begin operating securely with a dispersed workforce, but to do this securely it’s important to consider a Zero Trust framework. Whether on-prem, in the cloud, or at the edge, security will no longer be determined by where you sit or which network you are connected to.
Zero Trust is predicated on the notion that we must assume bad actors are on our network, no matter what security controls or technologies we have in place. So, we take a ‘never trust, always verify’ approach to security. If you haven’t begun this journey yet, here are 5 steps that will help put your organisation squarely on the Zero Trust path:
1. Understand and validate the device being used to access the network
Your company may encounter several device ownership models: corporate-owned, BYOD, edge devices, on-prem and cloud, all of which need some sort of access to business data for productivity. Whether or not there are threats that exist on a device must be weighed prior to allowing any device to access a company resource.
A platform that allows for the provisioning of any device, including corporate-issued and employee-owned, is vital. This will allow IT teams to have maximum visibility over all endpoints that are being used to access business data.
2. Tighten security beyond usernames and passwords
Instead of relying on insufficient and often forgotten passwords and usernames, companies should strive to use more secure tech such as digital certificates that combine with biometric capabilities like facial recognition. This not only removes the burden and the responsibility for an employee to consistently supply and memorise strong passwords, but it also improves the user experience by unlocking Single-Sign-On capabilities.
Eliminating passwords should be tightly coupled with the ability to establish a contextual relationship between the user and the data that they are accessing. It simply isn’t good enough to grant access after the correct username and password is entered. According to , compromised passwords are responsible for 81% of all hacking-related data breaches. Limiting simple passwords access, while governing the capabilities that are granted to users by default needs to be squarely in your company’s crosshairs.
IT staff should also be armed with the ability to look at contextual attributes like “Where is the employee connecting from?” “From which type of device, and is it compromised?” “Which network they are connecting from, is it secure?” "What’s the time and location?” For example, if an employee logs in from London, and then tries to log in from New York or Singapore directly after, that should raise an alarm. Only by consistently examining key security attributes that are continuously collected from the user and device can we establish a Zero Trust relationship.
3. Understand which applications are accessing your data
Just because a service like Salesforce.com is an established and reputable brand, doesn’t mean every app connecting to the service can be trusted. For example, there are many third-party apps designed to help Salesforce users. These apps can download and even share company data with other third-party cloud services. And of course, there is also the risk that an app can contain malware, which may share data with unknown parties or be used to compromise a device.
Companies should only allow access to their data from apps they trust and that they can manage. Even for trusted apps, they should implement DLP (Data Loss Prevention) policies dictating how, and with whom, data can be shared. If an app, or even the user or device become untrusted, companies should have the ability to revoke access to a cloud service, remove or patch an untrusted app, and delete sensitive data from the device.
4. Verify networks
It would also benefit organisations to implement polices dictating how data can be accessed from insecure networks, including common hotspots like a coffee shop or other open Wi-Fi networks. If users are accessing trivial or non-critical data that may be acceptable, but for access to more sensitive data, users will need to be on trusted networks. Companies should endeavour to ensure that employees are not inadvertently accessing rogue networks that may be a launching point for a MiTM attack. Companies should also consider requiring the use of a VPN connection to access company data, because they can be sure the Data-In-Motion is encrypted.
By far the best and most secure user experience for remote workers can be provided by deploying a per-app VPN. A per-app- VPN is an encrypted split-tunnel that allows the mobile user to connect to company resources via a secure SSL connection and access personal apps and websites via the Public Internet. Only company-approved apps (as opposed to malware) access the secure tunnel and ultimately the protected corporate resource.
5. Protect and remediate threats in real-time
Hackers and bad actors are increasingly targeting remote workers with mobile phishing attacks via SMS, messaging apps and email. Increasingly, social media is also an avenue for infiltration; Verizon’s 2020 found 22% of breaches involved social media attacks. It’s vital to protect against phishing attempts, particularly with a remote workforce accessing data from a wide variety of devices that have many attack surfaces. To combat this, automation and machine learning (ML) can be utilised to detect threats and take proactive action to prevent users from opening malicious links before they cause irreparable damage.
Understanding the threat posture of a device is therefore critical: Does the device have the ability to detect phishing URL’s, malware, zero-day exploits, and risky network conditions like MiTM attacks? In the case of mobile, is there a mobile threat detection solution in place? If it’s a desktop device, is endpoint protection deployed? It’s important to build comprehensive defences that look at all of the attack vectors, including device, network, application and phishing attacks.
It’s important to detect threats, but companies must also be able to respond to threats as they emerge. A good solution should also allow you to mount a defence when suspicious activity is detected. You may wish to warn a user, or you may wish to block access to a company or cloud resource. You may even wish to remove data from an untrusted endpoint. Equally important is the ability to self-heal.
Organisation’s need to provide their employees with tools they actually want to use, and that will aid their productivity. The last thing they want is employees waiting on hold with the helpdesk, which is why a comprehensive solution should have the capability to reprovision services once a threat has passed. A threat dashboard isn’t enough if you can’t respond to a threat quickly and get back to business when that threat is no longer active.
The rise in cyberthreats in 2020, meant it was one the busiest year on record for security teams as they fought off bad actors and adapted to new employee behaviours. To mitigate these threats in 2021 and beyond, organisations should consider embracing these five steps on the path to Zero Trust security. Companies that do will have an easier time operating in the post pandemic, everywhere workplace and will be prepared for a secure and productive future, no matter what it may bring.
Author: By Russ Mohr, Ivanti