How can organizations mitigate the risk of damaging cyberattacks while juggling the constantly changing mix of office and off-site workers?
The pandemic may finally be receding, but remote working is very much here to stay. The model that appears to be gaining most traction is a hybrid one, where most staff are allowed to spend some time working from home (WFH), but will also be required to come to the office for at least part of the week. It’s intended as a “best of both worlds” solution for staff and employers. But as we’ve seen over the past 12 months or more, mass remote working has also created the perfect conditions for threat actors to thrive.
It should be hoped that with more time to operationalize the switch, combined with the experiences of the past year, IT security leaders and their teams will be better prepared than they were in early 2020. But many business leaders admit to being still vague on the details of hybrid working. Any new security strategy must focus on both human and technology, particularly cloud-based, risks.
What’s hybrid working and why now?
The move to hybrid working seems inevitable. When the world stayed at home in 2020, employees found they rather liked the new work-life balance, not to mention the time and money saved on commuting. Managers were surprised to find that productivity didn’t fall off a cliff as many had predicted. Technology stepped in to fill the void with online collaboration, company-issued laptops and cloud infrastructure empowering and supporting a new way of working.
Now that there’s light at the end of a long COVID-shaped tunnel, things are unlikely to return to the way they were pre-pandemic. According to Microsoft, two-thirds (66%) of business leaders say they’re considering redesigning office space, while 73% of employees want to stay flexible with working options, and 67% want more in-person collaboration. A new hybrid model will be an important way to improve staff wellbeing, retention and recruitment, drive productivity and re-energize the workforce – not to mention justify expensive inner-city office space.
Yet there’s still confusion over the details. According to McKinsey, 90% of global organizations will be combining remote and on-site working permanently post-pandemic, yet 68% have no detailed plan communicated or in place yet. Cyberthreats often thrive in the absence of strategic decision making and preparation.
The security challenges of the hybrid workplace
So how big is the cyber risk to organizations as they embrace a new way of working? ESET research from earlier this year found that 80% of global businesses are confident their home-working employees have the knowledge and technology needed to handle cyberthreats. However, in the same study, three-quarters (73%) admitted they are likely to be impacted by a cybersecurity incident, and half said they’d already been breached in the past. This kind of disconnect does not make for coherent cybersecurity planning.
There are in fact multiple challenges facing organizations – many of which were witnessed first-hand during 2020 and the first part of 2021. These include:
The human element
Ask any cybersecurity professional and they’ll probably tell you that the weakest link in the corporate security chain is the employee. That’s why we saw phishing campaigns repurposed en masse during the early days of the pandemic to lure users desperate for the latest news about the crisis. In April 2020, Google claimed to be blocking over 240 million COVID-themed spam messages each day, and 18 million malware and phishing emails.
Home workers are more exposed because they may be distracted by housemates or family members, and therefore more likely to mistakenly click on malicious links. Contacting IT support or even getting a colleague to sanity-check a suspicious email is much harder when working remotely, while personal laptops and home networks may also offer fewer protections from malware.
Now that workers are returning to the office, there are understandable concerns that they may bring bad habits learned over the past 18 months with them.
Technology and cloud-specific challenges
Also exposed during the pandemic has been remote working infrastructure: think exploits targeting unpatched VPNs and misconfigured RDP servers protected with weak or previously breached credentials. ESET reported a 140% increase in RDP attacks in Q3 2020.
The heavy adoption of new cloud services also drew the attention of threat actors last year. There are persistent concerns over vulnerabilities and user misconfiguration of SaaS offerings, as well as reports of stolen account passwords and anxiety over the commitment of some providers to security and privacy. It’s telling that 41% of organizations polled by the Cloud Industry Forum still believe the office is a safer environment than the cloud. Moreover, a hybrid workplace will arguably require even more shuttling of data between remote workers, cloud servers and office-bound employees. This complexity will require careful managing.
How do I plan for a more secure hybrid workplace?
The good news is that, while securing the new hybrid workplace will be challenging, there are best practices that can guide CISOs. The Zero Trust model is gaining in popularity as a way to manage the complexity of on-premises and remote, cloud-based workers and systems.
Led by internal deployments at Google, Microsoft and other tech pioneers, it’s based around the premise that the old notion of corporate perimeter security is now defunct. Today, devices and users within the corporate network are no longer to be blindly trusted. Instead, they must be dynamically and continuously authenticated, with access restricted according to “least privilege” principles and network segmentation put in place to further limit potentially malicious activity. It will require multiple technologies to work effectively, from multi-factor authentication (MFA) and end-to-end encryption, to network detection and response, micro-segmentation and more.
That may not be within the reach of every organization today, especially those with fewer resources to throw at the problem. In the meantime, there are some useful best practices outlined here. Before even thinking about new security controls and technologies, organizations must rewrite their policies for the new hybrid workplace. This should include access rights for individual employees, remote connection processes, off-site data handling, and users’ cybersecurity responsibilities, among many other elements.
Finally, while technical measures like prompt patching are obviously vital, so are human considerations. Regular training and awareness sessions, delivered via bite-sized lessons for all employees, are a crucial component to enhancing any organizations cybersecurity posture. They may be your weakest link, but staff are also your first line of defense.
written by Phil Muncaster, ESET We Live Security