With mass remote working now the norm, and as the threat perimeter moves to wherever each employee chooses to work from, what digital security approaches must all enterprises have in place?
Remote working is here to stay. As businesses look to define their organisational processes in a post-pandemic landscape, how they ensure high levels of digital security across their workforces and network is paramount.
Research from the Malwarebytes Labs report “Enduring from home: COVID-19’s impact on business security” reveals that 20% of businesses suffered a security breach last year because of remote working. Check Point found that 94% of organisations allow remote access to corporate apps and assets from unmanaged and managed devices, with just 17% allowing remote access using company-managed laptops.
Speaking to Silicon UK, Rick Meder, VP of Strategic Partnerships and Platform Architecture at SonicWall, commented: “With most employees no longer within the protected perimeter of a traditional corporate network, the basic secure access tools in place for remote access workers have become quickly inadequate. The potential attack surface expands exponentially, oversight by security staff is met with extreme challenges, and policy complexity reaches levels like never before. Efforts to uphold an adequate security posture while maintaining workforce productivity quickly become overwhelming.”
Some form of flexible, hybrid working has come into focus as workers look to rebalance work and their personal lives. In a rush to support mass remote working at the beginning of the pandemic, many enterprises needed robust security policies, processes and tools. Today, a new digital security approach is taking shape, heightening awareness of digital threats, and expanding their threat perimeters.
Protecting people and assets
Moving forward, it is critical to place security at the top of the agenda when developing new digital assets. The speed at which new assets must be built for a business to remain competitive can place a strain on security. And the expanding use of open source as a code source is a potential security threat.
A report from TechTarget is telling as it concludes businesses are paying more attention to security as they advance the velocity of asset development: “Organisations are making efforts to incorporate security processes in development so that the faster release cycles do not expose them to an unmanageable amount of security risk. This includes cybersecurity user stories in agile software development processes, security-as-code (SaC), and GitOps. While 59% say they have implemented security-as-code, respondents believe it will be a highly relevant approach in the next two years.”
Human behaviour has also consistently been identified as a weak link in any business’s cybersecurity. How workers approach their personal digital security, and how aware they are of the threats they face, must form an essential component of a comprehensive remote worker security policy. Helping them become more security conscious and change their behaviour is vital to protect them from threat actors and the attack vectors they use. Training is critical, and the reduction in attacks will more than repay the financial investment.
Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, explained to Silicon UK: “As companies begin their recovery roadmaps and the hybrid working model continues, cybersecurity training for staff will prove vital. It is important to ensure all employees are well trained on cybersecurity best practices, such as keeping software updated, unique strong passwords and enabling two-factor authentication. The first line of defence for organisations to stop some attacks is to simply educate employees about the dangers of clicking on links. However, sadly, only a fraction will listen and learn.”
Coffee shop security
Remote workers, by their nature, will have a fluid working space. Businesses can’t assume that the endpoint will always be the homes of these workers. In addition, remote workers will often locate themselves in public spaces, which challenges their security.
A layered approach to digital security is a practical approach all businesses can take. First, assess the level of cybersecurity remote workers are using. Then, look closely at the devices and networks they access. This data will inform your company and enable it to identify the weak areas where security needs to be improved.
Shift to enterprise-managed devices to ensure your company has a full view of the devices in use and their level of security. Password management is a clear and present danger when digital security is considered. Moving to at least 2-factor authentication will improve password security. The National Cyber Security Centre (NCSC) also advises setting password security policies for each worker.
Securing remote access is, of course, vital for remote workers. Here, VPNs (Virtual Private Networks) have become highly popular. Again, the NCSC has core advice about how to choose and set up VPNs for business applications. However, SonicWall’s Rick Meder thinks businesses need a much more integrated approach: “Although encrypted tunnels will typically be part of a solution securing remote workers, the traditional sense of backhauling all remote worker traffic through VPNs to a centrally protected network may no longer be the best approach available. The adoption of cloud environments, SaaS, distributed edge, and other modern architectures have paved the way for re-imagined secure access architectures and improvements to how trusted access is established.”
Adopting a Zero Trust approach to remote worker security is essential to combat expanding threats all businesses face.
“VPNs are a means to secure data between remote workers and core systems,” says Ulster University’s Kevin Curran. “However, in an ideal world, organisations would have a Zero Trust network system deployed to connect with remote worker security. Ideally, this should be rolled-out in a phased manner, which entails pilot projects and tweaks in a safe environment before full deployment. After all, it is crucial to ensure that the zero-trust infrastructure is seamless for employees. That being said, if an organisation has not yet embraced the concepts of privileged access and least privilege, or still uses shared accounts for access, then Zero Trust is probably not going to work.”
Also, Mark Oakton, Infosec Partners Security Director and Consulting CISO, says: “At the moment, it would be a mistake to assume that there is a standard template approach to digital security that can be applied to all remote workers who may be operating in entirely different environments. Yes, there are some core requirements, such as AV, MFA and VPN functionality, that all users need. Still, in some cases, more specialist threat protection may be required depending on variable factors such as the nature of the work, the backoffice infrastructure and the location.”
Oakton concluded: “The reality is that most security controls were not designed for large scale remote working and IT managers and CISOs have no real option other than try to adapt and hybridise the technology for this ‘new normal’. However, in the future with rapid developments in SD-WAN technology, assuming that remote working is here to stay, users could be operating in a virtual office environment as if they are in their physical offices and protected by the same corporate security framework removing the need for a bespoke, hybrid approach.”
The European Union’s Agency for Network and Information Security (ENISA) defined what it called ‘cyber hygiene’ in 2017, stating: “Cyber hygiene should be viewed in the same manner as personal hygiene and, once properly integrated into an organisation, will be simple daily routines, good behaviours, and occasional check-ups to make sure the organisation’s online health is in optimum condition.”
This advice pre-dated the pandemic, but it is now vital for all business leaders to pay attention as they build their remote worker cyber defences. Also, as the post-pandemic era continues, we expect AI security systems to mature to offer a level of security automation that is impossible with current systems and services. Your business should refrain from handing remote worker security to these systems, as active human participation to create robust security behaviours is still your business’s best line of defence.
Patrick Hirscher, Wireless Market Development Manager, Zyxel Networks.
What are the main security challenges facing businesses with mass remote workforces?
“The shift to remote and hybrid work has created several new security risks for businesses, from an overreliance on unsecured home Wi-Fi networks to the rise of cloud-based software.
“Unfortunately, it is well-known that public Wi-Fi usage on company devices leaves gaps in cybersecurity protection. Before the remote shift, secure in-office Wi-Fi networks gave peace of mind to employers. Now, employees are using their own home and public Wi-Fi networks to remain productive without the protections that an employer’s network should provide. By adopting a Zero Trust security model, enforced with continuous and consistent internal security training, organisations can adopt a proactive approach to protecting their business from such threats.
“Another significant challenge presented to many companies is using cloud-based apps for their appliances and daily tasks like Office 365, CRM Systems, and other cloud-based applications. Unfortunately, this leaves massive gaps that IT professionals cannot monitor, making it easier for malware to infiltrate a company’s network. To combat these threats, organisations must implement cloud data protection (DLP) for sensitive data from internal and external threats across the web, email, Software as a Service (SaaS), and public cloud services.
“Finally, a lot of businesses’ workloads are exposed to the public internet through their cloud providers such as AWS, Azure, and GCP, with Microsoft’s RDP (Remote Desktop Servers) servers – a popular infiltration vector for attackers. As an organisation adopts cloud services, it’s increasingly important to evolve access to key enterprise applications – no matter where they are. Moving beyond legacy virtual private networks (VPNs) for remote network access, to a modern, application-specific model is essential as an organisation uses applications within data centres and public clouds. This means utilising Zero Trust Network Access (ZTNA) for private apps in data centres and public cloud services. ZTNA provides an additional level of security that cannot be achieved by a VPN alone because it has the ability to authenticate any company device regardless of location, which can significantly reduce exposure of apps and limit unwanted network lateral movement.”
Are VPNs always the answer to secure remote workers?
“A virtual private network (VPN) is a crucial component of an organisation’s security posture. VPNs enhance remote access security. However, they can’t protect against lax cybersecurity habits. Believing that their environment is fully secured by a VPN, some employees might be lured into a false sense of security and reuse simple passwords, not enable multi-factor authentication (MFA), or open attachments from unknown email addresses. Consistent employee education and training remains a fundamental component of securing your network.”
Remote workers may work from multiple locations, including in public spaces. How should businesses approach digital security in these scenarios?
“With the rise of hybrid working, employees now have the flexibility to work from anywhere, but organisations must understand the security risks associated with this new working landscape. For example, allowing users to connect to internal infrastructure directly creates a risk of information exposure. A VPN will enable you to privately access your corporate network and establish secure communications between devices.
“When working remotely, employees might need access to resources previously only accessible on a wired network in one location. To make these resources accessible over a VPN, a segmented internal network design may need to be flattened. Problematically, this will open the door to malware spread and lateral movement. Client certificate authentication protecting web services might need to be turned off to enable BYOD working for employees that don’t have a company laptop.”
How does zero trust connect with remote worker security?
“Ensuring good cyber care for employees is simplified in an office setting, where all connected devices are on a secure network under the IT department’s supervision. However, with a distributed office setup, organisations can’t control which networks and devices their employees use to access company data and information.
“When employees work remotely, you must establish contextual relationships with them to ensure they’re who they say they are. Employers need to validate the devices and applications employees use to connect to their systems and data. They must ensure that the network employees are linking to is secure. The differences between working from an office setting versus a personal network or public Wi-Fi at a coffee shop or train station can be the silver bullet for a bad actor trying to override an organisation’s security measures.
“Companies have never been more vulnerable. Organisations should implement a Zero Trust strategy to galvanise their security and better defend their digital assets from emerging threats and attacks in the new telecommuting world. To guarantee success, they must provide a simplified user experience for their employees.
“Zero Trust security is an ongoing verification process that takes place whenever a device tries to obtain access or connect to a business’ network. Through this approach, companies are better positioned to defend against the leading causes of security breaches — including user impersonation, password reuse, data breaches and stolen credentials — by analysing various pieces of information to confirm one’s identity before granting access to the network. This can include a combination of numerous strategies, such as the micro-segmentation of networks, authentication of users and verification of a secure network.
“By implementing zero trust security, companies can do away with standard password protection, one of the leading causes of phishing schemes. Simultaneously, they can ensure greater user privacy — granting peace of mind for the company and its employees.”
The human factor in digital security is often the weakest link. So how can enterprises improve this aspect of remote worker security?
“One of the biggest challenges of remote working is ensuring that employees maintain security-conscious behaviour when working offsite. Whether they’re downloading all available security patches, keeping devices with antivirus/antimalware solutions, or selecting strong passwords. Suppose employees aren’t implementing basic security practices at home. In that case, there will inevitably be a higher risk of a data breach, so it’s essential to make employees aware of how they can protect themselves by using security awareness training to educate them on the latest threats and best practices.
“While some companies enable employees to use personal devices to access internal resources, the use of personal devices creates significant security risks, because there’s no formal process for verifying that these devices are updated and maintained. As a result, it is safest for organisations to establish remote working policies that forbid the use of personal devices to access work resources. Then an administrator can take responsibility for managing work devices, ensuring that they’re patched so that there are no vulnerabilities in the systems that a cybercriminal can exploit.”
The consumerisation of business tech is now complete. How can enterprises ensure all endpoints are secure across the multiple devices in use by their workforces?
“Implement the principle of least privilege. Although enabling all employees to access a shared file or application may be convenient, it puts private information at risk of unauthorised access from malicious entities. Implementing the principle of least privilege and ensuring that employees only have access to the data they need to complete their day-to-day responsibilities is critical for ensuring that your data doesn’t fall into the wrong hands. A straightforward way to control access to applications and services is to use multi-factor authentication (MFA). Employees must provide multiple authentication factors to log in, such as a password and a passcode sent to a trusted email or device.
“As hybrid work has become the new normal, securing the workplace doesn’t just mean securing the office but securing all remote sites. In 2023, that means investing in building security strategies that are remote-working ready and prepared to secure devices in remote environments. While it is difficult to mitigate the risks of remote working entirely, organisations can significantly improve their security posture by ensuring that employees engage in security-conscious behaviours while working from home, enforcing the principle of least privilege, and building the detection and response capabilities to respond to incidents fast.”
What will the long-term security landscape look like for businesses with remote workers?
“In recent years, businesses across the globe have become the target of large-scale cyberattacks by malicious actors. According to the UK Government’s Cyber Security Breach Survey, phishing attacks accounted for 83% of all business cyber hacks in 2022. For organisations with access to sensitive data, falling victim to such an attack could have catastrophic implications.
“To prevent sensitive data from getting into the wrong hands, businesses should consider investing in an Access Point with a security component. Relatively new to the market, these APs can be managed centrally via a cloud platform, filtering out any unsafe web content and preventing users from accessing the data streams of others, barring malicious actors from spying, or stealing the information of others.
“While these security profile embedded APs have a premium price point, they eliminate the need for a separate security gateway device, saving businesses money in the short and long term.”