A recent report by Menlo Security, a leader in cloud security, highlights growing concerns about securing users as the trend for hybrid and remote working is set to remain. The new report – which surveyed 500+ IT decision-makers in the US and the UK, including a third at C-level – looks at attitudes to securing remote access to applications and resources and the adoption of Zero Trust solutions.
While most respondents (83%) say they are confident in their strategy for controlling access to applications for remote users, three-quarters are re-evaluating theirs in the wake of new ways of working and the growth in cloud application use. While half of employees are currently working remotely or adopting a hybrid approach, around two-fifths (42%) are expected to continue in 12 months’ time.
According to the findings, three-quarters (75%) of organisations continue to rely on VPNs (Virtual Private Network) for controlling remote access to applications, which rises to 81% for organisations of 10,000+ employees. For around a third (36%) of organisations, a Zero Trust approach also forms part of their remote access strategy.
“It seems that most businesses are confident in their remote access security yet are still relying on a traditional and inherently insecure way of doing things using VPNs, which give access to everything on a network,” said Mark Guntrip, Senior Director, Cybersecurity Strategy at Menlo Security. “With only a third currently using Zero Trust network access, there’s a real opportunity to provide users with access to only those applications and resources needed to do their job. When you start to adopt this approach across everything you do then your whole security mindset changes.”
The top reason for implementing a Zero Trust solution is improved security, according to 60% of respondents, regardless of whether they are using it or not. One-third (32%) point to ease of use, while speed of access and scalability are both more widely recognised among those already adopting a Zero Trust approach. Significantly, 40% of respondents believe that implementing a Zero Trust solution places less pressure on IT.
Despite overall confidence by global IT decision-makers in the robustness of their strategy for controlling application access for remote users, Menlo Security’s research also shows that:
- Three-quarters of respondents believe that hybrid and remote workers accessing applications on unmanaged devices poses a significant threat to their organisation’s security. Despite this, around a fifth still allow unmanaged devices – laptops, desktops and mobile devices – to connect to corporate applications and resources.
- While the majority (79%) of respondents have a security strategy in place for remote access by third parties and contractors, there are growing concerns about the risks they present, with just over half (53%) planning to reduce or limit third party/contractor access to systems and resources over the next 12–18 months.
“As the Internet becomes the new corporate network, controlling user access to private applications has become more important than ever,” said Guntrip. “Organisations need to evolve their thinking from providing connectivity to the entire network, to segmenting access by each individual application. The right Zero Trust approach will ensure seamless access between users and the applications they are authorised to use, while all other applications are invisible, preventing lateral discovery across the network.”
Intelligent CISO spoke to three experts from Check Point Software Technologies, AT&T Cybersecurity and Outpost24 for their thoughts:
Jonathan Fischbein, CISO, Check Point Software Technologies
Over the past year, the ‘new norm’ workspace expanded the organisation’s perimeter. With remote work as the new standard and organisations working on multi-cloud environments, we had to make sure that all the developers and teams accessing confidential assets did not go out of the organisation. The ‘new normal’ required organisations to revisit and check the security level and relevance of their network’s infrastructures, processes, compliance of connected mobile and PC devices, IoT etc. Also, the increased use of the cloud meant an increased level of security, especially in technologies that secure workloads, containers and serverless applications on multi and hybrid cloud environments. Technologies such as VDI (Virtual Desktop Infrastructure) together with several security solutions were adopted to make sure that the exchange of data and information from home was secured. Organisations had switched to using collaboration tools more than ever before. These collaboration platforms, which are an extension of an organisation’s on-premises infrastructure, are completely in the public cloud. To make sure that the confidential information is secured and protected from being exposed in these environments, we had to implement SASE security or extend the CASB solutions to make sure that only the relevant people with Multi-Factor Authentication (MFA) are logging in and are able to access the information.
What needs to change, however, is the approach to cybersecurity. There are two alarming trends in cybersecurity nowadays: multi extortion phases ransomware attacks; and supply chain campaigns. For both, we have sophisticated mitigations technologies that we can implement and we need to step up against the adversaries. If the beginning was rushed and CISOs found themselves having to implement policies on the go, now there is a real need to level up as cybercriminals continue to take advantage of this global shift to exploit organisations and enterprises of all sizes. One of the key challenges facing organisations in a hybrid work environment is the intensity of cyberattacks rather than the exposure to new vulnerabilities. These vulnerabilities made IT and security professionals who faced the relentless discovery of new exploits, to constantly race to patch and fix the cyber incidents. However, patching external facing systems is not enough in this new normal. There is now a need for IT and security leaders to protect the ‘soft’ areas such as employees and assets from vulnerabilities which means securing all endpoints.
With the hybrid workplace in the limelight across many organisations, the important thing for IT professionals and SOC teams is to leverage unified solutions that will provide valuable protection on multiple fronts. The keynote is that hybrid workplace will become a part of our everyday life and as IT professionals and security leaders it makes sense to consolidate the security solutions to ensure each possible endpoint is secured.
Bindu Sundaresan, Director, AT&T Cybersecurity
Many organisations have been considering a network transformation to support the adoption of SaaS and cloud-based applications and an increasingly remote workforce. At the same time, many technologists have had to make sudden and unplanned changes in the way workers connect to corporate systems that could introduce new cyber-risks and vulnerabilities.
When developing a security strategy for supporting a hybrid workforce, it’s essential to identify risk blind spots. As CISOs embark on their transformational journey, identifying these areas of weakness should be the top priority. With hybrid workforces becoming the norm for many organisations, keeping business data safe everywhere is crucial to enabling people to work anywhere. Enforcing the same policies consistently from the endpoint, network, web and cloud requires a new approach. Mitigating third-party risk, baking security into the development process and defending against ransomware attacks are just a few things that should be part of future-proofing your cybersecurity strategy for a hybrid workforce. Key initiatives would include adopting Multi-Factor Authentication (MFA), achieving greater response time through automation, extending Zero Trust to applications, or accomplishing another worthwhile goal.
The rapid adoption of cloud services, IoT, application containers, and other technologies is helping drive organisations forward. However, it also means that security teams must work harder to maintain visibility. To do so, they need to continuously see and catalogue every asset in their environment and accurately determine the security status of their devices. Organisations are feeling a shift in networking and security as they rapidly adopt and embrace the cloud. Enterprises need efficiency, visibility and resiliency. Secure Access Service Edge (SASE) and Zero Trust implementations can provide a more comprehensive security capability to support Digital Transformation.
Martin Jartelius, CSO at Outpost24
Since the use of caves, most security is based on good things on the inside and bad things on the outside. With the introduction of hybrid working, this has dramatically increased the external attack surface and the need to monitor and identify risks proactively as the target on your back increases and network access is scattered from the introduction of insecure endpoints and BYOD. For those that are at the later maturity stage and have a secure hybrid working model in place, having an established network environment will protect against security weakness of users exposed to their home networks and ensuring the mixture of corporate and private access is controlled to protect against new threats and ransomware – providing robust security control and a strong barrier against adversaries looking for vulnerabilities to exploit.
However, for those less security mature and with stretched resources, it’s important to invest in automated and continuous vulnerability management and external attack surface management technologies to ensure you stay ahead of opportunistic hackers. As ransomware threats become rife and bad actors look to create businesses themselves by offering Ransomware-as-a-Service (RaaS), businesses should look at adopting a proactive approach to cybersecurity. This will be vital to help you identify your external attack surface from known and unknown assets and ensuring those outside your corporate firewalls are protected and your crown jewels are secure.
For others who have had to resort to ‘split tunnel’ VPNs to facilitate hybrid working, and earlier ran a traditional border-based security regime, this has been and remains a substantial challenge and requires full risk assessment to reduce your security exposure to this new layer of risk. There are some best practice actions you can take to ensure you’re protected in the interim from hybrid working. These include providing secure document and media repositories for staff, and ensuring your workforce is well trained in security best practice. Applying these to their day-to-day activities will minimise risk of phishing and malware attacks.
Implementing certifications such as Cyber Security Essentials will provide your workforce with best practice advice to help reduce your overall risk exposure. For example, if you are running with a split tunnel VPN, which in practice makes the laptop a bridge between the network and your internal network, the home routers also become the organisation’s responsibility and need to be patched to company security standards. Remaining issues with hybrid working for CISOs to re-evaluate include maintaining physical security controls, and the social factor that users cannot rely on their group for advice. Overall, the security challenge of remote working has become substantially impacted by resource bandwidth, logistics and finding automated solutions that provide complete protection against new technical threats.
Trevor Morgan, Product Manager at comforte AG:
The events of the past 18 months have accelerated the rapid adoption of distributed workforces. Where many companies allowed subsets of employees to work remotely, now most companies – especially those with knowledge workers in the tech and service industries – encourage their distribution away from centralised offices. This trend will probably continue for the foreseeable future.
CISOs have had to reckon with the fact that most legacy cybersecurity tools worked at or near the perimeters of networks, trying to keep hackers out or at least detect intrusion.
Securing the virtual borders around a company’s network always has and still does make sense, but more traditional approaches don’t go much further than that. The problem with hybrid workforces distributed to many different remote locations is that the edges (or borders) are pushed further away from any centralised environment. In this architecture, innumerable connections from many locations around the country or world come into an enterprise’s network environment rather than a limited number of remote sites or satellite offices which make it easier to monitor ingress and egress points.
Unfortunately, CISOs are also reckoning with the fact that, no matter how much they define the edges of their IT environment and protect them, threat actors find ways through or around perimeter defences. This is now a fact that is a primary tenet of Zero Trust, which encourages the assumption that your borders are porous, that hackers have already breached your environment and that in response you must have zero trust in any entity, user, device, or resource attempting to access any other, especially enterprise data (which is the prize possession of any business).
The harsh reality is that CISOs must now grapple with the idea that this highly sensitive information ultimately will make its way into the hands of unauthorised users, many of whom have nefarious purposes in mind and could generate serious risk for the organisation with that stolen sensitive data. Lawsuits, compliance issues and even sanctions can follow, triggering unwanted negative attention to the brand and company. CISOs don’t like unmanaged risk!
The good news is that new mindsets like Zero Trust encourage CISOs to think about the reality of the situation rather than to surround themselves with false complacency. Redesigning cybersecurity postures to challenge rather than to provide admittance provides strong risk prevention, but again the thought is that data will fall into threat actors’ hands one way or another. In this case, the mitigating force of data-centric security, which applies protections to the data itself, is the only real recourse.
Encrypted data is one way to do this, but classic encryption comes with its own issues, including key management complexity and potential issues with business applications not being able to work with encrypted data, which has its original format altered. Better for CISOs to look into next-generation tokenisation and format-preserving encryption, which replaces sensitive data with representational tokens that render sensitive data useless to bad actors but can still enable business users to work with that data in a protected state within mission-critical business applications.