The Cloud Experience Everywhere

Cybersecurity lessons from the hybrid workplace surge: New risks and how to counter them

The pandemic accelerated the move to a new kind of digital workplace, but it also exposed new attack surfaces for cybercriminals to exploit. Here's how businesses can close the security gaps.

By Bedrich Chaloupka, Collaboration Platforms Architect, HPE Worldwide Network, Workplace and IoT Practice;

and Martin Zich, Master Cyber-Security Consultant, HPE Worldwide Security Risk and Compliance Practice

The path to the hybrid workplace was already set many years before the COVID-19 pandemic. Companies were already implementing video conference rooms that would allow the employees in the office to collaborate with those on the road, with minimal barriers. Many had already implemented cloud collaboration platforms, such as Microsoft 365 or Google Workspace, to make collaboration possible from anywhere and at any time.

The difference between now and the time before COVID-19 is the scale, and also the way we think about the work environment model. We used to call it the Remote Workplace, as it was intended for a small group of remote workers. But when the pandemic pushed out this model to many employees, we started to call it the Hybrid Workplace. The 'hybrid' part of the name implied that employees would be enabled to return to corporate offices at least for part of the time and for specific activities which were hard to accomplish from a home office. And everybody, for sure, heard the term "new normal," which implied that many people would continue working from company sites as well as from home offices, cafeterias or wherever they happened to be. (See: What is digital workplace?)

Within the last two years employees and employers have learned the benefit of the flexibility provided by hybrid work, and it has become the new standard in many industries. However, corporate IT environments are now experiencing delays in adopting the necessary technologies to support the hybrid workplace.

Perhaps the most important reason for the delays is the cybersecurity challenge. Most companies were forced to quickly enable remote collaboration capabilities due to COVID-19, but their overall IT ecosystem was not ready for it. Before the pandemic we saw the growth of cloud collaboration platform adoption, but cybersecurity operations were still locked into the corporate network perimeter mindset.

Some companies might have started to talk about Zero Trust as the new cybersecurity model and adoption of identity-based security as the new perimeter, but real implementation of those models was usually in the very early stages or even just on paper.

Another thing that was quite typical of businesses that were caught unprepared was a very weak risk management practice. Many companies failed to recognize that their perimeter-based approach had serious holes. They were using many unmanaged cloud-based applications with little control over the data that was being exchanged with such solutions and with no control over the applications themselves (which were not owned by them).

Protecting the new digital workplace

The competition between cybersecurity operations and cybercriminals is a never-ending story; it's like the rivalry between water and fire. The fast, unplanned expansion and extensive scale of remote work did not allow cybersecurity teams enough time to build necessary fences and barriers, and it provided the cybercriminal community with many opportunities to exploit new attack surfaces.

Here are some typical risks which we are repeatedly seeing, and how companies can mitigate them:

1. Help your users become more aware of cyber threats around remote work. When employees are working in the corporate office, the environment automatically influences them to pay more attention to the security aspects of their activities. Also, most training focuses on how to stay safe in the office environment and how to secure corporate assets there. When they're working from home, they may not realize that the level of security that's set in the on-site office is not the same as in their home office, and that most of the responsibility has been moved to their shoulders.

Companies should quickly adapt their cybersecurity and other internal training courses to reflect this fundamental change. They should help employees become more aware of the risks they face every day by doing their work not only from home offices, but sometimes also from cafeterias, various public places or shared working spaces/hubs. Examples of specific threats include: shoulder-surfing, listening-in to conversations, data leaks caused by failure to lock devices when left unattended, and use of possibly non-secure shared equipment, such as public printers. (Learn how cybersecurity training from HPE Education Services can empower your people to safeguard your business data.)

2. Reinforce your protection of (possibly vulnerable) edge networks. While training is always a useful reminder, many remote workers are already aware of the risk of using Internet hot-spots in public spaces, and they've accepted the limitations in being able to do only necessary work activities in such an environment. However, the home office often is not seen as a public space, even though, from the perspective of Internet connectivity, it is.

Using home networks could in some cases pose an increased risk for the connected devices and the data being transmitted over these networks. These environments are frequently used by other family members, logically for non-work-related activities such as online gaming or social networking. That increases the risk of these devices becoming infected, and a threat that reaches one of them can use it as a pivot point to attack other resources on the home network.

In addition, companies are, of course, unable to set standards for managing and securing private or ISP-owned access points, from the legal point of view, or even in terms of feasibility. How many times in your life have you upgraded firmware on your home AP? Some organizations have started to educate their employees about best practices for securing home networks, but not every employee is enough of a "computer nerd" to be able to use such knowledge.

Businesses should protect the resources accessed from corporate-owned or known and registered employee-owned devices by adopting modern VPN or cloud-based end-point security solutions. They should also consider robust, ideally artificial-intelligence-enabled, identity and access management solutions to quickly detect and block any suspicious activity associated with the employee identity.

3. Control your end-point mixture. During the rapid adoption of remote work, companies were not always able to provide all employees with a corporate laptop, tablet or PC; they expected them to have a suitable device for personal use. However, the number of device models, brands and versions owned by employees for personal use is so extensive that no company can manage compliance for all of them with even minimal security requirements.

Given the shortage of microchips caused by the COVID-19 pandemic and the supply-chain crisis, it's understandable that companies were unable to quickly provide hybrid workers with company-owned and managed devices. But the BYOD strategy was typically not completely worked out; there was basically no time to prepare and fine-tune all of the policies that would be necessary to adequately mitigate the connected risks. Companies were forced to allow these connections to ensure continuity of the business, but by doing so they rapidly increased the possible attack surfaces.

Companies should consider investing in technologies that isolate personal applications and data from corporate tools and resources, for example Client Virtualization solutions, modern Unified Endpoint Management (UEM) applications, and other tools that enable secure BYOD.

4. Ensure sufficient capacity for on-premises deployed systems. Many organizations did not allow their endpoints to connect directly through cloud-based security systems, which usually scale much better than, for example, an enterprise datacenter deploying a VPN or IDS/IPS system. Reason number one that end-user devices needed to connect to the corporate network first was that the solutions securing these connections were still exclusively deployed just at the organization's corporate network perimeter.

In fact, many organizations still have not recognized that, because they are using cloud applications (typically SaaS), their perimeter basically stopped existing in the form they remembered it for years. Remote users are routed to the corporate network, where the devices establishing such connections don't scale well, causing big capacity problems that negatively affect the organization's ability to conduct business.

The logical way forward seems to be an adoption of the relevant cloud-based security tools that would securely enable users to connect directly to cloud-residing applications, such as todayโ€™s heavily used modern collaboration platforms. That ensures much better scaling in case of any utilization spikes.

The top cybersecurity threats, and how they're evolving

Of course, knowledge is the key to defense, and everyone in the organization should be familiar with the main threats and how they are changing:

Phishing. This remains one of the most common types of cyberattack, but thanks to the vulnerabilities described above, it has received an extra tailwind to expand even faster. The combination of personal messaging systems with corporate communication and collaboration solutions on a single device, which could even be shared among several family members, increases the risk of overlooking the signs of a phishing email and opening it or responding to it. Cybercriminals are aware of the situation, and they focus on precisely imitating corporate communications, meeting requests and notifications from online collaboration tools.

Phishing is typically addressed by a combination of a quality security awareness program and technology controls such as various safe-links solutions that rewrite the hyperlinks contained in a message. The rewritten links are then evaluated at the moment somebody clicks on them, and the action is blocked if the user would be redirected to a malicious internet site or would directly download a harmful executable.
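To make the safe-links mechanism concrete, here is an added example (not code from the article or from any HPE product) of the two halves of such a control: rewriting every hyperlink in a message body to pass through a gateway, and evaluating the original target at click time. The gateway address, signing key, blocked host and sample message are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Constructed values for this example: gateway endpoint, signing key and policy lists.
GATEWAY = "https://safelinks.example.internal/click"
SIGNING_KEY = b"constructed-demo-key-rotate-in-production"
BLOCKED_HOSTS = {"login-m365-verify.example.net"}      # constructed phishing host
BLOCKED_EXTENSIONS = (".exe", ".scr", ".hta", ".js")   # direct executable downloads

HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def _tag(token):
    """Short HMAC so a rewritten link cannot be forged to point somewhere else."""
    return hmac.new(SIGNING_KEY, token.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_links(html):
    """Rewrite every hyperlink in a message body to route through the gateway."""
    def replace(match):
        original = match.group(1)
        token = base64.urlsafe_b64encode(original.encode()).decode().rstrip("=")
        return f'href="{GATEWAY}?u={token}&t={_tag(token)}"'
    return HREF_RE.sub(replace, html)


def evaluate_click(gateway_url):
    """Click-time decision: returns ("allow", original_url) or ("block", reason)."""
    params = parse_qs(urlparse(gateway_url).query)
    token = params.get("u", [""])[0]
    tag = params.get("t", [""])[0]
    if not token or not hmac.compare_digest(tag, _tag(token)):
        return "block", "invalid or tampered safe-link"
    original = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    target = urlparse(original)
    if target.hostname in BLOCKED_HOSTS:
        return "block", f"malicious site: {target.hostname}"
    if target.path.lower().endswith(BLOCKED_EXTENSIONS):
        return "block", f"executable download: {target.path}"
    return "allow", original


# Constructed sample message body with one benign and two harmful links.
SAMPLE_HTML = (
    '<a href="https://intranet.example.com/policy.pdf">Policy</a> '
    '<a href="https://login-m365-verify.example.net/auth">Verify account</a> '
    '<a href="https://files.example.org/invoice.exe">Invoice</a>'
)


def decisions_for(html):
    """Rewrite a body, then simulate the user clicking each rewritten link in order."""
    return [evaluate_click(url)[0] for url in HREF_RE.findall(rewrite_links(html))]
```

Because the verdict is computed when the link is clicked rather than when the mail is delivered, a host added to the blocklist after delivery is still caught.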

Ransomware. This is a widespread and growing threat, especially because of new ways of planting it through unsecured endpoints used by remote workers. It has become popular among cybercriminals due to its success rate and the level of damage it can inflict. In recent years it has become its own industry; even less-sophisticated cybercriminals can leverage RaaS (Ransomware as a Service) platforms.

Ransomware threat actors not only encrypt the data, but also steal valuable and sensitive information assets to increase the potential for ransom payment. Today they typically threaten their victims by leveraging a combination of attacks such as DoS/DDoS and publication of sensitive data. This new approach is called "multi-extortion": it uses multiple techniques at the same time.

The reason for these combined attacks is that lots of companies think that having a resilient backup solution solves their ransomware problem completely, and nobody can blackmail them anymore. Backing up data to be able to restore it may solve the problem of data being encrypted by traditional ransomware. However, it would not safeguard the organization against a data leak or denial of services that the attackers could use to convince the victim to pay, even though there's a robust backup solution in place.

Mobile malware. This has surfaced as a new cybersecurity threat in the last couple of years, as regular office workers have transitioned to being remote workers and started to use BYOD capabilities more frequently. Cybercriminals have started to develop malicious applications, often advertised as cool toolsets, UI customizations or games. They also leverage vulnerabilities of frequently used messaging tools to get control of the device or at least spread malicious links.

The solution to counter this threat is adoption of a UEM solution utilizing policy-based validation of the device health and potential misconfiguration of permissions on the application and operating system level, as well as control of access to corporate resources from installed applications.

What's next: upcoming threats for the hybrid workplace and how to counter them

There are also some emerging threats that are worth mentioning here, things that we can see waiting for us in the future. These include machine-learning-enabled or AI-enabled malware, which will be able to adapt its behaviour to the environment in which it lands.

Also, the threat of digital doppelgangers is worth mentioning, since the fact that we are working remotely requires that we prove our identity not by physical presence in the office with a chip card, but via various authentication attributes that include biometrics. Imagine a digital persona which has the same digital attributes as you do. It might have been constructed using the data that you published over social networks or that was collected through a historical security breach. This type of virtual entity might be able to bypass authentication checks.

There is no silver bullet solution for all of the existing and innovative threats. It's time to thoroughly plan and implement the Zero Trust principle of "never trust, always verify" throughout the overall corporate IT ecosystem, including workplace solutions. (Read how HPE is enabling zero trust security architectures from edge to cloud with Project Aurora.)

Modern technologies based on ML/AI (machine learning and artificial intelligence) can help to quickly identify misuse of an employee's credentials or identify lateral movement among corporate resources. Identity and Access Management solutions can limit access to corporate resources to verified users using compliant devices only, authorizing access only at the time they need it to complete their work.

Apart from these already well-known solutions, we also see a growing demand for ransomware-dedicated solutions (RDS), which go beyond the above-mentioned techniques and focus on, for example, setting up secure "clean data rooms." These contain a near-real-time copy of important data that is well tested before it is backed up (using a single-direction data transmission).

Not only that, but we also see a demand for designing and setting up whole emergency IT environments that are not used during normal operations but are securely fed by real-time data and are ready to immediately take over if the original infrastructure experiences an attack.

HPE Pointnext Services can help you build and maintain rigorous security for your IT assets. Learn more about our security risk management services.

Read about HPE hybrid workplace solutions and how we enable secure, seamless and safe environments for employees across sites, facilities, home offices, and everywhere in between.

Bedrich Chaloupka is a Collaboration Platforms Architect in HPE's Worldwide Network, Workplace and IoT Practice.


Martin Zich is an IT security advisory consultant and member of HPE Pointnext Services' Worldwide Security and Risk Management practice. He is focused not only on information security and privacy in different environments and industries, but also on overall cyber-defense and various solutions enabling its practical implementation. Apart from technical advisory, Martin helps organizations to improve their IT security strategies and governance and to address various compliance requirements using IT security best practices.
