As the business landscape becomes accustomed to having a higher proportion of people working from home, attention is now turning to how to secure a remote workforce into the future, according to Empired.
Temporary measures and those put in place to respond rapidly to lockdowns and social distancing measures are unlikely to sufficiently protect organisations in the long term, requiring a new approach to cybersecurity.
“Most businesses have gone from a fraction of their workforce working remotely occasionally to the vast majority of the workforce working from home all the time," says Jaen Snyman, practice manager – modern workplace, Empired.
"However, cybersecurity systems, for the most part, were designed around on-premise working. This means existing security solutions need to evolve to accommodate the new remote workforce."
The risks facing businesses aren't necessarily new, although threats continue to increase in terms of both frequency and sophistication.
Phishing attacks, ransomware, data exfiltration, and other types of cyberattacks remain key focus areas. The stress, anxiety, and confusion caused by COVID-19 disruptions created an ideal environment for cybercriminals to step up their attacks. This has been manifested in an increase in attacks on virtual private network (VPN) services, for example, which many businesses rely on to provide secure remote access to workers outside the office.
The security control plane was already shifting from the traditional castle-and-moat model to one focused on identity. This has led to increased adoption of a zero trust or lean trust security model.
This is a security approach that assumes every access attempt is potentially originating from an untrusted network. A zero trust approach, therefore, is focused on managing risk.
There are three pivotal steps on the maturity curve to a true zero trust environment:
1. Strong, multifactor authentication is in place for all users, not just high-risk users.
2. All devices are enrolled and managed according to risk-based policies.
3. Risk-based management occurs across identity, devices, and session.
“It's important to develop an architecture that's appropriate for the individual organisation depending on budget, risk appetite, resources, and executive buy-in," says Snyman.
"It's essential to approach security by assuming there is a pervasive risk.
There are four teams that need to collaborate to move towards zero trust maturity:
1. Identity teams: connecting all applications for single sign-on reduces complexity and delivers consistency. Using strong authentication such as multifactor and policy-based access can help contain breaches. And, analytics can determine what behaviour is normal for each user so that abnormal behaviour can be quickly and accurately detected and investigated.
2. Device teams: devices should be registered and teams should implement mobile device management (MDM) security baselines and compliance reporting. Control should include configuration and patching both for the operating system and the multitude of applications in use. Endpoint threat detection is essential to monitor device risk.
3. Network and infrastructure teams: cloud workload protection should be enabled across the environment. Just-in-time access can reduce the attack surface by opening access to key servers and systems purely for the amount of time needed to complete the necessary work, then closing them down again, limiting the opportunity for cyberattackers to gain entry.
4. Applications and data security teams: it's important to agree on a label taxonomy and classify all documents and emails accordingly to minimise the risk of data exfiltration and leakage. If data needs to be shared externally, that can be managed accordingly. It's important to apply real-time protection to high-risk scenarios and perform shadow IT discovery and a cloud control program.
“IT teams can gain executive buy-in for zero trust programs by laying out the risk and the benefits of zero trust plainly and in business terms," explains Snyman.
"Quantifying the cost is important, as is demonstrating how zero trust can mitigate risk. It's also useful to provide a concise roadmap that includes short-term goals.
“Organisations that are unsure of where to start or that have limited resources should start with multifactor authentication as an absolute must-have.
"If multifactor authentication is already in place, it's probably worth reviewing because it is often possible for people to use legacy authentication. It's important to close those gaps. If the business is using a VPN, it's essential to have the latest firewalls and protection in place because of the targeted attacks on VPNs that are occurring right now.
“With these basic steps in place, organisations can secure the remote workforce now and into the future, letting employees get on with growing the business.