Processing Your Payment

Please do not leave this page until complete. This can take a few moments.

October 12, 2021

Why the hybrid work era keeps IT and cybersecurity professionals up at night

Photo | Pixabay
By Zachary Comeau

When the COVID-19 pandemic disrupted the normal course of business as we know it, organizations everywhere were forced to work out of their homes and embrace the idea of a dispersed workforce.

However, what was once thought to be a temporary business continuity solution during the course of the pandemic has morphed into a new way of working, even as some organizations are welcoming employees back to the office in some capacity.

This new hybrid work model in which employees are free to work either in the office, their home or any location for that matter is here to stay, as countless studies and surveys have told us since spring 2020.

That includes Cisco’s Hybrid Work Index, the networking giant’s first such study, that found 64% of survey respondents would consider leaving a job if there was no option to work remotely. About half of the respondents to that survey also said their companies will allow working from anywhere over the next six months to a year.

The security challenges of hybrid work

While that much is clear, the demand for hybrid work has thrown IT teams a curveball as employees are logging into company systems from their inherently unsecure home networks. What was once a well-defined network security perimeter has all but disappeared as end users are out of the watchful eyes of IT and cybersecurity experts.

“It’s a huge visibility challenge for us,” said Jeffrey Brown, the State of Connecticut’s first ever chief information security officer (CISO).

In fact, remote work cybersecurity has been a challenge for organizations everywhere, according to a recent Tenable study conducted with research group
Forrester, which found that 74% of organizations that have suffered a business-impacting cyberattack attribute it to remote work vulnerabilities.

Further, 80% of security and business leaders surveyed say they are more exposed to risk as a result of remote work.

Brown, who was hired in March 2020 to oversee the state’s cybersecurity efforts, says assessing the security posture of remote employees – especially their home networks – is very difficult. Consumer networking equipment is generally less secure than commercial products, but it’s the lack of maintenance and updating that makes home networks dangerous pathways on which to send sensitive information about the business.

“We have no real control over anything other than the state-provided laptop,” Brown said.

Consumer networking equipment has improved, and now many products offer some level of data encryption, but most consumers are unaware of the other steps they can take to make home networks more secure.

“If you started asking users, ‘When is the last time you updated your router’s firmware?’, you’d get a lot of blank stares,” Brown said.

Most users aren’t even aware that they can log into their Wi-Fi router to change security settings or at least change their Wi-Fi admin dashboard’s password from the default “admin” or “password.”

One approach many organizations have taken is to require remote employees use a virtual private network (VPN) to funnel everything through the corporate network. Others have opted for a split tunneling approach that lets some applications and devices access the network directly, while others are routed through a VPN, Brown said.

However, those approaches can introduce some latency issues and negatively impact the end user experience, Brown said.

“At a time when some people are going crazy at home … we have to consider the end user experience and the fact that there’s going to be a portion of people that probably are never going to be back in the office,” Brown said.

The focus on endpoint security

However, securing the home networks of employees is not the job of the IT department or a third-party IT services provider. That means IT teams have to look elsewhere to shore up their hybrid workforce’s security.

According to the Tenable study, the lack of visibility into remote employee home networks is a major concern, as 71% of security leaders say they lack high or complete visibility into those networks. Even more alarming, 67% of those business-impacting cyberattacks targeted remote workers, according to Tenable.

Rather than impose requirements on the remote workers’ home networks, organizations instead should focus on the endpoint – the devices on which employees conduct business – like laptops and smartphones. That’s especially true now as some businesses are reopening offices or welcoming employees to work in the company’s building at least part of the time.

According to Brown, a device infected with malware outside of the office can introduce the same malicious activity to the entire organization’s network when an employee logs onto the device from the office.

“In a hybrid model, we have to worry about an infected endpoint coming in and infecting everybody else,” Brown said. “That absolutely happens.”

As part of that focus on the endpoint, users and their IT departments must be vigilant about updating critical systems, especially antivirus and other security software. When a software or firmware vulnerability is disclosed, hackers are quick to exploit unpatched systems. That’s why it’s critical that employees don’t use personal devices for work in the first place, and further, that they don’t bring those personal (and unsecure) devices into the office.

“What you don’t want is that unpatched machine that hasn’t seen an update in six months coming into the office and introducing that vulnerability,” Brown said. “It’s really about increasing the visibility into the endpoint.”

Mounting a layered defense

Phishing – and attack in which a hacker convinces a user to enter their username and password on a phony website after sending an email – is still the easiest way for hackers to compromise a user or company network.

Cloud storage company Cloudian released a report this summer that found despite anti-phishing training, about a quarter of ransomware is deployed after compromising a victim’s systems via phishing attacks.

One of the tools being pushed heavily by the cybersecurity community in recent years and months is multi-factor authentication, which requires an additional form of authentication other than the username and password.

According to Microsoft, multi-factor authentication is successful in stopping 99% of all cyberattacks.

Most methods of multi-factor authentication includes sending secure codes via email, but organizations can also deploy authentication apps or security key hardware like Google’s Titan Security Key or similar products from Yubico.

Now, multi-factor authentication is viewed as basic cyber hygiene, according to Dr. Laurent Michel, the Synchrony Chair professor in cybersecurity in the University of Connecticut’s computer science program.

“Everybody should be embracing multi-factor authentication and the idea that you don’t trust the devices that are coming in,” Michel said.

Michel refers to a Zero Trust approach, which is an IT security concept that views all users, apps and devices connecting to internal resources as potential threats. The idea is to assume that the network has already been breached and make it hard for bad actors to do damage within the network.

For example, a regular non-IT end user should not have access to IT monitoring and management tools, so if that user is compromised, it will be difficult for hackers to move throughout the network.

All users and apps are authenticated every step of the way, creating network security checkpoints at every access point. Think of it as installing a security system in a large building at which everyone needs a security badge to enter the front door. However, only specific employees’ badges work to unlock locations they need to access to do their specific jobs.

“You can mount additional obstacles to make it harder and really try to detract attackers from getting through,” Michel said. “At the end of the day, they’re not going after a specific organization – they’re going for the low-hanging fruit. If they managed to breach you, they will do everything they can, but if there’s another target that’s equally interesting but easier to attack, they will deploy their efforts over there.”

Sign up for Enews

Most Recent

Most Recent

0 Comments

Order a PDF