Be it a handful of days a week or full-time, Remote Working (or, perhaps more accurately, flexible working) is here to stay.
So what changes to Remote Work Security have organisations considered to keep their Employees, Data and Devices safe and secure in 2021?
And what other considerations should you be making as we move into 2022?
Keeping Employees Safe
This is perhaps where we’ve seen the biggest focus from organisations. Fortunately, the prevalence of Instant Messaging has meant it’s quick and easy to check something with a colleague. However, it’s not the same as being able to check something with a colleague who’s physically in the Office with you.
Humans Are Still a Weak Link
The 2021 Hiscox Cyber Readiness Report and the 2021 Verizon Data Breach & Incident Report (DBIR) both broadly spoke about the same issues. Most breaches aren’t the result of highly complex hacks by Nation State actors.
Predominantly it’s organised crime syndicates seeking to exploit the weakest links for financial gain – the likes of Phishing, Ransomware and Exfiltration of Data to ransom back to the owner or to sell on the Dark Web.
People, E-Mail and Passwords are still common entry points. That’s unlikely to change – Verizon’s report cites Social Engineering, System Intrusions and Basic Web Application Attacks in the top 4 when looking at patterns in incidents and breaches.
(Verizon define an Incident as an event that compromises the integrity, confidentiality or availability of an asset. They define a Breach as an incident where there has been confirmed disclosure or potential exposure of data to a third party.)
When it came to breaches, Verizon found that 85% of those studied involved a human element and 61% involved credentials.
For incidents, the biggest financial impacts were good old Business E-Mail Compromise (BEC) and Computer Data Breaches (CDBs). That’s probably unsurprising to you.
Education, Education, Education…
The two reports underscore the importance of User Awareness Training and serve as good validation for those organisations investing in it.
There’s a plethora of options. You can go people-led, with courses and classroom training, or use technology platforms that drip-feed short, sharp, interactive modules to users on a monthly or biweekly basis.
Although some training is better than none, here at Koncise we believe the two key factors you should focus on for a successful Awareness Training programme are:
1. Engagement level from users (as a benchmark, Mimecast would suggest that 70% engagement and above is excellent)
2. Measurable results and trends
It’s easy to get caught up in content, but it can be a Red Herring. Broadly speaking, the shorter the better, and don’t be put off by the use of humour in an otherwise serious subject. The content isn’t designed to be likeable – memorable is far more important.
Taking it one step further, once you have users engaging and benchmarked you can measure trends over time – i.e. are users digesting the content and able to respond to questions on it accurately?
User Risk Profiling
Increasingly, we’re seeing integrations between platforms to allow a user’s risk profile to be weighted across multiple platforms.
As an example from within the ecosystem of Vendors we work with (other platforms are available – KnowBe4 and Tessian have a neat integration, for example), the following are data points for calculating a user risk score:
- Mimecast’s E-Mail Security service looks at how a user interacts with URLs that come through E-Mail. Are they clicking on safe or unsafe links, and are they correctly identifying and reporting the odd phishing E-Mail? The fewer dodgy links a user clicks (Mimecast stops bad links from being accessed, but monitors the user’s behaviour) and the more accurately they report Phishing, the better their risk score
- Netskope looks at a user’s risk profile based on how they behave and interact with data across Web/Cloud services – a user might be great at not clicking on dodgy links and spotting phishing E-Mails, but could then be using, or trying to use, the likes of ZippyShare to share confidential corporate data
- Mimecast’s Awareness Training can correlate this data with a risk score from training module output to give a broader calculation of risk, and allow Netskope/Mimecast policies to be orchestrated to give extra scrutiny to what risky users are allowed to do.
Personal Cybersecurity, Not Just Corporate
Some businesses are buying AV licences on behalf of their users, with both ESET and Norton LifeLock offering companies the ability to provide licences as a Corporate Benefit. If BYOD is allowed, this makes a lot of sense!
Companies could even look at something like Jumbo to help their employees better understand how common consumer and social media platforms use, share and mine their data. Jumbo also gives people the chance to easily set up MFA on many consumer platforms.
Remote Work Data Security
Whether it’s fully remote or flexible with several days a week in the office, it’s clear that the days of people working from a traditional Office 5 days a week are long gone and unlikely to be a norm anytime soon.
For many organisations, this has accelerated a cloud-first modernisation strategy (many organisations were already moving this way, but perhaps had planned to do so more slowly than they are now being forced to), making applications and Data more readily accessible from wherever an employee chooses to work.
CASB Goes Mainstream
Whilst many SaaS applications can give some insight into the nature of the data they hold, and some control over how that data is accessed, managed or extracted, the ability to have a single pane of glass for IT Teams to manage and control the data flow between applications and devices is a big requirement at the moment.
Through a mixture of API integrations, identity integrations and agents on endpoints to proxy web traffic, organisations can get oversight and control of:
- SaaS and IaaS applications and services being accessed – Highlighting both known/sanctioned and also unknown/unsanctioned applications being used by employees
- Activities within those applications – for example, when it comes to uploading files you might only want to enable uploads to corporate apps, such as the corporate instances of OneDrive/Google Drive/Dropbox, rather than to a personal Dropbox instance
- Data contained within key applications – Does it contain sensitive data, what files might have been shared externally etc…
- Unusual activity – for example, has a user downloaded data from the CRM and then uploaded it to a personal file sharing service
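The last two bullets describe correlation logic rather than a single control: a CASB has to tell a corporate instance from a personal one, and has to join a download from a sensitive app to a later upload elsewhere by the same user. The following is an added illustration of that logic, not code from the post or from any of the platforms it names. The event log, the app catalogue and the instance names are all constructed, and the one-hour correlation window is an assumed policy value.

```python
"""Correlating CASB-style activity events to spot risky data movement.

Added example with constructed data: the events below are invented, not real
CASB output, and the app catalogue (sanctioned / unsanctioned / personal
instance) is a stand-in for the policy a real platform would hold.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: which apps are sanctioned, and which instance ids belong
# to the corporate tenant. A real CASB resolves this per request.
SANCTIONED_APPS = {"Salesforce", "OneDrive", "Google Drive", "Dropbox"}
CORPORATE_INSTANCES = {
    "OneDrive": {"contoso-corp"},
    "Google Drive": {"contoso.example"},
    "Dropbox": {"contoso-business"},
}
SENSITIVE_SOURCES = {"Salesforce"}        # CRM-style apps holding customer data
CORRELATION_WINDOW = timedelta(hours=1)   # assumed policy value

# Constructed activity log: (timestamp, user, app, instance, action, bytes)
EVENTS = [
    ("2021-09-14T09:02:11", "alice", "Salesforce", "contoso", "download", 5_200_000),
    ("2021-09-14T09:07:43", "alice", "ZippyShare", None, "upload", 5_198_000),
    ("2021-09-14T09:15:00", "bob", "OneDrive", "contoso-corp", "upload", 120_000),
    ("2021-09-14T10:30:00", "carol", "Dropbox", "personal-carol", "upload", 900_000),
    ("2021-09-14T11:00:00", "dave", "Salesforce", "contoso", "download", 40_000),
    ("2021-09-14T15:30:00", "dave", "WeTransfer", None, "upload", 40_000),
]


def parse_events(rows):
    """Turn the raw tuples into dicts with real datetimes, sorted by time."""
    parsed = [
        {"ts": datetime.fromisoformat(ts), "user": user, "app": app,
         "instance": inst, "action": action, "bytes": size}
        for ts, user, app, inst, action, size in rows
    ]
    return sorted(parsed, key=lambda e: e["ts"])


def classify_app(event):
    """Return 'sanctioned', 'personal-instance' or 'unsanctioned' for one event."""
    app, inst = event["app"], event["instance"]
    if app not in SANCTIONED_APPS:
        return "unsanctioned"
    corporate = CORPORATE_INSTANCES.get(app)
    if corporate is not None and inst not in corporate:
        return "personal-instance"   # sanctioned app, but not our tenant
    return "sanctioned"


def shadow_it_uploads(events):
    """Uploads that leave the corporate estate: unsanctioned apps or personal instances."""
    return [
        (e["user"], e["app"], classify_app(e))
        for e in events
        if e["action"] == "upload" and classify_app(e) != "sanctioned"
    ]


def exfil_sequences(events, window=CORRELATION_WINDOW):
    """Per user: a download from a sensitive app followed within `window` by an
    upload to a non-sanctioned destination. Returns (user, src_app, dst_app)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        downloads = [e for e in evs
                     if e["action"] == "download" and e["app"] in SENSITIVE_SOURCES]
        for d in downloads:
            for u in evs:
                if (u["action"] == "upload" and classify_app(u) != "sanctioned"
                        and d["ts"] <= u["ts"] <= d["ts"] + window):
                    findings.append((user, d["app"], u["app"]))
    return findings


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for row in shadow_it_uploads(evs):
        print("shadow IT upload:", row)
    for row in exfil_sequences(evs):
        print("download->upload sequence:", row)
```

Note the two kinds of result: carol’s upload to a personal Dropbox is flagged even though Dropbox itself is sanctioned, and dave’s download-then-upload is not joined because the upload falls outside the window, which is exactly the tuning decision a real deployment has to make.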
Platforms providing this sort of capability have previously been referred to as Cloud Access Security Brokers (CASB). There has already been an evolution for many of these platform providers into a Secure Access Service Edge (SASE) platform that combines both cloud/web application controls and DLP to also include some or all of Web Security, Remote Browser Isolation, Software-based Network Security/Management controls, Firewall-as-a-Service and Threat-Protection.
Aside from providing better-suited visibility and controls for the modern-day infrastructure SASE also provides a consolidation opportunity with many organisations able to disband legacy DLP, Web Security and VPN services and amalgamate them into a single platform that combines much of the functionality that SASE encompasses.
Keeping Sight Of Devices – Back To The Cyber Future
The emergence of SASE as an architectural concept to better manage and secure remote, flexible and cloud-first workforces has flipped traditional Network Security on its head.
Traditional Network Security vendors like Check Point, Palo Alto and Darktrace have all brought out modules seeking to extend their capabilities into devices that are off-network as well as manage and control cloud apps/services.
That’s great, but a major problem that remote/flexible working brings IT Teams is the lack of visibility of devices out there that they need to be responsible for. If devices aren’t regularly in the Office on a corporate network then how can IT Teams be sure that they know of all of the devices they’re responsible for?
Beyond that, how can they be sure that those devices have the right security tools installed on them, or meet company policy for configuration (i.e. that they have hard disk encryption enabled and are properly patched, without major vulnerabilities exposed)?
Asset Management 2.0
We’re seeing a renewed interest in Asset Management of IT Hardware to try and highlight gaps in coverage so that they can be plugged. A focus on Cybersecurity Asset Management, if you like. Some of this is done by CMDB tools, Directories, Endpoint Management tools or good old-fashioned Excel, but this still risks missing devices that are out there.
We believe the best practice is to correlate device information across existing tools and platforms to build a centralised list of devices, their tools, vulnerabilities, and configuration.
This can be done in Excel or can be done using a tool like Axonius (We’d wager that many of you reading this wouldn’t have heard of them until reading this sentence). Axonius are pioneering Cybersecurity Asset Management – A platform that enables you to:
- Correlate device information across multiple tools (like AD/Okta, Vulnerability Scanners, Endpoint Management/AV, Networking Equipment and CMDB tools – there are 400+ connectors to tools, and the number is growing rapidly) using read-only APIs to give a centralised, current repository of:
  - Devices known by these tools
  - What tools/software they have installed on them
  - What vulnerabilities a device has that might not have been patched
  - Configuration Information
- Easily query the repository to work out gaps in coverage (i.e. which devices might not have an Endpoint AV agent installed on them) or to find devices that don’t meet your organisation’s configuration policy
- Once identified, policies can be configured to install missing tools or to patch vulnerabilities on autopilot, meaning you can quickly plug gaps and be confident of your posture
- As a by-product, it enables SOC teams responding to incidents to quickly see all important information about a device, reducing triage time
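The correlation step above is where the value comes from, and it is also where hand-maintained spreadsheets fall over: the same laptop appears as a fully qualified name in the directory, a bare lower-case hostname in the EDR console and an upper-case name in the endpoint-management tool. The following added example, which is not Axonius code or any vendor’s API, shows the essence of the approach with four constructed inventories: normalise the identifiers, merge into one record per device, then run the coverage queries the text describes (no EDR agent, disk not encrypted, unpatched critical/high findings, devices known only to the scanner). The `.corp.example` suffix and the `PLACEHOLDER-VULN-*` finding ids are invented.

```python
"""Correlating device inventories from several tools into one asset view.

Added example with constructed data: the four inventories below are invented
stand-ins for exports from a directory, an EDR/AV console, a vulnerability
scanner and an endpoint-management tool. Nothing here is a real vendor API.
"""
from collections import defaultdict

DIRECTORY = [  # e.g. directory computer objects
    {"name": "LAPTOP-ALICE.corp.example", "last_logon": "2021-09-10"},
    {"name": "LAPTOP-BOB.corp.example", "last_logon": "2021-09-12"},
    {"name": "DESK-FINANCE01.corp.example", "last_logon": "2021-09-01"},
]
EDR_AGENTS = [  # EDR/AV console: hosts with an agent checking in
    {"hostname": "laptop-alice", "agent_version": "6.30"},
    {"hostname": "desk-finance01", "agent_version": "6.28"},
]
VULN_SCANS = [  # vulnerability scanner findings (placeholder ids, not real CVEs)
    {"host": "laptop-bob.corp.example", "id": "PLACEHOLDER-VULN-1", "severity": "critical"},
    {"host": "desk-finance01.corp.example", "id": "PLACEHOLDER-VULN-2", "severity": "medium"},
    {"host": "srv-legacy07", "id": "PLACEHOLDER-VULN-3", "severity": "high"},  # not in directory
]
ENDPOINT_MGMT = [  # endpoint-management / MDM: configuration state
    {"device": "LAPTOP-ALICE", "disk_encrypted": True, "patched": True},
    {"device": "LAPTOP-BOB", "disk_encrypted": False, "patched": False},
    {"device": "DESK-FINANCE01", "disk_encrypted": True, "patched": True},
]

CORPORATE_DNS_SUFFIXES = (".corp.example",)  # constructed; list your own domains


def canonical(name):
    """Normalise a hostname so the same device matches across tools:
    lower-case, strip the corporate DNS suffix, drop trailing dots."""
    name = name.strip().lower().rstrip(".")
    for suffix in CORPORATE_DNS_SUFFIXES:
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name


def build_inventory():
    """Merge every source into one record per device, remembering which
    tools know about it."""
    assets = defaultdict(lambda: {"sources": set(), "vulns": [], "edr": None, "config": None})
    for d in DIRECTORY:
        assets[canonical(d["name"])]["sources"].add("directory")
    for e in EDR_AGENTS:
        a = assets[canonical(e["hostname"])]
        a["sources"].add("edr")
        a["edr"] = e["agent_version"]
    for v in VULN_SCANS:
        a = assets[canonical(v["host"])]
        a["sources"].add("vuln_scanner")
        a["vulns"].append((v["id"], v["severity"]))
    for c in ENDPOINT_MGMT:
        a = assets[canonical(c["device"])]
        a["sources"].add("endpoint_mgmt")
        a["config"] = {"disk_encrypted": c["disk_encrypted"], "patched": c["patched"]}
    return dict(assets)


def coverage_gaps(assets):
    """The queries the text describes: missing EDR agent, config policy
    failures, unpatched critical/high findings, and devices no directory knows about."""
    gaps = defaultdict(list)
    for host, a in sorted(assets.items()):
        if a["edr"] is None:
            gaps["no_edr_agent"].append(host)
        if "directory" not in a["sources"]:
            gaps["not_in_directory"].append(host)
        if a["config"] is not None and not a["config"]["disk_encrypted"]:
            gaps["disk_not_encrypted"].append(host)
        if any(sev in ("critical", "high") for _, sev in a["vulns"]):
            gaps["critical_or_high_vulns"].append(host)
    return dict(gaps)


if __name__ == "__main__":
    inv = build_inventory()
    for gap, hosts in coverage_gaps(inv).items():
        print(f"{gap}: {', '.join(hosts)}")
```

The interesting output is `srv-legacy07`: the scanner has seen it, nothing else has, and it has no EDR agent, which is the "device you didn’t know you were responsible for" that the section is about.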
Asset Management might be pretty unfashionable as far as Technology is concerned, but with all of the Major Cybersecurity Frameworks citing it as a foundation component to build upon, we expect it to make a fashionable comeback, making audits and proof of coverage far easier and far less time-consuming for IT, InfoSec and GRC Teams.
And What Should We Expect Into 2022?
We’d like to think we’re ahead of the game here: most Blogs tend to make their predictions for the next Calendar Year in December or in January of the New Year. At Koncise HQ, we’re placing our bets in September.
As it’s budgeting season, here are the trends we’re hearing about and discussing with our Clients:
They’ve Got Too Many Security Tools – It’s Time For A Clear-Out
A report by IDC and ReliaQuest, researched in 2020 but published a few months ago, found the average number of Security Tools maintained by the companies (30%) surveyed was 19. That said, 24% of those surveyed had 21-30 tools and 21% had 31-50 tools.
We’ve got our thinking caps on and something is in the making (so watch this space). We’ve been looking at how few tools we think could be used to provide comprehensive coverage against the CIS v8 Framework (which also maps nicely to ISO27001, NIST and CMMC). With the exception of the Secure Software/Application Development module (we exclusively work with organisations on their Workforce IT Security), it’s definitely sub-10 tools, including a fully-managed MDR and Risk Management service.
If you’d like to know more, get in touch.
Identity and Access Management (IAM) will play a more prominent part in Cybersecurity than in the preceding years
This will be driven by organisations continuing to adopt a Zero-Trust model to ensure that as users and devices seek to access Apps, Data and Infrastructure from variable locations and times they can be sure they are who they purport to be.
A combination of user authentication and device validation will be used so that even if a user can authenticate, the device will also be scrutinised to ensure it meets organisational policy – preventing the likes of jailbroken personal mobile devices from being used to access corporate data and apps.
E-Mail, Web and Human Error will continue to lead the stats as the key vectors for Breaches and Incidents
There’ll be no let-up for organisations on doing the basics well, and E-Mail Security will evolve beyond just traditional Secure E-Mail Gateway (SEG) services and AI-driven supplement (CESS) services. Implementing DMARC controls to prevent unauthorised usage of E-Mail domains, as well as monitoring for lookalike domains being registered and used, will become a de facto part of the E-Mail Security Stack.
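"Implementing DMARC" is often taken to mean publishing any record at all, but a record at `p=none` only reports on spoofing and stops none of it, and a `pct` below 100 or a subdomain policy of `sp=none` leaves gaps that are easy to miss. The following added example (not from the post or from Mimecast) parses a DMARC TXT record per the tag=value syntax of RFC 7489 and reports the posture and the gaps a defender would fix. The four records are constructed strings standing in for what a resolver would return for `_dmarc.<domain>`; the DNS lookup itself is left out so the code runs offline.

```python
"""Assessing a DMARC record for gaps before relying on it.

Added example, not from the post or any vendor it names. The records below are
constructed strings standing in for the TXT record at _dmarc.<domain>; a real
check would fetch them with a DNS lookup, which is omitted so the code runs offline.
"""

# Constructed TXT records keyed by domain, as a resolver would return them.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@partial.example",
    "strong.example": ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                       "rua=mailto:agg@strong.example; ruf=mailto:forensic@strong.example"),
    "missing.example": None,
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive.
    Returns None if the record is absent or is not a DMARC record at all."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (posture, findings). posture is 'none', 'monitor-only', 'partial'
    or 'enforcing'; findings are plain-English gaps worth fixing."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none", ["no valid DMARC record published"]
    findings = []
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()        # subdomain policy defaults to p
    pct = int(tags.get("pct", "100"))     # share of failing mail the policy applies to
    if p == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    if sp == "none" and p != "none":
        findings.append("sp=none: subdomains are not enforced and can still be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail has the policy applied")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on who sends as you go nowhere")
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment in use; consider adkim=s/aspf=s once all "
                        "legitimate senders align")
    if p == "none":
        posture = "monitor-only"
    elif pct < 100 or sp == "none":
        posture = "partial"
    else:
        posture = "enforcing"
    return posture, findings


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        posture, findings = assess_dmarc(rec)
        print(f"{domain}: {posture}")
        for f in findings:
            print("   -", f)
```

Lookalike-domain monitoring is the complementary control: it covers domains that are not yours and therefore cannot be protected by your DMARC record, which is why the post lists the two together.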
Managed Detection and Response (MDR) will take the pressure off of stretched IT Teams
We should caveat this, as most of our clients are sub-2000 employees without in-house SOC Teams. Almost all of them are already stretched for resources and would benefit from strategic elements of their IT being managed externally. And they are all, without exception, seeking to improve their Cybersecurity posture and capabilities.
The economics of moving to a service like this (we work with CrowdStrike and their Falcon Complete offering, as well as Arctic Wolf) are compelling.
By the time most of the organisations we work with could hire, onboard and potentially train a SOC Team, they could have full MDR coverage and, if using Arctic Wolf, have their entire environment optimised and operationalised for significantly less cost (often 50% less). The economics even stack up for SMEs of 150 users and below.
Have we missed anything that you’re seeing? We’d love to know if you agree or disagree.
If you want to know more about the solutions we offer, or even if you just fancy debating whether Teams or Zoom is the King of the Conferencing Tools, then contact us today on firstname.lastname@example.org or call us on 020 7078 0789.