Incident Response

Why traditional incident response must change in the face of remote work

First of a three-part series based on the CyberRisk Alliance/Exterro eBook Incident Response for a Remote World.

Much about cyber security has changed since the pandemic forced many organizations to adopt remote and hybrid work models for their employees. That includes the way enterprises handle incident response (IR).

The new work environment drastically shifted the dynamics of network access, device usage and cyber security protocols, essentially overnight. And today, remote work has become part of the new hybrid work model that seems to be here to stay for many organizations.

Along with the changes come several challenges for security leaders and their teams. That includes remote workers using their own personal devices and their own networks, which might be considerably less secure than what their organizations require in terms of minimum protection.

Many employees are no longer working behind company firewalls on fully updated, company-owned devices, and the resulting loss of direct control was not an issue before the great shift to remote work. The move to mass work from home has extended the environments in which incidents occur to remote networks, which tend to be less secure and where IR teams have less visibility.

Traditional network monitoring tools provide less utility when most activity occurs off the corporate network rather than on trusted internal networks. Without enhanced endpoint visibility, IR teams lose sight of devices and what’s going on with them.

In many cases, security staffers themselves have shifted to working remotely, and this can make it harder for them to perform tasks. Collaboration among IR experts can be more difficult when people are working apart.

Enterprises must adapt their IR approach to fit these new work environments, or risk suffering costly security breaches. In the current hybrid environment, with many shifting from home offices to corporate offices and back again in the course of a week, end-user devices are just as likely to be operating off the main corporate network as on it.

This scenario introduces a lot of cyber security risks, and many companies are not able to mitigate them because traditional enterprise IR plans were developed for an environment in which incident responders performed their tasks on site.

While home-based or hybrid workers are not necessarily more reckless about security, they might sometimes let their guard down when using their own devices and networks for work. And they might be more inclined to download applications or click on links they might otherwise ignore or avoid.

In addition, with so many employees working from home and not in physical proximity to one another, they are less likely to notice or report suspicious behavior by others. In the corporate office, an employee could ask a colleague if something seemed a little strange about an e-mail message. That kind of ad hoc communication is less likely to occur in work-from-home situations, so IR teams have lost at least a portion of this valuable source of intelligence.

Finally, the targets of attacks are broader than in the past. While there might be a general perception that it’s mostly large global enterprises that suffer attacks such as ransomware, the fact is organizations of any size can be targets. And lately attacks such as ransomware have been aimed not just at the immediate targets, but supply chain partners as well. These types of attacks can put multiple systems throughout the supply chain out of commission for an indefinite period, wreaking havoc on markets.

Given all these factors, it’s clear that when it comes to the modern workplace, IR needs to change.

The next article in this series will address how to do that.
