Even as Pfizer and Moderna announce apparently effective COVID vaccines that could jumpstart the economy, organizations in the public and private sectors will continue to grapple with the security implications of remote or hybrid work environments.
Last March's hasty dispatch of employees to work remotely as the pandemic bore down challenged even the most nimble of security teams. But supporting a hybrid workforce – one that accommodates workers migrating back to the office and those working from home – will bring its own set of security challenges.
“With the real possibility of future disruption to businesses and changed economic conditions, organizations would be foolish not to transition to a more agile workforce who can be effective working in the office or remotely,” said Brendan O’Connor, CEO of AppOmni.
Rapid change, potential oversights
Realistically, the pandemic accelerated a trend that was already in motion. A Securing the Future of Hybrid Working report from Tessian found that 75 percent of IT decision makers believe that remote and hybrid scenarios are the future – with only 11 percent of employees saying they want to work exclusively from home and most saying they wanted to work remotely at least two days per week.
Cities from Los Angeles to New York to London and organizations around the world moved to support suddenly remote workers, with varying degrees of success. And most have spent the better part of the months since retrofitting those strategies with security that understandably got short shrift in the changeover, accelerating their digital transformation, and hastening migration to the cloud to fend off an uptick in threats and rapidly expanding attack surfaces.
They have reason to be concerned.
“It’s unimaginable that a technology shift that big, made that quickly, didn't create new avenues of exposure,” said O’Connor. “Lack of expertise in both cybersecurity and SaaS also contribute to this challenge.”
And attackers were poised and ready. Between March and July, approximately one-third of organizations said ransomware delivered by phishing increased over the five months prior. And more than half recorded a security incident, such as a breach. In the months that have followed, the threats have only accelerated as attackers show an appetite for exploiting anything COVID-related.
“Whenever things change, there are opportunities for bad actors to take advantage of the disruption and uncertainty,” said Tim Wade, technical director in the Office of the Chief Technology Officer at Vectra. The Tessian report found that 78 percent of IT decision makers feel the risk of insider threats is much greater when employees are working remotely.
Not surprisingly, those organizations whose move to cloud and a distributed environment was already well underway have fared better in the transition to a work from home (WFH) model. Deborah Blyth, chief information security officer for the State of Colorado, said the steady move to the cloud over the previous few years made the transition to remote working that much easier.
Similarly, because it was prepared, NYC Cyber Command was able to essentially “move from a centralized SOC to a managed, distributed environment," said Deputy CISO Quiessence Phillips.
That’s a trend that should – and will – continue as organizations move to support a hybrid posture. The pandemic “drastically accelerated” the shift already underway at many organizations, O’Connor noted. To create and support a more agile workforce, “many organizations have migrated their operations to the cloud to take advantage of the always-on, always-available SaaS applications,” he said.
Those SaaS applications are essential to remote work strategies and business continuity but present new challenges for security teams. “Many organizations were already struggling to accurately and securely configure their SaaS environments,” said O’Connor.
A more permanent shift to a hybrid model gives enterprises the opportunity to do cloud migration right. Rather than have security try to catch up to business operations, as O'Connor said can often be the case, they must and can include security as a core part of the migration plan.
“The maturity of SaaS applications and modern cybersecurity solutions make this very possible,” he continued, noting that organizations have many options – from the traditional cloud access security broker to modern cloud security posture management solutions.
“The important part is not to overlook the security component of the migration but rather make it a necessary first step."
The risk of office returns
Just as businesses must take steps to prevent employees from bringing the coronavirus to work, security teams must work diligently to prevent them from bringing security issues back to the office with them.
“The security risks that many organizations should be concerned about when employees start returning back to the office is what malicious malware will be hiding inside their laptops, waiting to laterally move onto the corporate network, providing attackers remote access or ransomware waiting to strike when more devices get infected,” said Joseph Carson, chief security scientist and advisory CISO at Thycotic, who suggested scanning those devices for malware before reconnecting them to the corporate network.
Carson cautioned that the risks could be serious since “attackers will likely be using employees’ devices as mules” to access corporate networks. “These risks differ significantly. When accessing networks through a VPN, most traffic is monitored and secured, while when connecting directly to the corporate network they tend to have access to all devices,” he explained. “It is important to segment devices until they are thoroughly scanned and clean before allowing them full network access.”
Companies should map out a path from where the networks are now, to where they're going “to ensure an accelerated recovery when things do return to ‘normal,’” said Mike Spanbauer, security evangelist at Juniper Networks. In a transition period with new architectural deployments, “vendors must be protected every step of the way,” he said. “New solutions exist that converge networking and security as one, enabling a more agile and rapid response both in prevention and in mitigation phases of an attack.”
Rethinking how to limit access is critical, too, particularly for organizations that have had more open access to sensitive data and systems within the traditional office or data center. “This means ultimately putting tools that were once applied to narrow sensitive fields like payment data to a broader array of data – customer and personal data being the top of the list that’s also under new scrutiny from privacy regulation,” maintained Mark Bower, senior vice president at comforte AG. That's a strategy that he contends “avoids propagation and access to live data where it isn’t needed while also enabling the move to less directly controlled environments, including cloud platforms – a double win.”
Rick Holland, CISO and vice president of strategy at Digital Shadows, recommended security teams conduct “after-action reviews” of the months employees were home “to capture lessons learned and to identify any gaps in their security controls.”
During the pandemic, many organizations have learned a hard lesson in “how weak their security controls for managing remote assets and attack surface monitoring were,” he said. Because they might not have instituted comprehensive patching of laptops and mobile devices, “defenders will need to provide some tender loving care to any devices that aren’t up to security standards.” Take advantage of the windows between waves of COVID infections, he added, to ensure proper deployment of endpoint detection, to assess VPNs, and to upgrade multi-factor authentication and single sign-on solutions.
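As an added example (not from the article or from any vendor quoted in it), the gate Carson and Holland describe, holding returning devices in a quarantine segment until they show a recent clean malware scan, a running EDR agent and current patches, can be written as a small posture check; the device records, field names and thresholds below are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Thresholds are assumptions for illustration, not figures from the article.
MAX_SCAN_AGE_DAYS = 1    # a clean malware scan must be at most this old
MAX_PATCH_AGE_DAYS = 30  # security patches must have been applied within this window


@dataclass
class DevicePosture:
    """Posture facts about a laptop arriving back on the office network (constructed schema)."""
    hostname: str
    edr_installed: bool              # endpoint detection agent present and reporting
    last_clean_scan: Optional[date]  # date of the most recent malware scan that came back clean
    patch_age_days: int              # days since the last OS/security patch was applied


def network_tier(device: DevicePosture, today: date) -> Tuple[str, List[str]]:
    """Return ("full", []) for a device allowed onto the corporate LAN, otherwise
    ("quarantine", reasons): a segment that reaches only scan, patch and EDR servers."""
    reasons: List[str] = []
    if not device.edr_installed:
        reasons.append("no EDR agent")
    if device.last_clean_scan is None or (today - device.last_clean_scan).days > MAX_SCAN_AGE_DAYS:
        reasons.append("no recent clean malware scan")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"patches {device.patch_age_days} days old")
    # Fail closed: any unmet condition keeps the device segmented until it is remediated.
    return ("full", reasons) if not reasons else ("quarantine", reasons)


def triage(devices: List[DevicePosture], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Apply the gate to a batch of returning devices, keyed by hostname."""
    return {d.hostname: network_tier(d, today) for d in devices}


# Constructed sample inventory: three laptops returning after months of remote work.
SAMPLE_DAY = date(2020, 11, 20)
SAMPLE_DEVICES = [
    DevicePosture("lt-001", True, date(2020, 11, 20), 5),    # clean, patched, EDR present
    DevicePosture("lt-002", True, None, 3),                  # never scanned since going remote
    DevicePosture("lt-003", False, date(2020, 11, 19), 90),  # no EDR, three months behind on patches
]

if __name__ == "__main__":
    for host, (tier, why) in triage(SAMPLE_DEVICES, SAMPLE_DAY).items():
        print(f"{host}: {tier}" + (f" ({'; '.join(why)})" if why else ""))
```

In practice the same decision would be fed by the EDR and patch-management inventories and enforced by the switch or NAC that assigns the device its VLAN.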
New York Cyber Command officials recounted how they had to expand visibility in excess of sevenfold to accommodate the whole of the city’s endpoint stack.
“You can’t defend what you can’t see,” said Colin Ahern, the deputy CISO for the City of New York, who oversees security sciences for NYC Cyber Command. The number of devices that needed securing increased by volume and type “by orders of magnitude."