As threat actors adapt with typical speed to take advantage of our new hybrid working era, security teams must tackle the creeping threat of the new shadow IT.
Some of our recent research has found that unsanctioned and unmanaged home working devices represent a critical emerging risk—placing unprecedented operational pressure on security and IT teams. This new future of work requires a new security architecture: one rooted in zero-trust principles and designed from the hardware up.
The shadow lengthens
In the scramble for business continuity during the height of the pandemic, security processes and policies were bypassed in many organizations. This was understandable at the time, but it has led to an astonishing expansion of shadow IT, the term for hardware and software deployed by non-IT departments outside the purview of IT. The new research shows that nearly half of global office workers bought a PC, laptop or printer during lockdown. Unfortunately, 68% of them say security wasn’t a major consideration in their purchase, with functionality and cost rated more important. Some 43% say their laptop wasn’t even checked or installed by IT.
This creates a situation where many remote and hybrid workers are using unsanctioned and potentially unsecured devices. To make matters worse, they’re also increasingly likely to engage in risky behavior away from the office. One-fifth claim to have clicked on malicious links since work from home (WFH) began. In fact, three-quarters of IT leaders say they’ve seen an increase in this activity. Yet very few (30%) workers report these errant clicks to IT, either because they’re afraid to, they don’t think it’s important, or feel it’s a hassle. If initial access isn’t detected by the organization and threat actors are allowed to dwell inside corporate networks, we could see a great deal of pain waiting down the road.
IT at a breaking point
Given the perfect storm of expanding shadow IT, risky WFH behavior, and mounting external threats, it’s not surprising that IT feels the heat. This was true before the pandemic, but it’s even more pronounced today. Some 79% of IT teams say their device rebuild rate has increased—a sure sign of escalating compromise. With devices now out of the office, rebuilding a compromised machine now takes an average of around four hours of IT’s time, time that could otherwise be spent on higher-value work.
Security Operations Centers (SOCs) are also being flooded with thousands of alerts. A significant share, running to hundreds each week, relate to the endpoint, yet nearly two-thirds of these are classed as false positives. That’s more wasted time for stretched IT security professionals.
Recovering operating systems, patching endpoints, and onboarding new employees with secure devices also takes more time and effort. This has a major impact, not only on the bottom line, but also the ability of organizations to protect themselves. Respondents calculate the cost of IT support to have risen by 52% during the pandemic. All this combined means that more than three-quarters of IT teams are concerned colleagues will quit due to burnout.
On the front line
Most of these trends aren’t necessarily new. But they’ve certainly been exacerbated by the shift to hybrid and remote work. Corporate security must adapt to this new reality.
Start by deploying better endpoint security that equips IT and security teams with greater visibility and management tools. IT teams should offer users devices with security built into the hardware to reduce the burden on support teams. For example, devices with remote recovery capabilities and self-healing firmware can help endpoints recover in case of compromise. Such devices can transform the security side of IT support and keep teams focused on delivering value to the business.
But this shift to hybrid also requires a new architectural approach to protect against known and unknown threats while reducing the burden on cybersecurity teams and end users on the front line.
Principles such as zero-trust can help here—the idea that organizations should assume breach and continually verify/authenticate access to and between resources based on context. Crucially, this shouldn’t just apply at an individual device level, but also to the discrete components of the endpoint including firmware, OS, applications, and users. By applying principles such as strong identity management, least privilege, and isolation at this level, organizations reduce their attack surface and enable quick recovery in the event of compromise.
Security teams use this isolation to nullify attacks against common threat vectors. By executing risky tasks—such as clicking on links or opening attachments—in a disposable virtual machine, organizations can render any potential malware or exploits harmless. This has several benefits. First, it mitigates risk by effectively trapping the attacker inside a VM, preventing them from exfiltrating data, moving laterally, or persisting. Second, it’s better for users, who get a more seamless experience and fewer security roadblocks to their productivity. Third, it gives IT teams more time to patch at their own speed, safe in the knowledge that emerging exploits delivered through common threat vectors will be rendered harmless. Finally, by executing any malware inside isolated containers, organizations gain intelligence that enhances threat hunting efforts.
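The two preceding paragraphs describe a zero-trust, isolation-first posture in general terms. The following is an added illustration, not code from HP or from the article, of how such a policy can be expressed as a default-deny decision function: every request carries the user's identity and roles, the requesting device's posture (whether IT manages it, whether its firmware was verified at boot, whether it is patched and encrypted), and the resource and action involved. Risky actions such as opening a link or attachment are routed to a disposable VM regardless of who asks; everything else is granted only when the role, the device's management status, and a posture-based trust threshold all pass. The resource catalogue, trust scores and thresholds are constructed sample values, not a real product's policy.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ISOLATE = "isolate"  # run the task in a disposable VM, then discard it


@dataclass(frozen=True)
class DevicePosture:
    managed_by_it: bool       # enrolled and visible to IT (not shadow IT)
    firmware_verified: bool   # boot-time firmware integrity check passed
    os_patched: bool          # OS at the current approved patch level
    disk_encrypted: bool      # full-disk encryption enabled


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    device: DevicePosture
    resource: str
    action: str               # e.g. "read", "write", "open_link", "open_attachment"


# Constructed sample catalogue: required roles and the minimum device trust
# score (0..4, one point per verified posture attribute) per resource.
RESOURCE_POLICY = {
    "wiki": {"required_roles": frozenset(), "min_trust": 1},
    "source-repo": {"required_roles": frozenset({"engineer"}), "min_trust": 3},
    "hr-records": {"required_roles": frozenset({"hr"}), "min_trust": 4},
}

# Actions that touch untrusted external content are always isolated.
RISKY_ACTIONS = frozenset({"open_link", "open_attachment"})


def device_trust_score(posture: DevicePosture) -> int:
    """Count the posture attributes the device can demonstrate (0..4)."""
    return sum([
        posture.managed_by_it,
        posture.firmware_verified,
        posture.os_patched,
        posture.disk_encrypted,
    ])


def evaluate(req: AccessRequest) -> tuple[Decision, str]:
    """Return the decision and a human-readable reason; deny by default."""
    # Isolation comes first: untrusted content never runs on the host OS,
    # whatever the user's role or the device's posture.
    if req.action in RISKY_ACTIONS:
        return Decision.ISOLATE, f"{req.action} runs in a disposable VM"

    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision.DENY, "unknown resource (default deny)"

    # Least privilege: the user must hold a role the resource requires.
    if policy["required_roles"] and not (policy["required_roles"] & req.roles):
        return Decision.DENY, "role not authorized for resource"

    # Unmanaged (shadow IT) devices are refused outright: IT cannot see,
    # patch or recover them, so their posture cannot be trusted.
    if not req.device.managed_by_it:
        return Decision.DENY, "device is not managed by IT"

    score = device_trust_score(req.device)
    if score < policy["min_trust"]:
        return Decision.DENY, f"device trust {score} below required {policy['min_trust']}"

    return Decision.ALLOW, f"role and device posture verified (trust {score})"


if __name__ == "__main__":
    home_laptop = DevicePosture(False, False, True, False)  # bought during lockdown
    corp_laptop = DevicePosture(True, True, True, True)
    for req in (
        AccessRequest("alice", frozenset({"hr"}), home_laptop, "hr-records", "read"),
        AccessRequest("alice", frozenset({"hr"}), corp_laptop, "hr-records", "read"),
        AccessRequest("bob", frozenset({"engineer"}), home_laptop, "wiki", "open_link"),
    ):
        print(req.user, req.resource, req.action, "->", *evaluate(req))
```

Each denial carries its reason so the SOC can distinguish a shadow-IT device from a mis-assigned role when triaging alerts, and the isolate branch runs before any trust check so a risky click from a fully trusted device is still contained.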
We’re entering an exciting new period of workplace transformation. But big changes often lead to the emergence of new security gaps. This will require secure-by-design features that contain and neuter cyberthreats and also let systems recover quickly and automatically when compromised. Organizations that master endpoint security first will gain an early lead in the hybrid work era.
Ian Pratt, global head of security, personal systems, HP Inc.