In 2022, security practitioners struggled to address the growing attack surface created by their rapid push to remote work and cloud-based operations during the previous two years. Cyber criminals exploited new vulnerabilities – including those introduced by the growing use of third-party software – to launch ransomware and other attacks.
But with tools like zero trust, XDR and more automated threat intelligence tech to bolster vulnerability management, cloud, email and endpoint security, organizations fought back – and established plans to invest more to secure networks and data in the next two years.
The following is the fourth of a seven-part series about where security practitioners struggled and, in many cases, made headway throughout 2022. Here, we focus on their endpoint security challenges.
Endpoints out of control
The widespread shift to work-at-home environments and the proliferation of non-traditional endpoints had a significant impact on the number of enterprise-related security breaches since 2020.
In 2022 specifically, a multitude of risks emerged to test endpoint security. The explosion of mobile devices continued. Consumers and businesses alike increased their use of the so-called Internet of Things (IoT). And operational technology (OT) that historically was siloed off from the internet saw far more integration with enterprise networks, even among critical infrastructure sectors. The healthcare sector emerged as particularly vulnerable, spurring an FBI alert in September 2022 that cited unpatched medical devices operating on outdated software and lacking adequate security features.
The end result: organizations struggled to obtain a holistic view of all the devices and their vulnerabilities, or how to mitigate and fix them to manage risk and ensure compliance.
To illustrate the endpoint challenges vexing security teams, an Ernst & Young Consulting study — the results of which were released in an October report — showed that Millennial and Gen Z employees are even more relaxed when it comes to cybersecurity on their work devices than their personal devices. Meanwhile, the risks posed by non-traditional devices were evident in headlines throughout 2022.
According to a September 2022 CyberRisk Alliance Business Intelligence Survey of 204 security and IT leaders and executives, security administrators, and compliance professionals based in the United States, the impact that mobile and other non-traditional endpoints have on security is significant: 43% indicated they are very or extremely concerned about device security in the next 12 months. The fear of ransomware and the damage it could inflict in their environments remained a top concern, as reported by about two-thirds of respondents, as did the expanding attack surface and data leakage. Survey respondents cited many challenges to device security, including limited budgets and resources, outdated device policies and compliance, and lack of upper-level management support for device management strategies and purchases.
According to one respondent, “the most significant hurdles our organization faces in this environment are dealing with the multitude of new mobile devices and OSes being introduced at a faster pace. It makes securing them as endpoints a challenge since the accompanying security solutions tend to lag the introduction of these devices and OSes. This trend will likely only increase in the future, with ever more complex devices being developed.”
Push for endpoint security improvements
As the number of endpoints continued to expand, the CRA survey respondents did their best to keep up. In addition to monitoring traditional devices like PCs and servers, a large majority (84%) reported they also monitor mobile devices on their network, with respondents reporting that their security solutions cover large volumes of both traditional and non-traditional endpoints and devices. Nearly two-thirds (63%) of respondents said they are managing more than 1,000 traditional and non-traditional devices.
As vexing a challenge as endpoint security was in 2022, respondents did state that their device security strategies are advancing along with the vulnerabilities and security concerns exacerbated by the remote workforce. Many organizations are evolving their endpoint security strategies to confront their fear of ransomware (61%), build business resiliency (58%) and comply with regulatory requirements (55%).
Many organizations predicted they would increase their budgets to provide better protection. While almost one in four respondents said their device security budgets will remain unchanged in the next 12 months, another 70% indicated they will likely increase their device security budgets at some level. Zero trust and automated remediation were at the top of those spending plans.
As the research suggests, the areas where organizations need the most improvement are anti-malware, endpoint detection and response, patch management, and vulnerability management. Ransomware, business resiliency concerns, and regulatory compliance mandates will continue to drive spending and strategy to improve device security as organizations prepare for 2023 and beyond.