
Endpoint security: How to protect end users from themselves

There’s a lot that can go wrong when trying to get endpoint security right. 

Misconfigured devices, lack of proper encryption, fragmented visibility of endpoints and poorly enforced IAM policies are just some of the hazards security pros are likely to encounter. The last few years haven’t made it any easier, either. In the post-pandemic landscape, many organizations have seen their digital footprints extend far beyond their corporate headquarters and office firewalls as more endpoints came online in employee homes, public meeting spaces and on the go. 

This may give workers flexibility to work how they want, when they want, but it also increases the likelihood of employees misusing endpoints, exposing their organizations to new threats. 

According to a survey conducted by CyberRisk Alliance in August 2023, 50% of IT security respondents point to user negligence, carelessness or oversight as the top challenge standing in the way of effective endpoint security. The other top obstacles were also tied to how users interact with endpoints: BYOD devices (26%), insider threats (22%) and shadow IT (20%). 

It’s clear that security pros see the human element, with its mess of motivations and shortcut-seeking behaviors, as a major reason for why endpoints so often let the wrong people inside. 

Fortunately, there are multiple ways for companies to address the issue, creating better protections for their end users. Here are a few of the top recommendations. 

User awareness training

We know this might be obvious, but it’s imperative organizations train their employees to recognize the classic signs of phishing and malware attacks. Training should be mandatory and conducted on a routine basis (quarterly, annually) so that employees are up-to-speed on the latest techniques used by adversaries. With ChatGPT and other large language models (LLMs) now capable of generating convincing emails, it’s only going to become more difficult for employees to tell when they’re looking at a genuine request from inside the organization versus an AI-created email with malicious intent. Does that mean training is now irrelevant? Not at all, according to Chester Wisniewski, Field CTO of Applied Research at Sophos:

“We need to do a hard reset on our expectations. We need to teach users to be suspicious and to verify communications that involve access to information or have monetary elements. Ask questions, ask for help, and take the extra few moments necessary to confirm things are truly as they seem. We’re not being paranoid; they really are after us.”

Expand your endpoint security toolkit

IT respondents from CRA’s survey prioritize securing what they see as a defining feature common to most endpoints: email access and communication. At least 3 in 4 respondents use a secure email gateway to monitor and manage all email sent and received by devices connected to their corporate network, which should reduce the likelihood of compromise through malware and phishing. However, organizations shouldn’t stop there. A number of endpoint security tactics have not been adopted nearly as widely, such as insider threat protection (32%), sandboxing (27%) and browser isolation (16%). 

Organizations should consider endpoint security investments that provide continuous monitoring of their endpoints. Anything short of 24/7 monitoring is nearly guaranteed to give attackers an open window, as Sophos found when examining incident response data from the last 12 months. According to their research, 81% of ransomware payloads are deployed outside of traditional business hours, and of the attacks that occur during local business hours, only five percent happen on a weekday.

Zero trust network access

Zero trust network access (ZTNA), to borrow Gartner’s definition, is a “product or service that creates an identity- and context-based, logical access boundary around an application”. The basic idea is that trust is never freely granted, but rather earned by verifying the user and the endpoint attempting access, which is key to minimizing unchecked lateral movement through a network. Applications shouldn't trust you because you're physically in the office, but because they can verify who you are with some degree of certainty, and they can verify that the device you're using meets requirements. For those that haven't taken the path to zero trust, now might be the time to reconsider. “If organizations are still in that phase of making infrastructure changes as a result of remote work, it's not too late to pivot toward modernizing rather than doing more of what you've been doing,” says Wisniewski.
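To make the "verify the user and the device, not the network location" idea concrete, here is a minimal access decision of the kind a ZTNA broker makes. This is an added example written for this article; it is not code from Gartner, Sophos or any vendor product, and the policy fields, posture checks and sample users and devices are constructed for illustration.

```python
"""Added example (not from the article or any vendor): a minimal zero trust
access decision. A request reaches the application only when the user's
identity has been verified (including MFA), the user is entitled to the app,
and the device meets posture requirements. Whether the request came from the
office network is deliberately never consulted.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class UserIdentity:
    username: str
    groups: FrozenSet[str]
    mfa_verified: bool          # set by the identity provider after a fresh MFA challenge


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool               # enrolled in device management
    disk_encrypted: bool
    edr_running: bool           # endpoint protection agent alive and reporting
    patch_age_days: int         # days since the last OS update was applied


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: FrozenSet[str]
    require_mfa: bool = True
    max_patch_age_days: int = 30


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def posture_failures(device: DevicePosture, policy: AppPolicy) -> List[str]:
    """Return every posture requirement the device fails (empty list = compliant)."""
    failures: List[str] = []
    if not device.managed:
        failures.append("device is not enrolled in management")
    if not device.disk_encrypted:
        failures.append("disk is not encrypted")
    if not device.edr_running:
        failures.append("endpoint protection agent is not running")
    if device.patch_age_days > policy.max_patch_age_days:
        failures.append(f"OS patches are {device.patch_age_days} days old "
                        f"(limit {policy.max_patch_age_days})")
    return failures


def evaluate_access(user: UserIdentity, device: DevicePosture, policy: AppPolicy,
                    on_corporate_network: bool) -> Decision:
    """Decide whether this user on this device may reach the application.

    `on_corporate_network` is accepted only to make the point visible: it is
    never read. All failed checks are collected, not just the first, so the
    denial can be logged and explained to the user.
    """
    reasons: List[str] = []
    if policy.require_mfa and not user.mfa_verified:
        reasons.append("multifactor authentication not completed")
    if not (user.groups & policy.allowed_groups):
        reasons.append(f"user is not in a group allowed to use {policy.app}")
    reasons.extend(posture_failures(device, policy))
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample data (hypothetical app, users and devices).
PAYROLL = AppPolicy("payroll", frozenset({"finance"}))
ALICE = UserIdentity("alice", frozenset({"finance"}), mfa_verified=True)
ALICE_NO_MFA = UserIdentity("alice", frozenset({"finance"}), mfa_verified=False)
CORP_LAPTOP = DevicePosture("lt-0042", managed=True, disk_encrypted=True,
                            edr_running=True, patch_age_days=7)
HOME_PC = DevicePosture("unknown", managed=False, disk_encrypted=False,
                        edr_running=False, patch_age_days=120)

if __name__ == "__main__":
    for label, user, dev, office in [
        ("managed laptop from home", ALICE, CORP_LAPTOP, False),
        ("personal PC inside the office", ALICE, HOME_PC, True),
        ("managed laptop in the office, no MFA", ALICE_NO_MFA, CORP_LAPTOP, True),
    ]:
        d = evaluate_access(user, dev, PAYROLL, office)
        print(f"{label}: {'ALLOW' if d.allowed else 'DENY'} {d.reasons}")
```

Run stand-alone, the three cases show the inversion the article describes: the compliant laptop is allowed from home, while an unmanaged PC sitting on the office LAN is denied with every failed posture check listed, and a compliant device is still denied when the user skipped MFA.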

Multifactor authentication

Multifactor authentication (MFA) requires users to submit more than one form of identity to obtain access, which can be any combination of something you know (like a password or PIN code), something you have (such as a hardware token), or something you are (biometric data such as a fingerprint or voice recognition). According to Sophos, MFA still hasn’t caught on with a substantial portion of businesses — and the consequences are clear. Compromised credentials are the most common root cause of endpoint-based attacks (50%) according to Sophos' 2023 Active Adversary report — with external remote services taking the top spot among initial access techniques used. In 70% of cases, abuse of valid accounts allows attackers to access external remote services. 

What’s most concerning is that MFA policies were not being applied in 39% of the cases Sophos examined in 2023. Leaving that barrier down makes it much easier for threat actors to breach an organization's first (and often only) line of defense. The fact that recent social engineering attacks try to persuade users to disable their Yubikeys tells us that MFA, properly configured and enforced, is a real headache for bad actors.

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C. 
