How to secure remote digital workspaces during and after the pandemic
When the pandemic hit, companies scrambled to get remote workers up and running. Security, while not ignored, didn't get the consideration it deserved. We are past that now.
"This pandemic has been a wake-up call to double down on your employees' ability to do their job on any device from anywhere at any time of day," says Tim Ferrell, master cybersecurity architect at Hewlett Packard Enterprise. "You now have these unmanaged, unsecured, and untrusted devices, and they're all attempting to connect into what is a normally very secure corporate or, in some cases, government agency network. You can see it just dramatically increases the amount of risk in the environment."
Attacks from the inside with phishing
The Ponemon Institute 2020 Global Study on Closing the IT Security Gap found that 65 percent of more than 4,000 respondents lack confidence that they can detect an inside attack before it occurs. And 61 percent believe attacks inside the network will do the greatest damage.
"You have the technical approach—firewalls, antivirus, and encryption—and we've been using these technologies for over 20 years now," says Larry Spitzner, director of security awareness at SANS Institute. "And we're getting pretty good at using those technologies. But the problem is that we've done very little for the human operating system.
"Bad guys have learned that really the easiest way to now hack any type of company isn't to target the technology but to target the employees because they have not been trained," Spitzner says. "That usually involves sending emails, phone calls, or some other way to try to trick or fool employees into doing something they should not do."
The methods of attack are familiar. "Phishing is the primary delivery vehicle for some of the most devastating ransomware out there," Ferrell says. "The bad actors are growing more sophisticated and more socially aware of what's going to get a person to open an email. For example, as we reach a point where there could be a vaccine generally available for COVID-19, you're going to see an onslaught of emails from phishers saying click here to get your vaccine free and click here to apply for your vaccine."
"The human has become the primary attack vector of cyberattackers today," Spitzner says. "They're no longer hacking technology. They're hacking people."
The most common phishing scenarios involve the attacker tricking the victims out of their usernames and passwords. The attacker then uses the credentials to log in, grab valuable data, and perform other operations using the victim's authorized account.
The best defense against this scenario is to use multifactor authentication, which usually means two-factor authentication. In addition to knowing the username and password, the user must possess a physical device the connected service uses to authenticate the user. Typically, this is an authentication app on the user's smartphone.
Rigid adherence to two-factor authentication blocks a large percentage of real-world attacks. Two-factor authentication is also generally available as an option on personal services, like email and social media accounts.
Zero trust is about continuously authenticating and authorizing every element of an attempted access, regardless of whether the user or device is inside the building or elsewhere.
"Zero trust means we make no assumptions about how safe or trusted a user or device is based on the fact that they may be connected to a corporate network," Ferrell says. "Everything is checked with no assumptions. Everything we can determine about that access is validated. And if we're not happy with it, we either reject the access or we quarantine you and put you out on this special network for things we don't trust. And you have very limited capability to what you can do until you remediate or solve the problems."
"A zero trust model is not something somebody does overnight," says Jeff Enters, chief technologist and strategist at HPE. "It's something that you have to take a step-wise approach towards. It's about helping people establish systems that can handle variability, keep them secure, and keep them productive without driving exorbitant costs."
Enters advises companies to reduce complexity and "keep it simple" when thinking about zero trust. "I think it's very easy to layer on complexity as we layer on security at the same time, especially as we're trying to adapt and shift," Enters says. "And in doing that, we can create complexity very quickly, which just introduces risk."
Ferrell adds, "There is no silver bullet. It does not exist. You have to do many things and do them all well. Collectively, they all support each other so you don't have a single point of failure in your security chain."
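The access check Ferrell describes above (validate everything, then allow, quarantine, or reject, with no credit for being on the corporate network) can be sketched as a small policy function. This is an added example, not code from HPE or the article; the field names, the 30-day patch threshold, and the mapping of identity failures to reject and device-posture failures to quarantine are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold, not from the article


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool
    mfa_ok: bool                # second factor verified for this request
    device_managed: bool
    disk_encrypted: bool
    patch_age_days: int
    on_corporate_network: bool  # recorded, but never used to grant trust


def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is allow, quarantine or reject."""
    # Identity is checked on every request; a failure here is a hard reject.
    if not req.password_ok:
        return "reject", ["primary credential check failed"]
    if not req.mfa_ok:
        return "reject", ["second factor missing or invalid"]
    # Device posture problems are fixable, so they lead to quarantine
    # together with the list of items the user has to remediate.
    problems = []
    if not req.device_managed:
        problems.append("device is not enrolled in management")
    if not req.disk_encrypted:
        problems.append("disk encryption is off")
    if req.patch_age_days > MAX_PATCH_AGE_DAYS:
        problems.append(f"last patched {req.patch_age_days} days ago")
    return ("quarantine", problems) if problems else ("allow", [])


def location_independent(req: AccessRequest) -> bool:
    """True if moving the request on or off the corporate network changes nothing."""
    flipped = replace(req, on_corporate_network=not req.on_corporate_network)
    return decide(req) == decide(flipped)


# Constructed sample requests (not real data).
SAMPLES = {
    "phished_password_inside": AccessRequest("alice", True, False, True, True, 3, True),
    "healthy_laptop_at_home": AccessRequest("bob", True, True, True, True, 10, False),
    "stale_byod_in_office": AccessRequest("carol", True, True, False, True, 90, True),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, *decide(req), location_independent(req))
```

The first sample is the phishing scenario from earlier in the article: a stolen password presented from inside the network is still rejected because the second factor is missing.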
Increasing security awareness through training
Planning for a remote workforce or a hybrid in-office/remote model for after the pandemic will require not only the right security technologies (e.g., a virtual private network, antivirus, and two-factor authentication), but also continuous security awareness training and testing.
"We have to start thinking about humans from a security perspective. And that starts with training," Spitzner says. "Let's move this from a compliance play to a managing human risk play. That's when you start focusing on behavior change. And that's where you go beyond just once-a-year death by PowerPoint [and instead provide] continuous training and reinforcement throughout the year."
He adds, "By focusing on key behaviors, you end up making security simpler for people and the more likely people will exhibit those secure behaviors in years to come."
Lessons for leaders
- Now is the time to double down on investments in cybersecurity technologies and training.
- Adopt a zero-trust model with multifactor authentication for security, but remember to start simple and scale complexity as you go.
- Ensure the cybersecurity training you give to your workforce is relevant, continuous, and long term.