In March 2020, the U.K. Government made an unprecedented announcement that everyone who could, should stay at home. Almost overnight, organisations were forced to mobilise systems in response to a work-from-home mandate. Many of the remote work and cloud tools were pressed into service without security controls; in some cases, the tools themselves were nascent and their security controls immature.
Today, while most of the UK has reopened, a study [1] by Forrester Consulting on behalf of Tenable found that 70% of U.K. organisations still have employees working remotely, compared to 30% prior to the pandemic. Looking to the future, 86% plan to permanently adopt a hybrid environment, with employees working part time in the office and the remainder from home. This flexibility benefits employees and the organisations they work for, but embracing this new world of work has opened up unprecedented and unmanaged cyber risk.
The risks introduced by this new world of work are not just theoretical, as the same study revealed. In fact, 90% of U.K. organisations experienced a business-impacting cyberattack [2] in the last 12 months, with 51% falling victim to three or more. Looking at what these attacks targeted, 72% resulted from vulnerabilities in systems and/or applications put in place in response to the pandemic, and 68% targeted remote workers or those working from home. The impact on organisations is far from trivial: 36% said they had suffered a ransomware attack, while 33% reported that the attacks resulted in a data breach.
The challenge is that legacy security approaches weren’t designed to handle an attack surface of this scope and complexity. So how do organisations secure the new world of work?
The move to a hybrid work model required three significant shifts, all of which served to atomise the attack surface:
- Dissolving traditional workplace perimeters and providing technology that enables employees to work from anywhere
- Moving business-critical functions to the cloud
- Rapidly expanding the software supply chain with new tools for collaboration, communication and productivity
Organisations need the ability to see into the entirety of the attack surface — on-premises and in the cloud. In tandem, they need to determine where vulnerabilities exist and what the impact would be if they were exploited. This is critical because the vast majority of data breaches today are not sophisticated to the trained eye. In fact, most are avoidable incidents that result either from known but unpatched vulnerabilities or from someone visiting a malicious website that serves malware. Identifying and patching the common vulnerabilities favoured by criminals, and blocking known malicious sites and IP addresses at the network boundary, will help protect data and systems.
Another key focus is Active Directory; the dissolution of traditional perimeters makes the configuration and management of user privileges and access more critical than ever before. Attackers need to compromise only one machine on a network to gain access to Active Directory, and from there they can run rampant. They can leapfrog between accounts until they get administrative control and then pose as legitimate IT users: authenticate using valid credentials, create new accounts, change user access controls, escalate permissions and move from on-premises to Azure Active Directory in the cloud — all without being detected, because they appear to be legitimate, trusted users.
The final element of addressing cybersecurity without borders is to adopt a model in which nothing – no device, person, or action – is inherently trusted. In this model, commonly referred to as ‘zero trust’, security is woven throughout the network, with users, endpoints, applications, and files on the network and in the cloud monitored and authenticated at every access point.
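An added example of the detection side of the chain just described, not code from the article or from Tenable's products: it correlates Windows Security events so that a new account being granted a privileged group by the same actor shortly after its creation is escalated above a routine privileged-group change. Event IDs 4720, 4728 and 4756 are the standard Windows IDs; the event records, account names and the 30-minute window are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields mirror what a SIEM normalises
# from the Windows Security log: 4720 = user account created, 4728 = member added
# to a security-enabled global group, 4756 = same for a universal group.
# "actor" is the account that made the change, "target" the account affected.
EVENTS = [
    {"time": "2021-11-02T01:13:40", "id": 4720, "actor": "svc-backup", "host": "DC01",
     "target": "it-support2", "group": ""},
    {"time": "2021-11-02T01:15:02", "id": 4728, "actor": "svc-backup", "host": "DC01",
     "target": "it-support2", "group": "Domain Admins"},
    {"time": "2021-11-02T09:30:00", "id": 4720, "actor": "hr-admin", "host": "DC01",
     "target": "new-starter", "group": ""},
    {"time": "2021-11-02T09:31:10", "id": 4728, "actor": "hr-admin", "host": "DC01",
     "target": "new-starter", "group": "HR Staff"},
    {"time": "2021-11-02T14:00:00", "id": 4728, "actor": "da-jsmith", "host": "DC01",
     "target": "da-newhire", "group": "Domain Admins"},
]

# Built-in groups whose membership confers domain-wide administrative control.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

def detect_privilege_grants(events, window=timedelta(minutes=30)):
    """Return (severity, actor, target, group) alerts.
    HIGH: any addition to a privileged group (always worth a human look).
    CRITICAL: the added account was created by the same actor within `window`,
    i.e. the create-account-then-escalate pattern described in the text."""
    alerts, created = [], {}                       # created: (actor, target) -> time
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["actor"], ev["target"])
        if ev["id"] == 4720:
            created[key] = t
        elif ev["id"] in (4728, 4756) and ev["group"] in PRIVILEGED_GROUPS:
            if key in created and t - created[key] <= window:
                alerts.append(("CRITICAL", ev["actor"], ev["target"], ev["group"]))
            else:
                alerts.append(("HIGH", ev["actor"], ev["target"], ev["group"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_privilege_grants(EVENTS):
        print(*alert)
```

The routine HR onboarding (account created, then added to a non-privileged group) produces no alert, which is the point of keying on privileged groups rather than on account creation alone.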
However, there’s a huge misconception that zero trust is a ‘thing’ that can be purchased and implemented as a one-time exercise to create a secure environment. This simply isn’t true. Zero trust is a philosophy. It’s a journey that doesn’t have an end. By building adaptive user risk profiles — based on changing conditions, behaviours or locations — the organisation can continuously monitor and verify every attempt to access corporate data before granting or revoking the request.
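An added illustration, not Tenable's product logic, of how an adaptive risk profile can drive continuous verification: every request is scored on the kinds of signal the text names (changing conditions, behaviour, location), the verdict is allow, step-up or deny, and the profile is updated after each verified request so the next decision sees the changed conditions. The signal weights, thresholds, device and country values and the user's baseline are all assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class UserProfile:                 # adaptive baseline, learned from past access telemetry
    known_devices: set
    known_countries: set
    last: tuple = None             # (country, time) of the last verified request

@dataclass
class AccessRequest:
    device_id: str
    country: str
    time: datetime
    sensitivity: str               # "low" or "high" classification of the resource

def score_request(profile, req):
    """Return (risk_score, signals); a higher score means less confidence in the request."""
    score, signals = 0, []
    if req.device_id not in profile.known_devices:
        score += 30; signals.append("unknown_device")
    if req.country not in profile.known_countries:
        score += 25; signals.append("new_country")
    if profile.last and req.country != profile.last[0] \
            and req.time - profile.last[1] < timedelta(hours=1):
        score += 40; signals.append("impossible_travel")   # country changed within an hour
    if not 7 <= req.time.hour < 20:                        # outside usual working hours
        score += 10; signals.append("off_hours")
    if req.sensitivity == "high":
        score += 15; signals.append("sensitive_resource")
    return score, signals

def decide(profile, req, allow_below=30, deny_from=60):
    """Verify this request, then fold it into the profile so the next decision sees the change."""
    score, signals = score_request(profile, req)
    verdict = "deny" if score >= deny_from else "step_up_mfa" if score >= allow_below else "allow"
    if verdict != "deny":
        profile.last = (req.country, req.time)
    return verdict, score, signals

def demo():
    p = UserProfile({"laptop-7f3a"}, {"GB"})   # constructed baseline for one user
    reqs = [                                    # constructed requests over one morning
        AccessRequest("laptop-7f3a", "GB", datetime(2021, 11, 2, 9, 0), "low"),    # 0: allow
        AccessRequest("laptop-7f3a", "GB", datetime(2021, 11, 2, 9, 30), "high"),  # 15: allow
        AccessRequest("phone-01", "GB", datetime(2021, 11, 2, 10, 0), "low"),      # 30: step up
        AccessRequest("phone-01", "RO", datetime(2021, 11, 2, 10, 15), "high"),    # 110: deny
    ]
    return [decide(p, r)[0] for r in reqs]
```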
Remote work habits have affected security posture and will continue to do so if not managed properly. To address the risks introduced, organisations need visibility of the entire attack surface – on-premises and in the cloud. This gives the security team a view of their whole threat landscape, the intelligence to predict which cyberthreats will have the greatest business impact, and the controls to address the risks introduced by the new world of work.
Author: David Cummins, VP of EMEA, Tenable
- [1] The data is drawn from ‘Beyond Boundaries: The Future of Cybersecurity in the New World of Work,’ a commissioned study of more than 1,300 security leaders, business executives and remote employees, including 168 respondents in the U.K., conducted by Forrester Consulting on behalf of Tenable.
- [2] A business-impacting cyberattack is one which results in one or more of the following outcomes: loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.