Ian Jennings at BlueFort Security describes why forward-thinking CISOs are now prioritising application and device security over the network
As we move towards the end of 2021, the outlook for the next 6-12 months is anything but certain. While a significant proportion of the UK population is now fully vaccinated, if we’ve learned anything in the last 18 months it’s that we don’t know what’s around the corner.
And despite many employees now working at least partially from corporate offices, with the UK Government hinting at plans to reintroduce compulsory home working if COVID puts the NHS under pressure over the winter period, every organisation should be mapping out contingency plans for another workplace exodus.
CISOs are concerned
It’s a sobering thought given that for many security organisations, the last few months have been a chance to take stock, review changes and assess gaps in their infrastructure. A survey of 600 CISOs conducted by BlueFort Security recently revealed an overwhelming percentage (75%) of CISOs consider their organisation to be at greater risk of a cybersecurity attack due to the transition to home working.
The survey looked at how the COVID-19 pandemic triggered a transformation in the shift to remote working and the extent to which this contributed to the rise in the number of cyber-attacks targeting organisations. CISOs from a broad range of UK organisations, including financial services, professional services, non-profit, healthcare, travel and transport, education, manufacturing, and the public sector were questioned.
The research found that the combination of the COVID-19 pandemic, the resulting accelerated shift to digital and the ongoing skills gap have created a perfect cyber-security storm, leaving organisations more vulnerable to attacks than ever before. CISOs are struggling with limited visibility, with 30% admitting they’ve lost track of movers, joiners and leavers, and 29% stating they are missing corporate devices.
Perhaps the worst thing any CISO could do right now is to carry on as they did in the world before COVID. It’s fair to say the genie is out of the bottle on hybrid and remote working.
CISOs need to be flexible, adopt new ideas and ultimately, create a hybrid-first security culture. It would be a mistake to see this as a bad thing; there are lots of benefits to be had. Ultimately, those CISOs that do deliver this will have more secure applications and devices and likely more agile business processes.
The problem of movers and joiners
The problem of movers and joiners isn’t a new one, but it has changed dramatically over the past 18 months. In a typical office, the onboarding journey for new employees has traditionally been very much a face-to-face affair. Employees would likely have visited the office at least twice, for interviews and to meet HR. They would be given a laptop and walked through an induction process.
Now, across all verticals new starters are being inducted remotely and will often only meet colleagues in informal settings. This is where the challenge of visibility starts. If employees are coming and going – whether in the office or other drop-in locations – it becomes difficult to keep track. Visibility is reliant on accurate processes and paperwork, which are not always present.
Leavers present an even greater challenge, particularly when it comes to reclaiming equipment and data. Many large organisations have abandoned equipment over the last 18 months simply because it’s proved too difficult to get it back. And while pre-pandemic this may have been limited to laptops, now this can include anything from printers and scanners to specialist IT equipment.
The leavers visibility challenge is similarly down to processes and paperwork. But while joiners are likely to actively flag any difficulties they might have in these areas, the same cannot always be said for leavers.
Even pre-pandemic, many organisations had up to 30% of their user accounts from Active Directory and other systems unaccounted for – with incomplete records or uncontactable individuals – as a consequence of IT and HR systems not communicating effectively and limited centralised systems. Indeed, over the last few years there has been a significant uptick in identity and access management (IAM) projects aimed at closing the gap between what’s known ‘on the ground’ and the data available in various systems.
The security challenge is in cleaning up the data lifecycle across users and devices leaving the business. Organisations with a good level of maturity in this area are able to, for example, deactivate door passes remotely.
For others, where application access is not well tied together, the leavers challenge is now far greater – and should be a much higher priority to solve. This is most likely to be found in organisations where flexibility was limited pre-pandemic. Procedures and processes need to be reviewed from the ground up with a ‘hybrid first’ mentality.
Pre-pandemic, mobile device management (MDM) was often seen as ‘the’ remote working tool. And while it’s just as important as it always has been – after all, we still need to manage mobile devices – it’s now a small part of the bigger problem of managing remote devices.
Organisations now looking to deliver a hybrid-first environment will need to create a similar MDM program for their laptop estate. The reason is simple. Before the pandemic, most organisations were on a digital transformation journey to an inside-out model. Most applications and data were moving to the cloud, with direct access remotely via VPN.
But while the data is mostly outside the perimeter, what hadn’t been anticipated before the pandemic is that users and devices are now outside the network for the majority of the time. This is the outside-out model businesses now find themselves in.
From a security standpoint, this means that most of the management, control and patching solutions need to change. Traditionally, these processes and solutions assumed employees would spend most – if not all – of their time in the office. VPN was very much a remote access technology and not designed as a full-scale solution for remote management and patching.
The challenge for CISOs now is that although existing patching tools are in place, they are inaccessible to users. So, outside of a full layer 3 VPN connection to the network – which very few organisations will be running – a significant number of background processes are no longer working. Laptops in the field are clocking up vulnerabilities, connecting to unsecure networks and ultimately, returning to the office at some point as compromised devices.
Organisations need to look at cloud-based solutions to solve these problems – applying the same tools and techniques inherent in MDM solutions to laptops and other computing devices. Most action to date will have been tactical. CISOs must now think long-term and put a proper solution in place.
Improving visibility, intelligence and control
It may be a controversial view, but forward-thinking CISOs are now prioritising application and device security over the network.
That’s not to say that network security is no longer important – it is. But the threats facing organisations today – whether that’s malware, a disgruntled employee or an active adversary – are ultimately going to affect a device or an application and the data behind it.
If most users and devices are outside, the network becomes less important. Once the application and device are secured properly – through encryption, application firewalls, XDR and Zero Trust principles – the network itself becomes less important. Even when a user connects to a less secure network, if the device and application security is there, it’s less of a problem. The security risk of the network is mitigated – or at least minimised – by taking care of everything else.
Of course, like everything in security, this is a cyclical process. There is always the risk of a compromised device connecting to the network. But in the post-COVID world, the network is less important than it was. The focus should be on the device, the application and becoming network agnostic. The goal hasn’t changed. Security teams need to minimise risk.
Threat actors will always focus on the weakest link. With the right level of application and device security, CISOs will be better equipped to minimise that risk moving forwards.
Ian Jennings is Managing Director at BlueFort Security