The current reality of massive remote work began as a pandemic-induced necessity, but what most thought would be a short-term stopgap has become the current norm. And that’s not entirely a bad thing. I’m sure most workers don’t miss commutes or traffic, and enjoy the extra sleep and being able to take a conference call in their pajamas. As organizations have seen that they are still able to function, more and more employers and employees are embracing remote work as a viable long-term possibility. In fact, some companies, like Microsoft, have created a hybrid work-from-home option, where employees will be allowed to work a portion of every month remotely.
There was an initial scramble to set up technology and tools to make remote work at this scale possible, which meant there was little time to consider the security implications of remote working. But the attack surface has increased dramatically on devices and in environments that lie beyond the control of the enterprise. This is not welcome news for stressed and over-worked security teams who already struggle to respond to security events today. With infrastructure challenges behind us, now is the time to start planning for the long-term reality of the hybrid work environment and what that means for enterprises.
The attack surface expands
It’s been a constant struggle for security teams to try to maintain the pace of defense against ingenious attackers and their increasingly sophisticated and relentless attacks. A 2019 Critical Start survey of Security Operations Center (SOC) professionals found that 80 percent of respondents had reported experiencing between 10 percent and 50 percent SOC analyst churn in the previous year. That’s directly due to the increasing number of alerts that each analyst needs to examine.
The pandemic has only exacerbated the stress. According to a recent report from ESG and ISSA, Covid-19 has not only forced cybersecurity professionals to change their priorities/activities, it’s also increased their workloads. They’re having to attend more meetings and experiencing increased levels of stress associated with their jobs. And this means CISOs have to closely monitor their team members for signs of burnout.
On top of this, the number of attacks has increased during Covid-19. A recent report from VMware Carbon Black found that the shift to working from home has seen a 148 percent increase in ransomware attacks and exposed key areas for security teams to address. And this isn’t just statistics, it’s a trend IT professionals are really taking notice of. In fact, the VMware report also found that 91 percent of global respondents had seen an increase in overall cyberattacks as a result of employees working from home.
The security and compliance challenges
The main target for cybercriminals is personally identifiable information (PII). According to the latest Cost of a Data Breach Report 2020 from Ponemon Institute, 80 percent of data breaches involve customers’ personally identifiable information. This poses two major challenges. The first is a data security challenge, as remote working effectively expands the attack surface; the second is that customer data privacy is also compromised.
There are more vulnerabilities for cybercriminals to exploit as remote workers access enterprise networks and SaaS resources from home office environments that are not secure. Security teams can do very little unless corporate devices are allocated to each remote worker. The protections enjoyed while inside the corporate perimeter are no longer available.
Now let’s turn to the challenge of privacy data and compliance. New data protection and privacy legislation similar to the EU’s GDPR and the California Consumer Privacy Act (CCPA) is being adopted across the globe. Currently, 66 percent of countries have data protection and privacy legislation in place. These laws stipulate how quickly users need to be informed when a data breach occurs.
Using GDPR as an example, organizations have up to 72 hours to inform affected customers of a detected data breach or face fines of up to €20 million or 4 percent of annual global turnover (whichever is higher). This is a significant extra cost should a breach occur and affected customers cannot be identified quickly. The EU has also been willing to litigate in this area, with fines already totaling €176 million in the past two years.
Remote employees need Identity Governance and Administration (IGA)
Business critical systems need to be protected from remote workers who don’t need access to them, but it’s not just about security devices and VPN solutions. It is also about managing who owns which accounts and ensuring that they can only access data that they are entitled to. While it might not be possible to always control the type of device or connection that remote workers use to access these accounts, it is still possible to enforce rules as to the type of system or application that a specific identity or role can access in a specific situation.
Best practice guidelines for IGA issues include managing identities and roles, managing the type of applications that specific identities and roles can access, and responding to security breaches involving identities.
As enterprises prepare for a longer-term, hybrid workforce, they can establish a solid foundation for identity governance using the following recommendations:
- Increase efficiency by allowing automated request and approval processes for system access
- Catalogue who has access to which systems and applications
- Map identities to roles and create policies for the privileges associated with each role
- Make sure that when the duties of a role change, so do the access rights
- As a user’s job responsibilities change, ensure the access rights are reviewed and adjusted
- Enforce segregation of duties so multiple roles associated with an identity do not lead to unintended access to sensitive systems
- Perform regular audits on access and compliance data to detect discrepancies
- Use risk scores to understand the severity of audit events
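As an added illustration of the role mapping, role-change review, segregation-of-duties and risk-scored audit recommendations above (example code written for this page, not from the article or from any Omada product), the following Python runs those checks over a constructed set of identities, roles and SoD rules:

```python
# Constructed sample data (not from the article): role policies, SoD rules and identities.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "ap_approver": {"erp:approve_payment"},
    "hr_generalist": {"hris:read_employee_pii"},
    "helpdesk": {"idp:reset_password"},
}

# Segregation-of-duties rules: entitlement pairs one identity must never hold together,
# each with a hypothetical risk score used to rank audit findings.
SOD_RULES = [
    ({"erp:create_vendor", "erp:approve_payment"}, 9),   # create a payee and pay it
    ({"idp:reset_password", "hris:read_employee_pii"}, 6),  # take over accounts of known people
]

# "direct" holds grants made outside any role, e.g. left over from a previous job.
IDENTITIES = {
    "alice": {"roles": {"ap_clerk"}, "direct": set()},
    "bob": {"roles": {"ap_clerk", "ap_approver"}, "direct": set()},
    "carol": {"roles": {"hr_generalist"}, "direct": {"idp:reset_password"}},
}


def role_access(roles):
    """Entitlements an identity is entitled to purely through its roles."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles)) if roles else set()


def effective_access(ident):
    """Everything the identity can actually reach: role-derived plus direct grants."""
    return role_access(ident["roles"]) | set(ident["direct"])


def audit(identities=IDENTITIES):
    """Return (identity, finding_type, detail, risk_score) tuples, highest risk first."""
    findings = []
    for name, ident in identities.items():
        access = effective_access(ident)
        # Discrepancy: access that no current role justifies, so the role/identity mapping has drifted.
        for ent in sorted(access - role_access(ident["roles"])):
            findings.append((name, "out_of_role", ent, 4))
        # Segregation of duties: combined roles or grants yield a forbidden pair.
        for pair, score in SOD_RULES:
            if pair <= access:
                findings.append((name, "sod_violation", "+".join(sorted(pair)), score))
    return sorted(findings, key=lambda f: -f[3])


def access_to_review_on_role_change(ident, new_roles):
    """When duties change, list entitlements the new roles no longer justify, for review rather than silent retention."""
    return effective_access(ident) - role_access(new_roles)
```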
The hybrid world
As it turns out, remote work is not merely a short-term fix but a long-term option. This makes the work environment harder to secure. Failure to secure data and keep it private could lead to not just breaches but hefty non-compliance fines. Using IGA gives organizations control over who can access which systems and under what circumstances. This strengthens both security and compliance as organizations settle into the new reality of hybrid work environments.
Thomas Müller-Martin, Global Partner Technical Lead, Omada