The cybersecurity strategies developed last year are already falling short. IT leaders face more complex attacks, and the shift towards remote workforces creates an increasingly distributed and challenging threat ecosystem. The latest Thales Data Threat Report shows that 79% of IT decision-makers are concerned about remote security risks as employees gain more power over their environment and leaders lose direct control over day-to-day cybersecurity decisions. With distributed remote workforces now a business norm, companies need to change how they think about security and get their employees to partner with them.
Shift the mindset
The main shift in thinking lies in how companies used to control access compared with how they need to manage security in digitally transformed environments.
In traditional environments, central thinking focused on controlling what came in and out of networks. People went into the office and connected to the networks with firewalls acting as the guardians of the gate and protecting everything inside that locked area. With distributed, remote workforces, those perimeters no longer exist.
People working from home means that companies can no longer control that gate. People work from home or a local coffee place, bringing their company-supplied devices with them.
Purchasing the most expensive firewalls or the newest Intrusion Prevention System (IPS) or Distributed Denial of Service (DDoS) protections fails to protect users working from home.
When people use their own devices, the risks increase further since organizations may not be able to control the configurations. With the move to the cloud, people can use their personal devices as easily as their work devices. Unfortunately, those personal computers may not have any protection, and the company may not be able to force the person to install protection.
Since the personal computer has access to corporate data, a successful phishing campaign means threat actors can grab the data and siphon it off undetected.
Capture the audience
Fostering security awareness with remote workforces is a never-ending battle. Companies provide security awareness training, and most of the time, employees just click through it quickly.
Capturing the audience’s attention is fundamental. Logically, employees know not to click every email that requests a password reset. Still, malicious actors are using targeted campaigns, like spear-phishing attacks tailored to the people who work in a company. They send an email that looks like it’s coming from the CEO or a supervisor asking for a favor. These attacks focus on exploiting emotion, not logic. Since people are inherently curious and helpful, they don’t respond logically.
With a remote workforce, cybersecurity awareness needs to look different. It should focus more on the idea of questioning everything. Do I expect this person to be contacting me? Does this person usually ask me for favors? Is this something unusual?
The lesson should be: Don’t click on it or respond to it if it’s unexpected.
IT and security teams need to take this same lesson with them. Remote work is shifting security to an “always verify, never trust” model. Just as employees need to be wary of unexpected things, IT and security teams must be suspicious of unmanaged devices or shadow IT.
Corporations lack visibility into the software people install on their own devices. IT and security teams may not be able to require installed agents on personal devices, meaning they cannot bring that shadow IT into their software inventory. Meanwhile, on a corporate device, they can implement and enforce controls like requiring employees to use specific hardware or a token when accessing services.
Then, they need to find a way to protect the cloud assets without affecting employee productivity. They need to provide good company access, so people are happy at work. The challenge here is balancing what can be competing organizational needs.
Shifting the security mindset along with the perimeter means rethinking how security teams define “gates.” Instead of thinking, “you shall not pass,” IT and security teams need to focus on “you can only pass if.” The “if” is the validation process. You can also pass if:
- We know that you are who you say you are.
- You have the most current operating system on the device.
- Your IP address is from a geographic location we recognize.
Manage compliance challenges
To validate everything, IT and security teams need to monitor everything. For example, employees managing cloud infrastructure should only be allowed to work from an encrypted, corporate device with scanners.
This is where monitoring logs can help. All the tools that companies use to manage remote workforces generate log data. Too often, companies collect the data, but no one is reviewing it on a regular basis.
It is important to collect all this log information, then parse, normalize, correlate, and analyze it. IT and security teams can create the documentation needed to prove compliance.
For example, if they absorb the logs into their infrastructure, they will be able to correlate:
- User ID
- Assets coming from services
- Web browser running
- Host name
With that information, they can build alerts that detect when an employee is accessing a corporate asset from their personal device. Collecting log data can also help IT and security teams detect invalid access by dangerous threat actors who may have hacked into the company infrastructure through the employee’s computer. Regardless of what is going on, the logs paint the picture that helps IT and security teams see what’s happening, even when people work from anywhere.
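A sketch of the correlation described above, added here as an example and not taken from the original article or any product: two constructed log sources with different schemas are normalized to the four fields listed (user ID, asset, browser, host name) and checked against a hypothetical inventory of managed host names. The log formats, field names and inventory are assumptions.

```python
import json
import shlex

# Constructed inventory of corporate-managed host names (assumption).
MANAGED_HOSTS = {"corp-lt-0142", "corp-lt-0377"}

# Constructed sample logs from two hypothetical sources with different schemas.
SSO_LOG = """\
{"ts":"2024-05-06T08:01:12Z","user":"alice","device":"CORP-LT-0142","ua":"Firefox/125.0","app":"payroll"}
{"ts":"2024-05-06T08:03:40Z","user":"bob","device":"bobs-macbook","ua":"Safari/17.4","app":"payroll"}
"""
PROXY_LOG = """\
time=2024-05-06T08:05:02Z uid=alice host=corp-lt-0142 browser="Chrome/124.0" asset=wiki
time=2024-05-06T08:09:55Z uid=carol host=DESKTOP-7F3K browser="Edge/124.0" asset=source-repo
"""

def normalize_sso(line):
    """Parse a JSON sign-in record into the common schema."""
    e = json.loads(line)
    return {"ts": e["ts"], "user": e["user"], "host": e["device"].lower(),
            "browser": e["ua"], "asset": e["app"]}

def normalize_proxy(line):
    """Parse a key=value proxy record (quoted values allowed) into the common schema."""
    kv = dict(tok.split("=", 1) for tok in shlex.split(line))
    return {"ts": kv["time"], "user": kv["uid"], "host": kv["host"].lower(),
            "browser": kv["browser"], "asset": kv["asset"]}

def load_events():
    """Merge both sources into one timeline ordered by timestamp."""
    events = [normalize_sso(l) for l in SSO_LOG.splitlines() if l.strip()]
    events += [normalize_proxy(l) for l in PROXY_LOG.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])

def unmanaged_access_alerts(events, managed_hosts=MANAGED_HOSTS):
    """Return every access to a corporate asset from a host not in the inventory."""
    return [e for e in events if e["host"] not in managed_hosts]

if __name__ == "__main__":
    for a in unmanaged_access_alerts(load_events()):
        print(f'{a["ts"]} ALERT user={a["user"]} host={a["host"]} '
              f'browser={a["browser"]} asset={a["asset"]}')
```

Host names are lower-cased during normalization so that the same device reported with different casing by different tools still matches the inventory.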
Provide the right solutions
More than anything else, companies need to give their employees the right solutions to manage security. This might mean supporting how employees access the network by providing a password manager or requiring multi-factor authentication for the standard worker. For IT and security teams, it means finding the solution that answers their questions and responds to their needs.
For companies with smaller teams, it’s important to keep in mind that “right” doesn’t always mean “most expensive.” They should look for solutions that give their people the information they need with an interface they can use. Many expensive cybersecurity tools require experience with proprietary languages, meaning that many smaller IT and security teams fail to use all the fancy bells and whistles.
All employees need tools to meet them where they are and grow with them. While focusing on building gates worked in the past, modern companies with modern IT and security teams need solutions that help them shift their mindset while providing the flexibility needed to address the future threat landscape.
Distributed remote workforces are here to stay. A partnership between IT and security and the employees will emerge by providing solutions that support this style of working. The result is a robust security posture and happy and productive employees.