How to manage endpoint security in a hybrid work environment
The future of the workplace is clearly hybrid, but this has untold implications around endpoint security. How can businesses overcome these?
Once upon a time, remote working was fairly uncommon in the corporate world. But when Covid-19 spread across the globe at the start of 2020, most businesses had to send their employees home and ask them to work online instead.
Even in the early stages of the pandemic, there was a general feeling among business leaders that remote working would continue in some form afterwards. Indeed, Gartner research conducted in the summer of 2020 found that 82% of business leaders would continue to provide occasional remote working opportunities. Fast forward 18 months and remote working is still standard practice for millions of workers globally.
While remote and hybrid working models have proved their effectiveness during the pandemic, they have opened up a range of challenges for IT and cyber security departments. The use of work devices offsite, coupled with unmanaged personal devices connecting to corporate networks, can increase risks such as unauthorised access, malware infections and data leaks.
For businesses to mitigate these risks and ultimately protect their distributed workforces, they must evolve endpoint security strategies to meet the intricacies of remote and hybrid working environments. But what steps are required to do this?
Dealing with the new norm
In the post-pandemic world, hybrid working will be the norm for many businesses and their employees. But Jake Moore, security specialist at ESET, warns that this presents major obstacles for IT and cyber security teams.
“Switching between onsite and remote working locations multiple times a month may seem like a good balance for employees, but it can cause constraints on IT infrastructure,” he says. “The challenges for the security teams on an increasingly distributed mobile workforce suggest no sign of slowing down. Therefore, IT teams will need to continue ramping up their game.”
The issue with remote working is that lots of employees leave their work devices at the office – or don’t have any at all – and end up using their own personal electronics for work purposes. Often, these are insecure and put business data at risk.
Moore says employees can access secure office-based machines while working from home through virtual desktop infrastructure (VDI), but they still need to use their own computer to do this.
He warns: “Endpoint security may not be the first thought on employees’ minds, which can cause issues when data is transferred to these devices not owned by the company. Even with regulations drawn up, employees are able to transfer data relatively easily.”
Hybrid working can also exacerbate the risk of illicit data transfers by people within an organisation. “This can be where the employee is in the early stages of exiting a company and considering taking company information with them,” says Moore. “Furthermore, there is a threat of the employee who wants to damage the company by stealing sensitive data, which is made much harder to police when remote working.”
Finding the perfect solution
In addition to implementing VDI, some IT departments deactivate the USB ports of corporate devices and install monitoring software on them as part of endpoint security efforts. But Moore says neither solution is perfect.
“If company devices are offered to all employees, then USB ports can be turned off,” he says. “This may hamper the usage of some workers, but it doesn’t stop those photographing the screens with no one around them to monitor their behaviour. Placing monitoring software on each device can be extremely intrusive and can often have a negative effect on morale, so it must be heavily considered whether this option is the best idea.”
Moore believes that organisations should ideally provide hybrid workers with their own dedicated laptops for completing all tasks. That way, they shouldn’t need to use personal devices for work purposes. “It [the work laptop] would need to be managed by the IT team remotely and forced to update and patch accordingly,” he says.
Organisations can also use simple centralised endpoint management and control systems for streamlining the hybrid working model, says Moore. “This new way of working for many is not going away, so teams will need to reconsider their best practice or risk falling short of security. These short fallings can often be the break or even vulnerability that cyber criminals are looking to exploit at any moment.”
Major issues at play
Ensuring that every distributed corporate device has up-to-date security patches is the primary challenge faced by organisations with remote workforces, according to Andrew Hewitt, senior analyst at Forrester.
“During the pandemic, organisations have forced endpoints to connect to a VPN to receive patches, but that impacts performance and patch success,” he says. “With hybrid working poised to continue, it will become more difficult to ensure the right patches are pushed down under subpar network conditions.”
Since the start of the pandemic, businesses are also likely to have seen an influx of unmanaged devices entering their corporate networks – and managing these is not an easy task for IT and cyber security professionals. “Most organisations have no visibility over the number of unmanaged endpoints connecting to their corporate information,” says Hewitt.
“Especially if these are personally owned devices accessing information on an insecure network, such as a coffee shop, it poses a risk to the organisation if those devices are infected with malware, etc. Connecting to a multitude of networks will be standard in the hybrid future, so we expect that issue to only exacerbate.”
Hewitt says the third biggest issue here is that corporate endpoints are reconnecting to office-based networks after being away for a significant number of months. “Organisations will need to do device compliance checks prior to allowing these devices to connect to Ethernet or Wi-Fi within the building,” he adds.
The nuances of perimeter firewalls
Moving to a remote or hybrid working environment will be particularly challenging for organisations that depend highly on perimeter firewalls, argues Jeffrey Goldberg, principal security architect at 1Password.
“In the old days, people treated traffic that originates from within the corporate network as safe, while traffic originating externally could be malicious,” he says. “Under this model, the natural solution was to do a lot of security within a perimeter firewall. But the underlying assumption was never good.
“Instead, network topology and the difficulty of maintaining and securing individual services within the corporate network meant that a perimeter firewall was the most effective place to build defences. That is, the whole notion that what is coming from inside the network was safe was motivated not by the reality of the threats, but by the reality of where people could put defences.”
But thanks to a greater selection of modern cyber security tools, Goldberg says organisations can ensure they put defences in the right place. And he is confident that they no longer need to rely on the “old, dubious threat model”.
For example, there are now tools that enable organisations to maintain and update their systems more effectively. Goldberg says: “So if you have a service running on some host, you make sure that it has all the security updates. The bad old days of letting a vulnerable system run and hoping that bad packets can't reach it are over. Vendors of operating systems and software get security fixes out faster and make it easier to perform security updates with far less disruption than we used to have.”
While firewalls are still a commonly used endpoint security tool, Goldberg says they are used on each host. “Any particular host should only be listening on the particular ports needed,” he says. “So if something is meant to be running a CIFS/SMB file server but not a web server, it simply won’t listen for traffic coming into the HTTP and HTTPS ports. This moves such filtering from the perimeter firewall to each host, with a default deny policy on those hosts.”
Goldberg says any system that receives input over a network should treat this as potentially hostile, whether it comes from “some unknown net on the other side of the planet or a machine you manage in the same rack”.
He adds: “The individual services you are running should not do bad things if given malicious data. While it is important to authenticate a connection, you also need to authenticate, or at a minimum validate, all data you read. This is even true when reading data that you believe you wrote to a local disk.”
Modern perimeter firewalls are best used for controlling and monitoring the outbound traffic of computer networks, says Goldberg. “If you find that your supposedly internal database is sending stuff to the outside world, you have a problem. Indeed, you might want to have traffic from that machine blocked entirely.”
The impact of poor cyber hygiene
Poor cyber habits exhibited by remote employees can result in an endpoint security headache for organisations, according to Aaron Zander, head of IT at HackerOne. For example, some workers may forget to lock their corporate laptops, allow non-employees to access work devices and write down Wi-Fi passwords.
“Many businesses are starting to prepare and lay the foundations for a hybrid workforce,” he says. “Something gaining a lot of attention at the moment is what this means for security as we start to reconnect our devices and bring the potential bad IT habits we might have picked up into the corporate office.”
Zander says that while businesses can never be too prepared from an endpoint security perspective, bringing devices back onto office networks should not be riskier than home working. “Many businesses used VPNs or file-sharing tools to facilitate the remote workforce and the truth is that this means organisations already opened themselves up to the potential vulnerabilities,” he adds.
However, Zander stresses that this does not mean organisations should not review their endpoint security strategies. “Compromised devices can easily spread across the network and for businesses that are taking security seriously, implementing a zero-trust model is key,” he says.
“In an ideal world, this is something organisations will have already done. Zero-trust allows for IT teams to monitor access and restrict permissions levels, so if a threat actor does get through to the secure network, anything they can access and encrypt will be limited.”
Sean Wright, application security lead at Immersive Labs, says hybrid working does not need to be a massive change for modern endpoint protection. “Threat actors have chased enterprises into cloud environments which, in turn, has informed the capabilities of endpoint protection,” he says. “Subsequently, most solutions now have a strong enough focus on the cloud for the location of a workforce to be largely inconsequential.”
Remote working has proved incredibly powerful during the pandemic, keeping employees safe from catching Covid and providing businesses with a much-needed lifeline. And it is no surprise that many businesses plan to shift to a hybrid working environment even when the pandemic ends. But this introduces a range of endpoint security challenges that must be overcome to protect employees and employers.