Maksim Kabakou - Fotolia
Before the days of mobile computing and smartphones, employees worked exclusively on-site in an office. For security professionals, these were simpler times; external risks were confined to the office network.
However, the current Covid-19 outbreak and subsequent lockdown has forced many people to work remotely and avoid the office, which, in turn, has placed further burden on CISOs who must kick-start their business continuity plans to support these workers, who have no clear timeline for returning to the office.
Now, with the number of remote workers rapidly increasing annually and with 60% of industry professionals in ISACA’s State of cyber security research indicating that it is likely or very likely that they will experience a cyber attack this year, CISOs need to think much more holistically about how access to data will be done securely. This includes remote access back to the corporate network in a secure way, such as using a virtual private network (VPN), and making sure the company has set up multifactor authentication to access company resources.
Redefining company networks
With the ever-growing use of portable smart devices, CISOs today need to worry about data loss prevention in many ways. This is often achieved via mobile device management (MDM) and mobile application management (MAM), where there are administrative and technical controls in place to help restrict the leakage of corporate information (including personal identifiable information) outside the network.
So, most networks are no longer constrained to the organisation’s physical premises, but rather are extended to become an identity-driven perimeter where CISOs have the daunting task of also making sure employees’ corporate devices are protected wherever they are.
Best practices include:
- Ensuring by default that portable device hard drives are encrypted.
- Strong passwords and mandatory password rotation policies.
- Multifactor authentication.
- Having the appropriate remote agents installed on portable devices to continuously scan for viruses and malicious attacks, and end-point patch management.
User awareness training
User awareness training will always be a critical factor. The human element of cyber security is always the biggest risk, as phishing is the number one tactic that hackers use to infiltrate corporate networks.
Just because more employees are working from home for an extended period of time these days does not mean organisations should forget about training them on security. Employee awareness training should keep going, as there are new threats all the time, and some employees may not have had experience with working remotely and must understand the basics of social engineering and how attackers could be anywhere – including airports and the coffee shop they like to work from.
Some simple approaches to employee awareness include ensuring not to connect to free Wi-Fi in public spaces, because that is typically an attacker’s paradise, and ensuring employees have a VPN application before they access the internet on any external network they may be using.
Modern technologies for modern challenges
To contend with a more remote workforce, CISOs will have to adopt new technologies to leverage risk-based conditional access. Rampant use of big data technologies allows them to leverage the cloud and service providers to determine how risky a person’s remote access is. Rather than leveraging reactive and detective controls after the fact, CISOs now need to take a preventative approach to remote employees and deploy risk-based tools to detect issues earlier or gather data to predict the likelihood that an employee could be compromised.
Take cloud storage, for example. If a company has remote employees accessing lots of data in the cloud, there is a chance the employee may lose his or her laptop, have it stolen, or potentially hacked via an account takeover. In this instance, one of the first things bad actors may do is download as much information as they can from the cloud storage platform connected to the device.
Detective controls are effective in this case, but are not fantastic. The hacker may have downloaded a significant amount of valuable data already and be halfway round the world before this issue is discovered the next day.
What if we could detect it earlier? What if we could prevent this by catching bad actors in action? Modern technology allows this. Cloud access security brokers (CASBs) work as a proxy in the cloud, so the CISO’s team can have near-real-time visibility of any potential malicious activity going on, such as being alerted if it looks like the user is accessing files and downloading large chunks of data from an IP address and physical location where they may never have been before.
Risk-based conditional access could trigger alerts to the security team, but could also automate actions to restrict access until they re-authenticate back into the system (forced lock-out and requiring MFA again to verify identity and access).
Zero-trust security model
In combination with risk-based conditional access, a zero-trust security model will help to continuously verify who the person is, validate his or her identity, access and device being used, and then grant (and limit) least privilege to that user to access resources.
And with industry developments in user-entity behaviour analytics (UEBA), companies can now get a much better idea with benchmarking typical normal behaviour for any particular user, regardless of where the user is working. The ongoing telemetry of data gathered may be used in the feedback loop to improve (and refine) future detection and reduce false positives.
The machine learning component to this is still in the early stages, but it will be a rapidly growing field in coming years. A CISO’s role is never easy, and recent surveys have shown that CISOs are experiencing a high amount of stress and burnout.
One way to resolve this is through the use of emerging cyber security technology to improve overall efficiency and serve as an additional barrier in a CISO’s defence-in-depth strategy.