As government agencies and organizations embrace hybrid work models, they must actively adopt security strategies to protect against threats.The world heavyweight champion Mike Tyson famously quipped that, “Everybody has a plan until they get punched in the mouth.” Tyson’s statement rings true not just in boxing, but in cybersecurity as well. Even the strongest cybersecurity plans should be reexamined long before any punches are thrown — and this is more important than ever as a more hybrid approach to work is expected to continue for the foreseeable future. According to a CNBC survey of executives at major US companies, 45% of companies expect to lead with a hybrid workforce model in the second half of 2021.
Credit: fotokitas via Adobe Stock
Organizations may feel protected against cybersecurity threats with solutions such as virtual private networks (VPN) or virtual desktop infrastructure (VDI), but these solutions are vulnerable to common cyberattacks that can pack a devastating punch.
As hybrid work models become the new normal, federal agencies and commercial organizations alike should examine new approaches to cybersecurity, such as continuous, active monitoring and zero-trust access to ensure their cyber defenses work reliably, no matter where their employees perform their work.
Challenges With Standard Approaches to Security
Many organizations have turned to virtualization — VDI or cloud-native applications — to reduce the amount of data stored on endpoints, thus reducing the risk of data exfiltration from physical asset loss. Unfortunately, this approach has provided a false sense of security on endpoint protection and residual risk to enterprise assets. While data extraction is a significant risk, malicious injection of key loggers, advanced persistent threats, and other coordinated attacks against broader enterprise resources are potentially more damaging to organizations.
Hybrid Work and Its Unique Challenges for IT Leaders
Teleworking scenarios compound enterprise security concerns by reducing physical protections, expanding user access to compromised access points and/or networks, while providing organizations with fewer insights into user behavior when employees are not connected to corporate networks. Organizations lack insight into device status and ability to control security configurations until devices are decrypted, fully booted, and connected to enterprise monitoring tools — even then many tools are only used for post-event investigation. Users operating in a “disconnected state” could be subject to a number of malicious activities, intentionally or unknowingly, such as a USB compromise, microphone and camera driver attacks, and network spoofing.
According to recent research from Gartner, by the end of 2021, 51% of all knowledge workers, or individuals whose jobs involve handing or using information vs. physical or manual labor, worldwide are expected to be working remotely, up from 27% in 2019. However, teleworking presents a unique challenge for CIOs and IT leaders as they attempt to ensure their employees remain productive while keeping sensitive data out of the wrong hands. Providing employees remote access to an organization’s networks and data creates multiple vulnerabilities and attack vectors, exposing sensitive data and increasing risk.
The challenge with common security tools like VPN and VDI is that IT teams can’t see what employees are doing unless they login. Of course, many times, they don’t. Even if employees do use VPN, they could still be at risk, as the National Security Agency recently warned that VPNs are vulnerable to attack if not properly secured.
Threats to Organizations That Have Adopted Telework
Teleworking organizations face three common types of threats: human error, external attacks, and insider threats. Human error is a key vulnerability, which can manifest itself through spear-phishing, downloading unauthorized content, accessing unsecure networks, not using VPNs, weak password management, and lost or stolen devices. While these errors may seem minor, they can wreak havoc on the bottom line.
In addition, employees continue to fall victim to attacks by external actors. According to Verizon’s Data Breach Investigations Report, 70% of breaches in 2020 were perpetuated by external actors. Phishing represented 22% of breaches and stolen credentials represented 37% of breaches in 2020. External attacks include unauthorized system access through extortion, forced breach or device hack, malware links, keyloggers, air-gap-jumpers, and man-in-the-middle attacks. Insider threats include theft or misuse of organizational trade secrets or intellectual property, disgruntled employees, and nation-state extortion.
Taking Cybersecurity Protection Measures to the Next Level
As organizations continue to embrace a hybrid approach to telework, they must adjust their security measures to protect against all of these threats. To do so, CIOs at federal agencies and commercial organizations alike should upgrade their security strategies to include active protection and enforce secure, zero-trust access to their networks and data, no matter where they do business.
Actively protecting data, devices, and networks requires automated and intelligent safeguards tailored to enterprise security rules. This includes customizing devices to dynamically react to security threats in real time based on custom protection triggers and context from physical location. Enforcing secure, zero-trust access means ensuring enterprise devices are in a secure, trusted state before allowing users to access sensitive organizational resources.
As we look to the future, uncertainty abounds. But one thing we know for certain is that both malicious actors and innocent human error will continue to pose significant threats to organizations in all sectors and of all sizes. Now is the time to plan accordingly because when the next punch is thrown, it may be too late.
Beau Oliver is a VP at Booz Allen Hamilton. In his role, Beau helps drive the innovation and success of the firm’s proprietary solutions in digital, cyber, immersive, and artificial intelligence to enable, differentiate, and expand its existing services offerings.
Jason Myers is a Principal at Booz Allen Hamilton. In his role, Jason helps drive product development around digital and cyber proprietary solutions including the firm’s District Defend software to help meet Defense and Federal client’s toughest security challenges.
The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT … View Full BioWe welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.More Insights