Why the IT fraternity has little choice but to take the security challenges head on
Finally, in India, as elsewhere in the world, governments are giving in to the demands of a ravaged economy and have opted for a staggered opening. India’s Lockdown 5.0, which kicked off on June 1, is certainly different from the previous versions. What is also different is the sentiment of the people. Workplaces are opening with a lot of mandated and self-mandated precautions in place to safeguard employee health. But the sentiment of white-collar and blue-collar workers remains cautious at best. Those who have been working from home are requesting an extension to continue doing so. Organizations too are hesitant to call them back. Lockdown or no lockdown, the workplace seems to have changed forever, becoming online and remote. As WFH becomes the new normal, there are security challenges. Given the various surveys published on the security concerns arising from the remote working environment, and the fact that many are thinking of moving at least a large part of the workforce to a WFH regime permanently, it is not an either-or situation. Security has to be tackled head on.
Preparing for a new work order
IT leaders, it seems, had foreseen this eventuality. In a Citrix survey that polled more than 3,700 IT leaders in seven countries at the end of May, more than three-quarters said they were expecting a majority of workers to be reluctant to return to the office as it was. Expecting this shift in workers’ demands for more flexible ways of work even after the pandemic, 62% said they are expediting their move to the cloud. If we needed any further proof that WFH is here to stay, take a look at these findings from the survey: 62% of respondents are exploring downsizing physical infrastructure and transitioning to a cloud model; 42% are anticipating they will need to introduce digital workplace platforms; and 44% are looking to public cloud services to facilitate long-term remote working.
COVID-19 put IT teams across industries to the test, as business continuity became dependent on their speed and skill in delivering digital work environments. To their credit, IT leaders held their own under the spotlight and succeeded in making this challenging switch. But now is not the time to rest on these laurels.
Challenging times ahead
Facilitating work from home for entire workforces was surprisingly easy for the majority of IT leaders, especially as most had put in place technology that enabled them to collaborate in the WFH environment. For others, though, it was no cakewalk: in the absence of a business continuity plan that supports WFH for the entire workforce, making the switch was challenging.
The pandemic heightened concerns around security, and COVID-19 was the litmus test for the security controls and policies of organizations. Information security has become the top challenge in the pandemic, giving sleepless nights to the ‘WFH warriors’, the IT teams. Adding to the concerns are the spike in employees installing unsanctioned software and unscheduled virtual private network (VPN) shutdowns, issues that need to be tackled urgently.
Ensuring the security of the home networks of employees scattered across geographies is not an easy task, especially as ransomware, phishing and social engineering attacks have seen a spike. IT teams also need to keep remote systems securely configured and compliant. For many top IT brass, the inability to secure employees’ home office environments, manage the diverse devices connected to corporate networks and gain visibility into remote assets and systems has become a source of stress against the backdrop of rising incidents of security breach. As early as April, 63% of IT leaders polled by Tripwire had reported a spike in COVID-19 related attacks.
In most of the studies around WFH security so far, securing network access is consistently a top concern for IT teams, as is the security around personal devices. Enterprises are also concerned about securing access to SaaS apps and cite malware and unauthorized user access as the top threat vectors.
Various reports show that many organizations are yet to implement security measures to protect their data in the remote work environment. Pressured to ensure business continuity, many just accelerated the migration of user workflows and applications to the cloud without deploying the requisite cloud security solutions. With 84% of organizations likely to continue WFH, as per a report, the absence of adequate security around remote work capabilities is a ready recipe for disaster.
Businesses are still struggling to adjust to the new normal, says Bitglass’ 2020 Remote Work Report. The analysis, carried out in partnership with a leading cybersecurity community, surveyed IT leaders to understand how their organizations have adjusted to the new normal, how prepared businesses were for the sudden shift, what actions they are taking in cybersecurity, and what their top security concerns are now. Alarmingly, 41% of the organizations in the survey have not taken any steps to expand secure access for the remote workforce, and 50% are facing challenges in implementing it due to lack of proper equipment. With 65% of organizations enabling personal devices to access managed applications, the fragile security infrastructure is a huge concern.
Rising attacks on corporate cloud accounts in WFH
The remote working environment led to increased use of cloud services and collaboration tools by enterprises. A research study titled ‘Cloud Adoption & Risk Report – Work-from-Home Edition’, published by McAfee in May, finds a direct correlation between this and the increase in cyberattacks targeting the cloud during the pandemic. The report says that worldwide, between January and April, there were significant and potentially long-lasting trends, including an increase in the use of cloud services, access from unmanaged devices and the rise of cloud-native threats.
In the period under study, the overall enterprise adoption of cloud services rose by 50%. Industries such as manufacturing and financial services, which typically rely on legacy on-premises applications, networking and security more than others, were also forced to adopt cloud services to enable WFH. As IT teams raced to enable online collaboration in the WFH environment, use of cloud collaboration tools increased by up to 600%. The education sector was the biggest adopter of collaboration tools as classes went online and remote.
During the period, threat events from external actors increased by 630%. The main targets of these external attacks were collaboration services, and the attacks were large-scale attempts to access cloud accounts with stolen credentials. Companies can heave a sigh of relief that there was no rise in insider threats during the pandemic, which indicates that employees can be trusted to work in virtual offices. However, access to the cloud by unmanaged personal devices doubled, adding to the challenges of security professionals.
The findings underline the need for IT leaders to develop new security delivery models in the distributed WFH environment. IT leaders have displayed exemplary courage in overcoming the restrictions placed by the pandemic on businesses. Unfortunately, for bad actors, the pandemic-generated WFH environment has presented a ready opportunity to exploit. The sudden uptick in cloud adoption without commensurate security measures has created a fertile environment for attacks.
Time to strengthen those firewalls
On-boarding to a remote workplace was perhaps the easier part. Ensuring that WFH continues smoothly and securely is the real challenge. Gauging future needs, some IT leaders are revving up the digital engines to implement solutions for the long haul and to tackle the challenges that the new regime has thrown up.
The focus needs to shift from enabling remote working to implementing secure remote working capabilities. The only way for enterprises to counter cloud-native threats that are increasing in step with cloud adoption is for IT leaders across industries to evaluate their security posture. Measures to protect against account takeover and data exfiltration must be the priority. IT leaders must look at implementing cloud-native security solutions that can be managed remotely to detect and prevent external attacks and data loss from the cloud and from the use of unmanaged devices.
Given the critical nature of financial institutions, their security teams seem to be ahead of the curve in securing their companies. The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium dedicated to reducing cyber risk in the global financial system, reports that 75% of cybersecurity professionals representing financial institutions around the world made dramatic changes to their firm’s cybersecurity programs to cope with the rapid shift to remote work. FS-ISAC had polled 871 cybersecurity professionals from financial institutions around the world at its Virtual Summit on May 19.
As threats mount, this must become the norm for all enterprises that have a sizable workforce working from remote offices.
Security-first model: Need of the hour
The patchwork approach to cybersecurity adopted for the lockdown period will not help in the long-term remote working environment. Legacy data security approaches are at best piecemeal and make the task harder. As the third annual Oracle and KPMG ‘Cloud Threat Report 2020’, which studied 750 cybersecurity and IT professionals across the globe, found, a patchwork approach to data security, misconfigured services and confusion around new cloud security models have created a crisis of confidence among IT leaders. The report found that 78% of organizations use more than 50 discrete cybersecurity products to address security issues and 37% use more than 100 cybersecurity products. Organizations that discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year. In 59% of organizations, employees with privileged cloud accounts have had those credentials compromised by a spear phishing attack.
Security must be part of the cultural DNA of the business to be able to address increasing data security concerns and trust issues. In the new norm, IT teams need to work with cloud service providers to build a security-first culture. Organizations will need to build a team of skilled IT security professionals, while constantly improving processes and technologies to mitigate threats as cloud consumption grows, creating new blind spots. Reactive responses to a cybersecurity incident may help save a situation, but they will not fix the vulnerabilities. Organization-wide security policies covering expanded remote workforces will have to be enforced as organizations upgrade to enterprise-grade security.