As work from home continues, implementing a Zero Trust approach should be the priority for CISOs, their security teams, and users
Even as the world prepares itself for the New Normal, the impact of COVID-19 pandemic on enterprise security has been huge. According to Gartner’s research, 54% of HR leaders have cited that poor technology infrastructure for remote working is the biggest barrier to effective communication. Leading brands across the globe have found themselves struggling with going from a 0% remote workforce to 100% in a matter of days challenging. What used to be safe, thanks to office-based systems and procedures, may now be unsafe. Today, IT departments are facing increased pressure to ensure business continuity by providing remote users with access to essential corporate applications and services through Virtual Private Networks (VPNs).
In fact, according to the study, 88% of the workforce in India prefers to have the flexibility of working from home. In addition to this, 69% of Indian employees believe their productivity has increased while working remotely. With the modern workforce becoming increasingly on the go, accessing applications from multiple devices outside of the business perimeter, enterprises have adopted a “verify, then trust” model which means if someone has the correct user credentials, they are admitted to whichever site, app, or the device they are requesting.
This has resulted in an increased risk of exposure, dissolving what was once the trusted enterprise zone of control and leaving many organizations exposed to data breaches, malware, and ransomware attacks. Recently, the Computer Emergency Response Team of India (CERT-IN) issued an advisory about social engineering attacks in which threat actors pose a legitimate threat to capture confidential data from employees.
There has always been a tension between the need for security and the requirement for ease of access to enable high productivity. But right now, with almost all businesses operating with a distributed workforce, security diligence is often losing out in the negotiations in favor of fast adoption. What are some of the ways to overcome these challenges?
Boost to Zero Trust Networking
Traditional perimeter security depended on firewalls, VPNs, and Web gateways to separate trusted from untrusted users. But as mobile employees began accessing the network via their own devices, perimeters blurred. Employees virtually disappeared with the rise of cloud computing and IoT devices. This resulted in an escalating risk of vulnerability, breaking down what was once the trusted enterprise zone of control and leaving many organizations exposed to data breaches, malware, and ransomware attacks. Protection is now needed where applications and data, and users and devices, are located. Zero Trust security requires meticulous identity verification for every person and devices trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. Every organization’s first inclination is often to set up a VPN but this is not always enough. While they are still commonly used and there are still occasional needs for them, “Zero Trust” or “Beyond Corp” style virtual networking is a far better solution. This approach must be implemented across the entire organization. Whether you are giving users access to apps or administrators access to servers, it all comes down to a person, an endpoint, and a protected resource. Users include your employees, contractors, and business partners that have access to your systems. Once you have built your Zero Trust policy around your protected surface, enterprise should ensure that user access specific applications that are updated.
Basic Cyber Hygiene
Cyber Hygiene can be a great practice of end-users when they are engaging in activities on the World Wide Web. It is crucial to ensure that your employees are in the habit of practicing good cyber hygiene. Everyone doing their part can go a long way to protect both individual employees and the company from cybercriminals. Providing tools like multi-factor authentication and password managers are good examples. It is important to remind employees to make sure their home routers are also up to date with WPA2 security and strong passwords, resist the urge to work at insecure networks without protection.
As work from home continues, implementing a Zero Trust approach should be the priority for CISOs, their security teams, and users. We are fortunate that there are devices accessible today to shift to remote work seamlessly. It is essential to use this time to polish up your security posture and make them work in any environment.
The author is Security Solutions Architect at F5