Mobile devices, bring-your-own-device policies, traveling employees, and remote contractors and partners have been stretching the security perimeter for the last decade. Still, using VPNs, access control, strong authentication, and other technologies, primary devices and network activity remained in IT's control by being effectively tethered to on-premises systems and continuously monitored within the confines of the extended corporate network.
That was until the work-from-home (WFH) explosion crushed it. Now people routinely use home networks, shared personal computers, and their own devices to access corporate and software-as-a-service (SaaS) resources. Yikes! IT is left with little visibility or cybersecurity control over corporate assets and network activity. Businesses now need cybersecurity that they can take with them.
As CISOs and security teams work furiously to extend their perimeter, re-assess their posture to encompass WFH, and give their people the security help they need, the essential question to ask is: which areas do we prioritize?
The Verizon "2020 Data Breach Investigations Report" (DBIR) stats below can help inform that decision. Here are three top priorities that deserve careful examination, driven by the data on the top breach actions identified in the report. For each, we provide questions to self-challenge your level of preparedness. But here is the catch: Ask yourself the questions in the context of a WFH employee using their own device and network, not someone on-premises or on a company device through a VPN.
Phishing, Still No. 1
Business communication runs on email, and phishers are right there with their hooks in the ocean. Based on post-breach analysis, phishing remains the top threat, accounting for more than 20% of data breaches. IT teams must scrutinize how they are protecting WFH employees using their own devices and networks, often shared with family members, from phishing risks.
Self-challenge assessment questions to ask include: Do we get alerts on suspicious email activity targeting employees? Are we identifying phishing attempts and fraudulent schemes that target our business? How quickly do we discover new themes like COVID-19 phishing emails and react? How are we protecting the WFHers? Ramping up your phishing protection for the WFH users should be your first priority.
Stolen Credentials? Well, Yeah
This might be more of an outcome of the other threat actions, and perhaps part of every breach at some point, but however the DBIR decided to slice the pie, it is the second most frequent data breach action at around 20%. While strong authentication is an effective solution, usability, cost, and complexity remain barriers to widespread adoption. On the other hand, half a loaf is better than none. Other actions can reduce credential stuffing against privileged accounts or help blunt its effectiveness as hackers try to spread laterally.
Ask yourself, do we at least require system admins with privileged accounts to use multifactor authentication, and if not, why? How do we audit admin activities such as adding new users and privilege escalation? Can we identify account takeover risks like brute-force attacks? Do we identify successful logins from unexpected countries or evaluate first-time new logins to an asset? Do any trigger alerts, and if so, who responds?
Stolen credentials have many serious ramifications, but you should pay attention to privileged admin accounts and actions, and make sure high-risk anomalies are being flagged — and acted on.
SaaS Misconfigurations … Oops
Surprisingly, cloud configuration errors were high on Verizon's list, and of these, SaaS misconfigurations were highest. Gartner forecasts that through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data and 99% of cloud security failures will be the customer's fault. WFH just amplifies the problem.
Ask yourself, how do you backstop configuration errors or advanced threats to safeguard your cloud infrastructure and SaaS applications like G Suite and Microsoft 365? Do you identify and evaluate successful logins from unexpected countries and improbable geographic access? Is there a process to find and review admin actions such as changes to forwarding rules or permissions, or new admin accounts being created? Do you monitor downloads from cloud-shared drives?
With so many SaaS apps in use, this should be a top priority for most organizations.
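The self-assessment questions in the credentials and SaaS sections above describe detections rather than code. As an added illustration (not from the article, the DBIR, or any vendor), here is a small Python detector that runs those checks over constructed audit events: a successful login after a burst of failures (brute force), a user's first login from a new country, a first login to an asset, and admin actions such as forwarding-rule or permission changes and new admin accounts. The event tuple format, the per-user baselines, and the threshold are all assumptions.

```python
from collections import defaultdict

# Admin actions the questions above single out for mandatory review
ADMIN_ACTIONS = {"forwarding_rule_changed", "admin_account_created", "permission_changed"}

# Constructed sample audit events, oldest first (hypothetical format):
# (time, user, action, result, country, asset)
EVENTS = [
    ("09:01", "alice", "login", "fail", "US", "mail"),
    ("09:01", "alice", "login", "fail", "US", "mail"),
    ("09:02", "alice", "login", "fail", "US", "mail"),
    ("09:02", "alice", "login", "fail", "US", "mail"),
    ("09:03", "alice", "login", "fail", "US", "mail"),
    ("09:03", "alice", "login", "success", "US", "mail"),
    ("09:10", "bob", "login", "success", "RO", "drive"),
    ("09:11", "bob", "forwarding_rule_changed", "success", "RO", "mail"),
    ("09:30", "carol", "login", "success", "US", "hr-portal"),
    ("09:31", "carol", "admin_account_created", "success", "US", "admin"),
]

# Assumed baselines: countries and assets each user has used before
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
KNOWN_ASSETS = {"alice": {"mail"}, "bob": {"mail", "drive"}, "carol": {"mail"}}

def detect(events, known_countries, known_assets, brute_threshold=5):
    """Return (time, user, reason) alerts for the anomalies the text lists."""
    alerts = []
    failures = defaultdict(int)          # consecutive failed logins per user
    countries = {u: set(c) for u, c in known_countries.items()}  # work on copies
    assets = {u: set(a) for u, a in known_assets.items()}
    for ts, user, action, result, country, asset in events:
        if action == "login":
            if result != "success":
                failures[user] += 1
                continue
            # A success right after a burst of failures is the brute-force signal
            if failures[user] >= brute_threshold:
                alerts.append((ts, user, f"success after {failures[user]} failures"))
            failures[user] = 0
            if country not in countries.setdefault(user, set()):
                alerts.append((ts, user, f"first login from {country}"))
                countries[user].add(country)
            if asset not in assets.setdefault(user, set()):
                alerts.append((ts, user, f"first login to {asset}"))
                assets[user].add(asset)
        elif action in ADMIN_ACTIONS and result == "success":
            # Admin changes are always queued for review, not only when anomalous
            alerts.append((ts, user, f"admin action: {action}"))
    return alerts
```

Each alert still needs an owner who responds to it; the detector only answers the "do any trigger alerts" half of the question.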
Every organization is facing new challenges in the WFH era, and hackers enthusiastically embrace these challenges as fertile new opportunities. If you want your employees and other collaborators to have cybersecurity they can take with them, you have to re-examine these basic tenets of ITSEC through the new lens of users being at home on uncontrolled and shared devices and networks. You will have to find ways to fence them in.