Dark Reading, 9/17/2020, 10:00 AM
Struggling to Secure Remote IT? 3 Lessons from the Office

The great remote work experiment has exacerbated existing challenges and exposed new gaps, but there are things to be learned from office challenges.

Businesses around the world are currently engaged in the largest remote working experiment in history. While COVID-19 may have been the catalyst for the transition to remote work, it has also inspired some of the world's largest enterprises to make the change permanent. Although this acceptance of remote work grants employees greater flexibility, it is not without serious challenges, including how best to comply with the California Consumer Privacy Act (CCPA).

While the pandemic has led to delays in mortgage payments, taxes, and other obligations, implementation of the CCPA has continued apace. Enforcement began in July 2020, and its civil penalties run into the thousands of dollars per violation. Unfortunately, organizations have never been less prepared to comply.

When we spoke to 100 IT decision-makers in January, nearly 70% said that their organization struggled with compliance because of fundamental weaknesses in IT operations and security. Those weaknesses made it hard to report a breach within 72 hours: just 45% said they were completely confident that they could meet that deadline. As many as a quarter of respondents said they were unsure how much sensitive data is even stored within their estates.

The great remote work experiment has exacerbated these existing challenges and exposed new gaps. In our latest survey of 1,000 CXOs and VPs, conducted in April and May 2020, respondents said that maintaining compliance with policy requirements, like CCPA, will continue to be the biggest hurdle to supporting employees as they work from home. Existing visibility gaps, like those created by the use of personal devices on corporate networks, have widened as people work from their living rooms with their own Wi-Fi networks or on unsecured devices. All of these factors increase the risks of noncompliance. 

So, in a remote work world, how can IT, security, and risk professionals ensure compliance? Strange though it may seem, there are three lessons to be learned from the challenges of the office.

1. Addressing the Root Cause
To prepare for the arrival of CCPA, business leaders told us they spent an average of $81.9 million on compliance during the last 12 months. Yet despite making investments in hiring (93%), workforce training (89%), and purchasing new software or services to ensure compliance (95%), 40% still felt unprepared for the evolving regulatory landscape. Why? Because the root causes were not addressed.

Perhaps their IT operations and security teams worked in silos, creating complexity and narrowing their visibility into their IT estates. Maybe their teams were completely unaware that other departments had introduced their own software into the environment. Or, more commonly, the organization used legacy tooling that wasn't plugged into the IT teams' endpoint management or security systems. These are just some of the root causes that keep organizations in the dark and exposed to attack.

While the transition to remote work was swift, it has presented businesses with an opportunity to face these issues head-on. As workforces continue to work remotely, CISOs and CIOs now have the chance to evaluate how they manage risk in the long term, which includes running continuous risk assessments and investing in solutions that deliver rapid incident response and improved decision-making. In doing so, they can restore the fundamental IT hygiene that effective risk management and regulatory compliance depend on.

2. Choosing Tools, Not Solutions
According to the organizations Tanium surveyed, US businesses ran an average of 38 discrete tools to manage their IT security and operations. As a new problem surfaced, a new tool was introduced to solve it. Unfortunately for most organizations, the result of so many tools isn't better visibility or better security but more confusion. When you have a problem, which solution do you turn to? When those sources present conflicting information, which one do you trust? 

The reason point tools have always failed, and are failing now, is that management, security, and compliance are all connected. Doing them well means not doing them in a vacuum. If you need to ensure compliance at the endpoint, that means implementing a comprehensive solution that addresses everything from discovery and patching to threat detection and response. That was true when the majority of employees were still working from an office, and it's even more true now that most of them are remote.

3. Ignoring the Role of IT Hygiene
Forty percent of US decision-makers we spoke to said that a lack of visibility and control of endpoints is one of the biggest barriers to maintaining compliance. But as many as 77% admitted to finding a previously unidentified endpoint on a daily or weekly basis. While there is no silver bullet for this problem, a renewed focus on IT hygiene would go a long way toward ensuring that all assets with access to the network are accounted for and that they can be monitored and remediated in real time.

That means creating a process to continuously identify assets, risks, and vulnerabilities across the computing environment and fixing them at speed and scale. Get this right and it could drive a virtuous cycle in the organization, preventing the breaches, outages, and service disruptions that affect so many organizations.

In turn, firming up IT hygiene helps bolster regulatory compliance efforts by reducing the chances of breaches and improving the organization's ability to spot and fix problems when they occur. Transparency and prompt action are looked upon favorably by regulators when assessing whether incident response processes are fit-for-purpose.

Supporting Compliance, Avoiding Disruption
More than 12 months before the pandemic hit, enterprises began preparing for CCPA and other compliance regulations by investing in talent and tools to achieve compliance. Yet poor IT hygiene and overtooling undermined their best efforts in the office. Now that they are faced with a completely decentralized workforce, the challenge is greater than ever. Satisfying the requirements of CCPA requires a strategy that authenticates the trustworthiness of devices within the network, ensures activity is monitored at all times for malicious behavior, and prioritizes complete visibility and control of all IT assets.

Chris Hallenbeck is a security professional with years of experience as a technical lead and cybersecurity expert. In his current role as CISO for the Americas at Tanium, he focuses largely on helping Tanium's customers ensure that the technology powering their business can ... View Full Bio