9/17/2020
10:00 AM

Struggling to Secure Remote IT? 3 Lessons from the Office

The great remote work experiment has exacerbated existing challenges and exposed new gaps, but there are things to be learned from office challenges.

Businesses around the world are currently engaged in the largest remote working experiment in history. While COVID-19 may have been the catalyst for the transition to remote work, it inspired some of the world's largest enterprises to make the change permanent. Although this acceptance of remote work grants employees greater flexibility, it is not without serious challenges, including how best to comply with the California Consumer Privacy Act (CCPA).

While the pandemic has led to delays in mortgage payments, taxes, and other obligations, implementation of the CCPA has continued apace. Enforcement began in July and its civil penalties run into the thousands. Unfortunately, organizations have never been less prepared to comply. 

When we spoke to 100 IT decision-makers in January, nearly 70% said that their organization struggled with compliance because of fundamental weaknesses in IT operations and security. At best, those weaknesses made it challenging for organizations to report breaches within 72 hours, with just 45% saying they were completely confident that they could meet the requirement. As many as a quarter of respondents said they were unsure how much sensitive data is even stored within their estates.

The great remote work experiment has exacerbated these existing challenges and exposed new gaps. In our latest survey of 1,000 CXOs and VPs, conducted in April and May 2020, respondents said that maintaining compliance with policy requirements, like CCPA, will continue to be the biggest hurdle to supporting employees as they work from home. Existing visibility gaps, like those created by the use of personal devices on corporate networks, have widened as people work from their living rooms with their own Wi-Fi networks or on unsecured devices. All of these factors increase the risks of noncompliance. 

So, in a remote work world, how can IT, security, and risk professionals ensure compliance? Strange though it may seem, there are three lessons to be learned from the challenges of the office.

1. Addressing the Root Cause
To prepare for the arrival of CCPA, business leaders told us they spent an average of $81.9 million on compliance during the last 12 months. Yet despite making investments in hiring (93%), workforce training (89%), and purchasing new software or services to ensure compliance (95%), 40% still felt unprepared for the evolving regulatory landscape. Why? Because the root causes were not addressed.

Perhaps their IT operations and security teams worked in silos, creating complexity and narrowing their visibility into their IT estates. Maybe their teams were completely unaware that other departments introduced their own software into the environment. Or more commonly, the organization used legacy tooling that wasn't plugged into the endpoint management or security systems of the IT teams. These are just some of the root causes that keep organizations in the dark and prone to exploits.

While the transition to remote work was swift, it has presented businesses with an opportunity to face these issues head-on. As workforces continue to work remotely, CISOs and CIOs now have the chance to evaluate how they effectively manage risk in the long term, which includes running continuous risk assessments and investing in solutions that deliver rapid incident response and improved decision-making. In time, they will restore fundamental IT hygiene for effective risk management and regulatory compliance.

2. Choosing Tools, Not Solutions
According to the organizations Tanium surveyed, US businesses ran an average of 38 discrete tools to manage their IT security and operations. As a new problem surfaced, a new tool was introduced to solve it. Unfortunately for most organizations, the result of so many tools isn't better visibility or better security but more confusion. When you have a problem, which solution do you turn to? When those sources present conflicting information, which one do you trust? 

Point tools have always failed, and are failing now, because management, security, and compliance are all connected. Doing them well means not doing them in a vacuum. If you need to ensure compliance at the endpoint, that means implementing a comprehensive solution that addresses everything from discovery and patching to threat detection and response. That was true when the majority of employees were still working from an office, and it's even more true now that most of them are remote.

3. Ignoring the Role of IT Hygiene
Forty percent of US decision-makers we spoke to said that a lack of visibility and control of endpoints is one of the biggest barriers to maintaining compliance. But as many as 77% admitted to finding a previously unidentified endpoint on a daily or weekly basis. While there is no silver bullet for this problem, a renewed focus on IT hygiene would go a long way toward ensuring that all assets with access to the network are accounted for and that they can be monitored and remediated in real time.

That means creating a process to continuously identify assets, risks, and vulnerabilities across the computing environment and fixing them at speed and scale. Get this right and it could drive a virtuous cycle in the organization, preventing the breaches, outages, and service disruptions that affect so many organizations.

In turn, firming up IT hygiene helps bolster regulatory compliance efforts by reducing the chances of breaches and improving the organization's ability to spot and fix problems when they occur. Transparency and prompt action are looked upon favorably by regulators when assessing whether incident response processes are fit-for-purpose.

Supporting Compliance, Avoiding Disruption
More than 12 months before the pandemic hit, enterprises began preparing for CCPA and other compliance regulations by investing in talent and tools to achieve compliance. Yet poor IT hygiene and overtooling undermined their best efforts in the office. Now that they are faced with a completely decentralized workforce, the challenge is greater than ever. Satisfying the requirements of CCPA requires a strategy that authenticates the trustworthiness of devices within the network, ensures activity is monitored at all times for malicious behavior, and prioritizes complete visibility and control of all IT assets.

Chris Hallenbeck is a security professional with years of experience as a technical lead and cybersecurity expert. In his current role as CISO for the Americas at Tanium, he focuses largely on helping Tanium's customers ensure that the technology powering their business can ...