Dark Reading is part of the Informa Tech Division of Informa PLC


9/17/2020
10:00 AM

Struggling to Secure Remote IT? 3 Lessons from the Office

The great remote work experiment has exacerbated existing challenges and exposed new gaps, but there are things to be learned from office challenges.

Businesses around the world are currently engaged in the largest remote working experiment in history. While COVID-19 may have been the catalyst for the transition to remote work, it inspired some of the world's largest enterprises to make the change permanent. Although this acceptance of remote work grants employees greater flexibility, it is not without serious challenges, including how best to comply with the California Consumer Privacy Act (CCPA).


While the pandemic has led to delays in mortgage payments, taxes, and other obligations, implementation of the CCPA has continued apace. Enforcement began in July and its civil penalties run into the thousands. Unfortunately, organizations have never been less prepared to comply. 

When we spoke to 100 IT decision-makers in January, nearly 70% said that their organization struggled with compliance because of fundamental weaknesses in IT operations and security. At best, those weaknesses made it challenging for organizations to report breaches within 72 hours, with just 45% saying they were completely confident that they could meet the requirement. As many as a quarter of respondents said they were unsure how much sensitive data is even stored within their estates.

The great remote work experiment has exacerbated these existing challenges and exposed new gaps. In our latest survey of 1,000 CXOs and VPs, conducted in April and May 2020, respondents said that maintaining compliance with policy requirements, like CCPA, will continue to be the biggest hurdle to supporting employees as they work from home. Existing visibility gaps, like those created by the use of personal devices on corporate networks, have widened as people work from their living rooms with their own Wi-Fi networks or on unsecured devices. All of these factors increase the risks of noncompliance. 

So, in a remote work world, how can IT, security, and risk professionals ensure compliance? Strange though it may seem, there are three lessons to be learned from the challenges of the office.

1. Addressing the Root Cause
To prepare for the arrival of CCPA, business leaders told us they spent an average of $81.9 million on compliance during the last 12 months. Yet despite making investments in hiring (93%), workforce training (89%), and purchasing new software or services to ensure compliance (95%), 40% still felt unprepared for the evolving regulatory landscape. Why? Because the root causes were not addressed.

Perhaps their IT operations and security teams worked in silos, creating complexity and narrowing their visibility into their IT estates. Maybe their teams were completely unaware that other departments introduced their own software into the environment. Or more commonly, the organization used legacy tooling that wasn't plugged into the endpoint management or security systems of the IT teams. These are just some of the root causes that keep organizations in the dark and prone to exploits.

While the transition to remote work was swift, it has presented businesses with an opportunity to face these issues head-on. As workforces continue to work remotely, CISOs and CIOs now have the chance to evaluate how they effectively manage risk in the long term, which includes running continuous risk assessments and investing in solutions that deliver rapid incident response and improved decision-making. In time, they will restore fundamental IT hygiene for effective risk management and regulatory compliance.

2. Choosing Tools, Not Solutions
According to the organizations Tanium surveyed, US businesses ran an average of 38 discrete tools to manage their IT security and operations. As a new problem surfaced, a new tool was introduced to solve it. Unfortunately for most organizations, the result of so many tools isn't better visibility or better security but more confusion. When you have a problem, which solution do you turn to? When those sources present conflicting information, which one do you trust? 

Point tools have always failed, and are failing now, because management, security, and compliance are all connected. Doing them well means not doing them in a vacuum. If you need to ensure compliance at the endpoint, that means implementing a comprehensive solution that addresses everything from discovery and patching to threat detection and response. That was true when the majority of employees were still working from an office, and it's even more true now that most of them are remote.

3. Ignoring the Role of IT Hygiene
Forty percent of US decision-makers we spoke to said that a lack of visibility and control of endpoints is one of the biggest barriers to maintaining compliance. But as many as 77% admitted to finding a previously unidentified endpoint on a daily or weekly basis. While there is no silver bullet for this problem, a renewed focus on IT hygiene would go a long way toward ensuring that all assets with access to the network are accounted for and that they can be monitored and remediated in real time.

That means creating a process to continuously identify assets, risks, and vulnerabilities across the computing environment and fixing them at speed and scale. Get this right and it could drive a virtuous cycle in the organization, preventing the breaches, outages, and service disruptions that affect so many organizations.

In turn, firming up IT hygiene helps bolster regulatory compliance efforts by reducing the chances of breaches and improving the organization's ability to spot and fix problems when they occur. Transparency and prompt action are looked upon favorably by regulators when assessing whether incident response processes are fit-for-purpose.

Supporting Compliance, Avoiding Disruption
More than 12 months before the pandemic hit, enterprises began preparing for CCPA and other compliance regulations by investing in talent and tools to achieve compliance. Yet poor IT hygiene and overtooling undermined their best efforts in the office. Now that they are faced with a completely decentralized workforce, the challenge is greater than ever. Satisfying the requirements of CCPA requires a strategy that authenticates the trustworthiness of devices within the network, ensures activity is monitored at all times for malicious behavior, and prioritizes complete visibility and control of all IT assets.

Chris Hallenbeck is a security professional with years of experience as a technical lead and cybersecurity expert. In his current role as CISO for the Americas at Tanium, he focuses largely on helping Tanium's customers ensure that the technology powering their business can ...
 
