Over the last few years, the modern office has evolved rapidly, with workforces becoming more mobile and geographically distributed than ever before. Even before COVID-19, modern enterprises were embracing the remote work model, and the average Fortune 500 company had more than 300 global office locations. Over the last few years — to attract and retain top talent who often list hybrid work as a priority — innovative companies have added even more emphasis on flexible workplaces. As we move past the worst of COVID-19, it doesn't seem we'll ever see a return to the pre-pandemic office. In fact, it's been estimated that by 2025, 70% of the workforce will work remotely at least five days a month.
To remain productive while working remotely, employees utilize many different cloud-based apps, such as Microsoft Teams and Monday.com. Though these apps are a boon for employee efficiency, their use has created challenges for IT departments and has opened new security vulnerabilities. To improve understanding of what's happening in their networks, IT professionals often rely on an increasing number of monitoring and management tools. Simultaneously, they must defend against hackers who relentlessly pursue new and dangerous attacks.
Even before the swift global adoption of remote work, enterprises faced rapidly rising cyber threats, including professionalization of hacking groups and increased ransomware and phishing attacks. Today, dispersed workforces have expanded threat surfaces, with highly sophisticated threat actors constantly exploiting challenges posed by remote work for financial gain, such as stealing intellectual property, carrying out supply chain attacks, and more.
Five Ways to Reduce Vulnerabilities
At SolarWinds, we've seen firsthand how the threat landscape has evolved. Below are just five steps we've taken as an organization we hope can help other IT departments reduce vulnerabilities and become secure by design:
1. Limit Shadow IT
Having control over and visibility into all parts of a network is critical. It means understanding what employees do and what data and resources they access. Unfortunately, dispersed modern workforces make this a particular challenge due to "shadow IT." Shadow IT essentially entails employees who use technologies or services — such as Dropbox or Google Workspace — the company IT department hasn't approved. Though using productivity apps like these may seem like a harmless practice on the surface, shadow IT inherently prevents teams from having control and visibility into their systems, which can result in loss of data and increased apps and services for attackers to target.
2. Adopt Zero Trust
As businesses embrace long-term hybrid and remote work policies, it's critical to monitor and secure not only a company's workforce but its resources and data. At its core, the zero-trust security model closely guards company resources while operating under the "assumed breach" mentality. This means every request to access company information or services is verified to prevent any unauthorized network access. Through policy management, multifactor authentication, and consistent network monitoring, enterprises can leverage zero-trust principles to prevent or flag unusual or unauthorized access to company resources based on user identity, location, and other key criteria. At a time when more employees are accessing more information in more geographies than ever, zero trust is a powerful tool to help improve visibility, effectively identify threats, and mitigate vulnerabilities.
3. Strengthen Software Development Processes
Though the majority of cyberattacks are aimed at stealing data, money, or intellectual property, software development companies must also defend against another unique threat: supply chain attacks. These attacks occur when hackers access and manipulate code capable of impacting users of the affected software. To help prevent and ensure resilience against attacks, the integrity of the software build process and environment must be of the utmost importance for software development companies.
At SolarWinds, we prioritized upgrading and strengthening our own software build process. One thing we learned and we believe other enterprises should adopt involves developing portions of software in multiple separate environments, each of which requires different security credentials to access. Creating code in these parallel, secure environments makes it more difficult for threat actors to obtain or corrupt a complete product. Companies can further strengthen their software development process by implementing dynamic environments, which are build locations automatically destroyed once their use is complete. These dynamic environments are key, as they eliminate the opportunity for attackers to infiltrate and remain inside a network.
4. Leverage Red Teams
Identifying vulnerabilities and assessing threats doesn't need to be a burdensome practice. One strategy enterprises can adopt to reduce the need for IT departments to identify each and every threat is employing the use of red teams, which hunt for vulnerabilities in a network and simulate attacks in real time. Some of these simulations include phishing campaigns or brute-force attacks. These red teams help keep IT employees' skills sharp, ensuring they're ready to adapt, stay a step ahead of bad actors, and thwart breach attempts. In addition to attempting intrusions, red teams also document each step of their process to break down attack methods and implement prevention techniques.
5. Make Your People Part of Your Defense
There's no doubt the technology and automated processes an enterprise employs are a huge part of remaining secure and preventing hacks and breaches. The many proven solutions security experts have developed to stop hackers are nothing short of extraordinary, but regardless of the technology available, a large amount of risk is still produced by humans and our behavior. To create a truly secure network environment, enterprises must treat every employee as though they're part of the security team. Companies should hold regular training sessions to ensure employees practice good cyber hygiene and keep up to date on the latest hacking methods.
Becoming "secure by design" is now a C-level priority and is no longer only a responsibility of the IT department. With the threat landscape rapidly evolving and the new reality that any business — large or small — can and will face new and sophisticated threats, community vigilance across the entire organization and industry at large is required to defend against these challenges.