This is a guest blog post by Žygimantas Kaupas, Information Security Expert at NordVPN.
With WFH/WFA (work from home / work from anywhere), focusing on the company perimeter alone is no longer sufficient. Companies need to take a much wider range of risks into account: unprotected home networks used for remote work, work tasks performed on personal devices, and even consumer IoT devices sharing those networks all create conditions for insecure access to sensitive data.
Securing data between the company and personal networks
– The average cost of a breach was $1.07M higher where remote work was a factor in causing the breach, compared to breaches where it was not.
– A prolonged delay between the breach and its public disclosure doesn't solve the problem; on the contrary, it can magnify the damage.
– Booking.com is an unfortunate example of how late reporting can cost you another half a million or so.
– There were 1,767 publicly reported breaches in the first six months of 2021, a 24% decline compared to the same period a year earlier. It's too early to celebrate: most likely this is just a result of postponed reporting, and a lower count doesn't reflect impact well. As a well-known example, a single SolarWinds compromise is far more devastating than any number of smaller ones.
– The good practices currently attracting the most attention are SASE (Secure Access Service Edge) and ZTNA (Zero Trust Network Access).
– The average cost of a breach was $1.76M lower at organizations with a mature zero trust approach, compared to organizations without it.
Balancing data security and day-to-day usability
Most company environments are complex and require employees to follow inconvenient security procedures. It's no secret that users will find a way to bypass them if they aren't aware of the potential security impact. Therefore you must communicate the security goals clearly from the very beginning. Here are some insights on how to balance your security requirements so that they're not excessive.
– Never trust, always verify: the slogan of the zero trust approach might sound like a real burden to the end user; however, if implemented correctly, it should be close to invisible and shouldn't negatively impact UX.
– The user's risk profile should be evaluated dynamically on every action, but additional user interaction should be required only when a potentially risky situation occurs, for example when activity beyond the user's regular behaviour baseline is detected: an unusual geographic location, a changed device status (corporate-owned vs. privately owned), OS status (jailbroken/rooted vs. intact), patch status, time of day, etc.
– Two-factor authentication and SSO increase your ability to verify users correctly. Keep in mind that SSO also concentrates risk in the identity provider, so that account and its recovery paths deserve the strongest protection.
– Breach and attack simulation (BAS) tools are emerging to provide continuous assessment of defensive posture, challenging the limited, point-in-time visibility of assessments such as penetration testing.
– Access to sensitive data should be gated by additional, risk-aware identity and access controls. The principle of least privilege is crucial for data security.
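As an added illustration of the dynamic, risk-aware evaluation described in this list (example code written for this post, not NordVPN's own product logic), here is a small Python policy evaluator. It compares an access request against a per-user baseline, adds a weight for each deviation it finds, and only asks for step-up verification or denies when the score crosses a threshold that depends on how sensitive the requested data is; everyday, in-baseline activity passes silently, which is the "close to invisible" behaviour the zero trust slogan promises. The signal names, weights, thresholds and the sample user baseline are all assumptions chosen for illustration.

```python
"""Risk-aware access decision (illustrative example, not a product implementation).

All weights, thresholds and the sample baseline below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Per-user 'normal' behaviour; in practice learned from history, here assumed."""
    usual_countries: frozenset   # ISO country codes the user normally connects from
    work_hours: tuple            # (start_hour, end_hour) on a local 24h clock


@dataclass(frozen=True)
class AccessRequest:
    user: str
    country: str
    device_owner: str            # "corporate" or "personal"
    device_rooted: bool          # jailbroken / rooted OS reported by device posture
    patch_days_overdue: int      # days since a required patch was due
    hour: int                    # local hour of day, 0-23
    sensitivity: str             # "public", "internal" or "confidential"


# Assumed weights: how much each deviation from the baseline adds to the risk score.
SIGNAL_WEIGHTS = {
    "unusual-location": 40,
    "personal-device": 20,
    "rooted-device": 50,
    "unpatched": 15,
    "off-hours": 10,
}

# Assumed thresholds: the more sensitive the resource, the less anomaly is
# tolerated before extra verification is requested.
STEP_UP_THRESHOLD = {"public": 80, "internal": 50, "confidential": 30}
DENY_THRESHOLD = 90


def risk_signals(req, base):
    """Return the baseline deviations observed in this request, in a fixed order."""
    signals = []
    if req.country not in base.usual_countries:
        signals.append("unusual-location")
    if req.device_owner != "corporate":
        signals.append("personal-device")
    if req.device_rooted:
        signals.append("rooted-device")
    if req.patch_days_overdue > 30:
        signals.append("unpatched")
    start, end = base.work_hours
    if not (start <= req.hour < end):
        signals.append("off-hours")
    return signals


def risk_score(signals):
    """Sum the weights of the observed signals."""
    return sum(SIGNAL_WEIGHTS[s] for s in signals)


def decide(req, base):
    """Return (decision, score, signals); decision is 'allow', 'step-up' or 'deny'."""
    signals = risk_signals(req, base)
    score = risk_score(signals)
    # Hard least-privilege rule, independent of the score: a rooted/jailbroken
    # device never reaches confidential data, however normal the rest looks.
    if req.device_rooted and req.sensitivity == "confidential":
        return "deny", score, signals
    if score >= DENY_THRESHOLD:
        return "deny", score, signals
    if score >= STEP_UP_THRESHOLD[req.sensitivity]:
        return "step-up", score, signals
    return "allow", score, signals


if __name__ == "__main__":
    # Constructed sample baseline and requests for one user.
    base = Baseline(usual_countries=frozenset({"LT"}), work_hours=(8, 19))
    samples = [
        AccessRequest("alice", "LT", "corporate", False, 0, 10, "internal"),
        AccessRequest("alice", "US", "corporate", False, 0, 10, "confidential"),
        AccessRequest("alice", "LT", "personal", True, 0, 10, "confidential"),
        AccessRequest("alice", "US", "personal", False, 45, 23, "public"),
    ]
    for req in samples:
        decision, score, signals = decide(req, base)
        print(f"{req.sensitivity:12} {decision:8} score={score:3} {signals}")
```

The point of the structure is that the score alone is not the policy: the rooted-device rule shows how a least-privilege constraint sits above the scoring so that no combination of otherwise normal signals can talk the evaluator into exposing confidential data from a compromised device. In a real deployment the baseline would be learned from telemetry rather than hard-coded, and the weights tuned against your own incident history.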
Keeping end-users aware and ready
Even though the newest security solutions do most of the work in the background without requiring any action from users, you still need to make sure that they have a strong basic understanding of cybersecurity do's and don'ts.
Encourage employees to follow at least a minimal set of security practices: multi-factor authentication, password managers, encryption tools, up-to-date devices, and common sense.
– One of the prevailing risks is credential stuffing, where credentials leaked from one service are replayed against others. Work and personal credentials must never be the same, but to make this practice stick, users must get into the habit of generating and storing unique credentials with a password manager.
– Phishing attacks are getting more sophisticated and harder to detect (for example, the many forms of Covid-19 phishing scams), so constant security training is a must. It should be interactive, engaging, and preferably customized for the end user (for example, using sample data related to a particular job role).
– Security incidents often require a fast response to reduce the negative impact. Employees should know the most critical security procedures by heart, without having to search internal portals or Slack channels for them. For example, if ransomware hits (and it does so frequently, as this criminal sector is booming) and an alert user spots it at a very early stage, they can greatly reduce the final impact on the organization.
As work from anywhere is here to stay, significant effort should go into emphasizing the importance of the work environment and of security habits. Public café Wi-Fi or a home network with a growing number of potentially unsafe IoT devices isn't protected in the same way as a trusted company network. Employees should clearly understand the potential risks and contribute to the company's effort to defend business and personal data against malicious use.