By: David Cummins, VP of EMEA, Tenable
Flexible working practices have grown in popularity since the start of the pandemic as U.K. employees were mandated to work from home. This trend will be further fuelled given the U.K. government’s recent announcement that all staff will have the right to request flexible working from their first day of employment, rather than having to wait until they’ve been in the role for six months. With hybrid remote work officially a long-term model, there are several challenges companies must face.
Over the last 18 months, organisations were forced to mobilise large percentages of their workforce. This saw the acceleration of digital transformation with new technologies introduced and working practices completely overhauled. However, despite the rise in technological advancements, most organisations were forced to prioritise productivity over security considerations.
Unfortunately, cybercriminals reacted quickly and capitalised on the insecure working practices that ensued. In fact, 90% of U.K. organisations experienced a business-impacting cyberattack[1] in the last 12 months, with 51% falling victim to three or more. This data is drawn from a commissioned study, conducted by Forrester Consulting on behalf of Tenable, that surveyed more than 1,300 security leaders, business executives, and remote employees worldwide. The study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, was conducted in April 2021 and also included 168 respondents in the U.K. Looking at the nature of these attacks, the study revealed that:
- 72% resulted from vulnerabilities in systems and/or applications put in place in response to the pandemic
- 68% targeted remote workers or those working from home
- 63% involved an unmanaged personal device used in a remote work environment
- 51% resulted from VPN flaws or misconfigurations
- 51% involved cloud assets
The impact on organisations was far from trivial: 36% said they had suffered a ransomware attack, while 33% reported the attacks resulted in a data breach.
Security for the new normal
The challenge is that legacy security approaches weren’t designed to handle an attack surface of the scope and complexity organisations now find themselves with. That said, it doesn’t mean game over. There are a few steps security teams can take to regain control:
A holistic approach: Organisations need the ability to see into the entirety of the attack surface — on-premises and in the cloud. In tandem, they need to determine where vulnerabilities exist and the impact if exploited.
All on the same page: Understanding the impact of exploited vulnerabilities requires business and security leaders to work in conjunction with each other. Security needs to understand the larger mission of the organisation and safeguard the tools and assets that enable staff to complete business-critical activity, while also ensuring important data is safeguarded.
Basic cyber hygiene: The vast majority of data breaches today are not sophisticated to the trained eye. In fact, the majority are due to known but unpatched flaws in applications and hardware. One example is Zerologon — it was initially fixed in August 2020 but, by the end of the year, featured in several government alerts and had been adopted by threat actors of various motivations and capabilities. By maintaining regular patching cycles, developing plans to address out-of-band patches and performing regular backups, the vast majority of threats can be neutralised.
Trust is earned: With many users working outside the physical perimeter, access management is critical. Attackers only need to compromise one machine to get access to Active Directory — a directory service developed by Microsoft for Windows domain networks that helps organise a company’s users, computers and more. Because the network is no longer bound by physical location and every remote employee is part of it, this would allow attackers to compromise not only the device, but the network too. The attacker could then leapfrog between accounts until they get administrative control, allowing them to pose as legitimate IT users, authenticate using valid credentials, create new accounts, change user access controls, escalate permissions and move from on-premises to Azure Active Directory in the cloud — all without being detected because they appear to be legitimate, trusted users.
Cybersecurity has been on the agenda for a while, but recent events highlight how critical it is that it be addressed as a business imperative. As companies prepare to indefinitely support a hybrid environment, with employees who are both office-based and remote depending on the day of the week, it’s crucial to align cybersecurity with business practice. Organisations must rethink how they define the risks they face, looking beyond software flaws and device compliance to achieve a holistic view of their dynamic and disparate environment.
[1] A business-impacting cyberattack is one which results in one or more of the following outcomes: loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.