CIOs and CISOs at organisations across the globe are currently dealing with an unprecedented challenge as they look for the best way possible to keep employees secure and productive. David Higgins, EMEA Technical Director, CyberArk, talks to Jess Phillips about how IT leaders can best adopt a proactive approach to cybersecurity to reduce their risk management concerns.
How have working practices shifted to an increase in remote access for employees and third-parties?
Within a few short weeks, ‘business as usual’ has become anything but. Millions of workers have shifted to remote work, been redeployed to focus on evolving business priorities, or face general uncertainty about their jobs. As IT teams work around the clock to execute Business Continuity plans, cyberattackers have been working just as hard and fast to exploit weaknesses in these dynamic and changing environments.
What are the security implications of this?
As the number of employees working remotely increases rapidly, providing them with secure access to company systems, applications and data from outside their employer’s corporate network at short notice can often result in complications.
Remote users requiring access to critical systems must rely on a combination of VPNs, MFA and remote access control solutions in order to authenticate and access what they need.
How much of a role does access play in enabling – or preventing – cyberattacks?
Traditional enterprise identity management systems and access control solutions, for example, are typically designed to authenticate company employees and corporate-owned devices in controlled environments. But what we are seeing at the moment is that a huge and unprecedented shift for previously office-bound employees to work from home has meant that IT security teams have had to adapt quickly to onboard new applications and services to support remote work; collaboration tools like Microsoft Teams, virtual private networks and the like.
Also, employees will, to a degree, be using their own unsecured personal devices to connect to corporate assets. Taken as a whole, these are much less controlled environments.
And attackers are specifically targeting this new situation, essentially taking advantage of what they see as a relatively easy way of accessing sensitive data. Cybercriminals can see three things that help them achieve this.
First, collaboration tools can be exploited to provide a route to the critical data and assets that every organisation has. This is a very real threat. CyberArk’s Labs team found an exploit in the Microsoft Teams collaboration tool that meant credentials could be stolen simply by sending an infected image to another user. We worked with them to close this security hole.
Secondly, more people are accessing sensitive commercial information from their home office, often from unsecured personal devices. This can provide an open door for attackers. VPNs are often used to access corporate systems and these have become popular targets for attackers who are looking to take advantage of insecure connections.
Moreover, many workers will be allowing their corporate laptops and other devices to be connected to the Internet by a family member while working from home. So the good security habits that might allow an employee to recognise and avoid a malicious website or phishing mail can be bypassed by this kind of behaviour.
Finally, in the shape of Coronavirus, attackers have a subject that is top of mind that they can use to their advantage. This means when, for instance, attackers try to get people to click on malicious websites or phishing emails to compromise credentials and gain access to corporate systems, they have a better chance of success.
What should organisations look for in a privileged access solution for third parties and remote workers?
Businesses can improve their risk posture by managing employees and applications’ access permissions once in the infrastructure and making sure third parties have trusted entry points into the organisation.
Then it’s a matter of keeping an eye on data flows, training the people who have access to these systems and having a clear overview of security practices across the supply chain. Ultimately, collaboration carries an element of risk, but it can be addressed by taking a consistent approach to security, replicating good practices amongst partner companies and reducing risk by ensuring greater visibility into activity during secured sessions, and having the ability to take an action to mitigate risk.
Privileged access management provides greater visibility of – and control over – remote access to enterprise networks, as more and more employees work remotely.
Businesses should look for platforms that employ biometrics, Zero Trust and just-in-time provisioning to reliably authenticate remote vendor access to the most sensitive parts of the corporate network.
In the current environment, where endpoint devices have disparate levels of security and the office environment can be a café, car or home office, cybersecurity needs to match the flexibility of modern working to best ensure Business Continuity.
How can organisations secure the ‘new normal’?
Staying ahead of known and emerging threats in this new landscape has added even more levels of complexity to an already complicated job. CIOs and CISOs at organisations everywhere are looking for the best way to handle these challenges while keeping employees safe and productive. As they navigate this ‘new normal’, there are three fundamental areas that are emerging as key priorities for security leaders across critical people, process and technology dimensions.
One is securing people. Attackers have launched a wave of phishing, ransomware and social engineering campaigns, taking advantage of the confusion and distraction. Some cyberattack attempts are seemingly work-related – like a phony email from IT asking the user to click on a link as part of a set-up process – while some make emotional appeals looking for support of a ‘noble cause’ use government stimulus or other financial incentives as the hook.
Secondly, devices and applications must be secured. Some employees were able to take their office computers home with them while others set up shop with their own technology. This surge in new and personal device use has created a host of new challenges, particularly for those organisations that did not have an existing BYOD policy in place. In the rush to get connected, misconfigurations abound and leaving new devices in their default (insecure) factory settings can put companies at risk. Attackers look for these situations to gain a foothold into the organisation.
Finally, connections and access must be secured. Many organisations face both security and availability challenges as hundreds of thousands of employees try to connect using virtual private networks (VPNs) to send and receive data.
Compounding the issue, employees logging into their VPNs are using home Wi-Fi networks, which are often unsecured, unmonitored and overloaded as multiple people try to work and learn remotely. Attackers can easily infect these Wi-Fi routers with malware, making all of the household’s connected devices vulnerable – from TVs and smart thermostats to cell phones and computers.
What advice would you offer CISOs looking to improve their strategies to enable a secure, smart workforce?
Organisations need to adopt a proactive rather than reactive approach to cybersecurity to reduce their risk management concerns. On an organisational level, this means training staff to think like an attacker and identify potential security vulnerabilities before they are exposed by outsiders with malicious intentions. From a proactive security perspective, engaging in Red Team services is a valuable exercise to simulate a cyberattack.
These ‘ethical hackers’ can exploit discovered vulnerabilities to penetrate company systems and networks and remain undetected for as long as possible to determine what sort of damage could be done under a real attack.
By doing this, organisations will not only discover how vulnerable they are to an attack, but it also gives them an opportunity to play out risk mitigation techniques and prioritise assets for protection. Knowing how an attack could impact the business and establishing a game plan for response is critical to gaining a greater understanding of risk exposure.