National Cybersecurity Awareness Month (NCSAM) is upon us again, but the pandemic makes this October like no other in the 17 years that cybersecurity firms and associations have used the month to prompt businesses to think about their approach to cybersecurity.
Companies have seen a massive shift in their workforces that impacts their security posture. The coronavirus pandemic has led to many employees working from home. At more than three-quarters of companies, most workers—more than 60%—are no longer in the office, according to a June survey by consulting giant PricewaterhouseCoopers. And even after the pandemic ends, most companies—55%—expect the situation to remain unchanged, the survey found.
The shift represents a cybersecurity conundrum for businesses and the teams that secure them, said Samuel Visner, director of the National Cybersecurity FFRDC (federally funded research and development center) at MITRE.
“People are involved in telework who didn’t do it before—telework that is not just sporadic, sending a few emails. Instead, people are online for the entire day. Before, the lack of a remote-work asset would be annoying. Now, it can completely stop the work.”
Keeping remote workers secure without impacting productivity has become a major goal for firms. Here are five steps to make it possible.
1. Keep up user education
Among the most important steps that any company can take is to educate executives, managers, and regular users on cybersecurity and the most common threats. Hardening a company’s employee base against social attacks, such as phishing or credential reuse, could make the attacker’s job more difficult in more than half of incidents that would otherwise lead to breaches. Phishing and stealing credentials are techniques used in more than 40% of successful breaches, according to Verizon’s Data Breach Investigations Report (DBIR).
Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, said in a statement kicking off the National Cyber Security Alliance’s summit on cybersecurity in early October that “the vast majority” of attacks are not just targeted at people; they require human interaction to succeed.
“Cybersecurity really is a people problem as much as a technical problem.”
Using gamification, granting credentials, and tracking metrics can help make any security-awareness campaign more effective.
2. Include connected devices in security plan
With the majority of office workers doing their jobs from home, the model for security has changed. Employees’ technologies and habits are now a more critical factor in a company’s cybersecurity posture. Organizations need to make sure that the networks they provision for their employees working at home really do have security features built in, said MITRE’s Visner.
Part of that is taking into account the varied types of devices on most home networks. Home networks require a more comprehensive approach to security to take into account their diversity, from printers to smart TVs to thermostats.
The networks that we have outside of the office, which are connected to the enterprise systems at your company, at your university, at your government agency—they may be connected to your thermostat or to devices that do not have security built in, Visner said.
“We are going to have to address all the traditional cybersecurity questions that are important to us in the context of a mixed environment, in which the enterprise for which you work controls some but not all of that infrastructure, and you, the user, are responsible for the rest.”
3. Use zero trust to secure the distributed workforce
In 2014, Google wrote a paper on BeyondCorp, its zero-trust security model. The paper came after two major shifts in business weakened the traditional castle-and-moat security model: More applications had moved to the cloud, leaving behind the castle walls, and attackers had found ways to breach the moat by phishing or other social engineering scams.
Companies are now realizing that the model is really broken, said Matthew Prince, CEO of cloud-infrastructure firm Cloudflare.
“It was broken in 2014, but 2020 really has shown it’s not a sustainable model going forward. In addition to those two pieces, you now have nobody working from inside the castle. So your secrets aren’t inside the castle anymore, your security is all dependent on a moat, and now you have all these people working remotely, you have to open up a whole bunch of drawbridges across the moat, and that makes the security even harder.”
Adopting zero-trust processes and technology that continuously evaluate users’ and devices’ access to data and systems can help companies continue to operate securely, even when their applications, data, and users are no longer in an office.
4. Move from device identity to behavior monitoring
With employees out of the office, a key component of zero trust is taking a census of connected devices and monitoring their use of applications, data, and cloud services. Once a device has an identity in the system, its appropriate rights and privileges can be determined depending on which user it is associated with. In addition, behavioral monitoring of users becomes a possibility.
Depending on the actions of the device or user, many types of attacks can be blocked, said Robert MacDonald, director of solutions marketing at Micro Focus.
“Putting them under management is not enough. You have to look at the relationships those devices have with each other. If my device is accessing the network from China, that is not right, because the company knows that I’m in Ottawa.”
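As an added illustration (not from the article or any vendor quoted in it), the sketch below shows how steps 3 and 4 fit together: each request is re-evaluated against a device census, the rights of the user the device is bound to, and a simple location check. The inventory, user names, app names and the "challenge" outcome are hypothetical assumptions, and the events are constructed sample data.

```python
from dataclasses import dataclass

# Constructed device census: device ID -> bound user, managed flag, expected country.
# All identifiers and values here are hypothetical sample data.
INVENTORY = {
    "lt-0142": {"owner": "alice", "managed": True, "home_country": "CA"},
    "lt-0977": {"owner": "bob", "managed": True, "home_country": "US"},
}

# Rights follow the user the device is associated with (hypothetical apps).
USER_RIGHTS = {
    "alice": {"crm", "wiki"},
    "bob": {"wiki"},
}

@dataclass
class AccessEvent:
    device_id: str
    user: str
    app: str
    country: str  # geolocated source of the request

def evaluate(event: AccessEvent) -> tuple[str, str]:
    """Re-evaluate one request; return (decision, reason)."""
    device = INVENTORY.get(event.device_id)
    if device is None:
        return "deny", "device not in census"
    if not device["managed"]:
        return "deny", "device not under management"
    if device["owner"] != event.user:
        return "deny", "device is bound to a different user"
    if event.app not in USER_RIGHTS.get(event.user, set()):
        return "deny", "app outside the user's rights"
    if event.country != device["home_country"]:
        # Behavioural signal: known device and user, unexpected location.
        return "challenge", "location does not match expected country"
    return "allow", "identity, rights and behaviour consistent"

# Constructed events, checked per request rather than once at login.
EVENTS = [
    AccessEvent("lt-0142", "alice", "crm", "CA"),
    AccessEvent("lt-0142", "alice", "crm", "CN"),
    AccessEvent("lt-0977", "bob", "crm", "US"),
    AccessEvent("lt-5555", "bob", "wiki", "US"),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.device_id, e.user, e.app, e.country, "->", *evaluate(e))
```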
5. Check your supply chain
Finally, companies should verify their software supply chain, especially on the development side. The average application has 445 components, and 91% of applications have at least one outdated or abandoned component, according to software security firm Synopsys.
While a trusted information architecture is critical for cybersecurity, you have to be able to trust your software and hardware as well, said MITRE’s Visner.
“Security requires that you are making sure that your hardware and software are secure, understanding the supply chains, and identifying vulnerable software components and patching them.”
Stay aware all year
While National Cybersecurity Awareness Month ends on October 31, organizations should constantly revisit and review every aspect of their security programs, said Micro Focus’s MacDonald.
“While we have a month dedicated to cybersecurity, it is something that never ends. It is something that we have to pay attention to every hour and every minute, and it is forever changing. But the basic requirements or best practices still remain the same.”