As lockdowns end, many organizations are beginning to return to normal and move their staff back to offices. Unfortunately, for IT security professionals, this return is not likely to be smooth, as our cyber-reality has changed dramatically over the last five months. With a phenomenal increase of 350 percent in phishing attacks during the pandemic, adversaries have gained significant experience in how to access organizations’ systems and steal sensitive data. At the same time, the complexity of organizational IT environments has increased due to the pandemic, making it even more challenging for IT security professionals to ensure adequate defense. In addition, the majority of organizations are implementing a hybrid-working format: Gartner states that 82 percent of company leaders plan to allow employees to work remotely at least some of the time, which means employees may be using unprotected devices. Therefore, it has never been as important as it is today for IT security professionals to manage and protect digital access and secure sensitive data. This is particularly challenging for SMBs, since they have limited resources compared to enterprises yet face threats of a similar scale.
Why is it challenging to secure access in the post-lockdown world?
Today, the volume of phishing attacks is growing exponentially. As we know from the 2018 Verizon Data Breach Report, even in pre-pandemic circumstances, at least 4 percent of employees always click on malicious links sent to them via email; during the current crisis conditions, this number has been much higher. Such emails vary widely, from fake HR notes about updates to working policies to fake notifications about free Covid-19 testing. As most people lack adequate information about the global health crisis, they are more likely to react to emails that promise this information, meaning that they may click on a malicious link and install malware, or share credentials with criminals. What’s worse, even if an organization has not itself fallen victim to a phishing attack, it might yet suffer because of credentials and information compromised during other data breaches, as people often reuse their passwords across different systems.
The rapid digitalization of business processes has made the task of protecting digital access even more challenging. The first aspect of this is the rapid adoption of cloud applications, which may be accompanied by some level of risk, as any fast implementation of a new system often comes with a lack of expertise and proper security planning. The second aspect is the rapid move to a remote working format, which has meant that many organizations have had their internal systems exposed to the internet. For example, the latter is what happened to Twitter – hackers got access to the company’s helpdesk system, which had previously been available only from the intranet but became accessible from the public internet without some critical access controls, due to a lack of security amid the pandemic. Finally, the “hybrid working” format is technically even trickier than a traditional work-from-home model, since it assumes a wider variety of possible scenarios of user behavior. With a 100 percent remote model, IT teams could assume that all employees would access the organization’s systems via VPN and treat internal access attempts as suspicious; now, they need to establish baselines for both types of activity, as employees combine working in the office and remotely.
Best practices to secure digital access for a “hybrid organization”
A good recommendation to ensure an organization is prepared for opportunistic attacks is to implement multi-factor authentication (MFA) for all employee accounts. However, MFA is easy to recommend but often hard to roll out. According to a recent survey, SMBs are still unable to implement this technology organization-wide: in companies with 26 to 100 workers, only 34 percent of employees use MFA; for businesses with up to 25 workers, only 27 percent use MFA. Yet the following set of basic measures may help an organization of any size, if not to eliminate the threat of intrusion completely, then to stop it at an early stage, before it leads to a data breach.
1. Know your data. The bigger the IT infrastructure, the more important it is for an organization to gain visibility into sensitive data on-premises and in the cloud, and to be able to secure it consistently. For that, it is necessary to establish a process to identify sensitive data and its types and to separate it from non-sensitive data; to define the secure locations where it should be stored; and to discover any sensitive data outside of those expected locations.
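The discovery step described above, as an added example that is not part of the article or any Netwrix product: it classifies text by sensitive data type (payment card numbers validated with the Luhn checksum, US-style SSNs) and reports files holding such data outside the location approved for that type. The approved locations, file paths and file contents are constructed for the demo.

```python
"""Added example (not from the article): classify content by sensitive data
type and flag files that hold it outside the approved storage location.
All paths, contents and approved locations below are constructed."""
import re

# Approved storage location per data type (assumed for the demo).
APPROVED_LOCATIONS = {
    "payment_card": ["/srv/finance/"],
    "ssn": ["/srv/hr/"],
}

# 13-16 digits with optional space/dash separators, not part of a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random digit runs from real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive data types found in the text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("payment_card")
    if SSN_RE.search(text):
        found.add("ssn")
    return found


def scan(files: dict) -> list:
    """files maps path -> content. Returns (path, type) pairs for sensitive
    data stored outside the location approved for that type."""
    findings = []
    for path, content in files.items():
        for dtype in sorted(classify(content)):
            if not any(path.startswith(loc) for loc in APPROVED_LOCATIONS[dtype]):
                findings.append((path, dtype))
    return findings


# Constructed sample corpus; the card number is the well-known Luhn-valid
# test value, not a real account.
SAMPLE_FILES = {
    "/srv/finance/q2-refunds.csv": "order,card\n1042,4111 1111 1111 1111\n",
    "/home/alice/Downloads/export.csv": "order,card\n1042,4111 1111 1111 1111\n",
    "/srv/shared/notes.txt": "call back ref 1234 5678 9012 3456\n",
    "/srv/shared/onboarding.txt": "new hire SSN 123-45-6789\n",
}

if __name__ == "__main__":
    for path, dtype in scan(SAMPLE_FILES):
        print(f"{dtype} found outside approved location: {path}")
```

The finance export in its approved directory is silent, the same export copied to a home directory is reported, and the notes file is not reported because its digit run fails the Luhn check. In practice the classifier would be run over a file share or cloud bucket listing, and the approved-location table would come from the data classification policy.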
2. Enhance your detection capabilities. Intrusions are typically accompanied by anomalies in user behavior. For example, when hackers break into an organization’s Active Directory (AD) system, they escalate privileges so that they have access to all of the resources they need, and then they may download or modify large amounts of data in a short time. It is important that an organization has technologies that are able to develop baselines of normal user behavior and to flag anomalies.
It is also important that these baselines are revised when organizations begin to implement hybrid working models; the resulting changes in typical user behavior would otherwise generate a large number of false positives. Unfortunately, these technologies may be expensive, so SMBs should look for more affordable managed detection and response services.
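The baseline-and-anomaly logic, and the baseline revision that a move to hybrid working requires, as an added example that is not part of the article or any product: per-user baselines (typical access origins and daily file-access volume) are built from constructed log lines for a fully remote period, then applied to a hybrid period, where office logins trip the stale baseline while a 3000-file day is the only genuine anomaly. The log format and the three-standard-deviation threshold are assumptions for the demo.

```python
"""Added example (not from the article): per-user behavioural baselines,
anomaly flagging, and the baseline refresh needed for hybrid working.
Log lines are constructed: date, user, access origin (vpn|office),
number of files touched that day."""
import statistics
from collections import defaultdict

REMOTE_PERIOD = """\
2020-07-01 alice vpn 40
2020-07-02 alice vpn 35
2020-07-03 alice vpn 45
2020-07-06 alice vpn 38
2020-07-07 alice vpn 42
"""

HYBRID_PERIOD = """\
2020-09-01 alice office 41
2020-09-02 alice vpn 37
2020-09-03 alice office 44
2020-09-04 alice vpn 39
2020-09-07 alice office 3000
"""


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        date, user, origin, count = line.split()
        events.append({"date": date, "user": user,
                       "origin": origin, "files": int(count)})
    return events


def build_baseline(events: list) -> dict:
    """Per user: the set of origins seen and mean/stdev of daily volume."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        volumes = [e["files"] for e in evs]
        baseline[user] = {
            "origins": {e["origin"] for e in evs},
            "mean": statistics.mean(volumes),
            "stdev": statistics.pstdev(volumes),
        }
    return baseline


def flag_anomalies(events: list, baseline: dict, k: float = 3.0) -> list:
    """Alert when the origin was never seen for this user, or the daily
    volume exceeds the user's mean by more than k standard deviations."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e["date"], e["user"], "unknown user"))
            continue
        if e["origin"] not in b["origins"]:
            alerts.append((e["date"], e["user"], f"new origin {e['origin']}"))
        if e["files"] > b["mean"] + k * b["stdev"]:
            alerts.append((e["date"], e["user"], f"volume {e['files']}"))
    return alerts


def revise_baseline(history: list, recent: list, learning_days: int) -> dict:
    """Rebuild the baseline from history plus an analyst-chosen learning
    window of the new working pattern, so office activity becomes normal."""
    return build_baseline(history + recent[:learning_days])


if __name__ == "__main__":
    remote, hybrid = parse(REMOTE_PERIOD), parse(HYBRID_PERIOD)
    stale = build_baseline(remote)
    print("stale baseline:", flag_anomalies(hybrid, stale))
    revised = revise_baseline(remote, hybrid, learning_days=4)
    print("revised baseline:", flag_anomalies(hybrid, revised))
```

With the stale remote-only baseline every office day is an alert (three false positives) alongside the real volume spike; after re-learning on the first four hybrid days only the 3000-file day remains. The learning window is a deliberate analyst decision: blindly folding all new activity into the baseline would also absorb the spike.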
3. Continuously educate your employees on cyber hygiene. It is important that cyber security awareness training is regular. Such training sessions might range from virtually free tools, such as a newsletter from the IT security team, to advanced training programs. The key to success is to make education relevant: IT teams should come up with recommendations that are tailored to an employee’s everyday job and are based on the real threats the organization faces.
4. Establish a secure VPN connection and regularly patch your network devices. As a significant proportion of remote workers remains in most organizations, having a secure VPN is fundamental. An important step is to restrict what the VPN can reach to a particular host or subnet, such as a monitored corporate device or a terminal server managed by the IT team. In this case, if hackers compromise an employee’s device, they land in a subnet with limited access rather than in the whole corporate network with its critical servers, and have to make further efforts to break into the rest of the company. Patching is another critical step that organizations should not forget when they quickly change their working policies in line with constantly changing public health advice.
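The segmentation rule above, as an added example that is not part of the article or any product: a VPN client pool is allowed to reach only a monitored jump/terminal subnet, and firewall connection records are audited for VPN clients that nevertheless reached the corporate network directly, which is exactly what the restriction should prevent. The address ranges, log format and log lines are constructed.

```python
"""Added example (not from the article): audit firewall connection records
from a VPN client pool against a policy that lets VPN users reach only a
monitored jump subnet. All addresses and log lines are constructed."""
import ipaddress

VPN_POOL = ipaddress.ip_network("10.8.0.0/24")              # assumed VPN client range
ALLOWED_FROM_VPN = [ipaddress.ip_network("10.10.5.0/24")]   # assumed jump/terminal subnet


def decide(src: str, dst: str) -> str:
    """Policy decision for one flow: 'allow' only for VPN clients reaching
    the jump subnet; 'deny' for any other destination; 'not-vpn' otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in VPN_POOL:
        return "not-vpn"
    if any(d in net for net in ALLOWED_FROM_VPN):
        return "allow"
    return "deny"


def audit(log: str) -> list:
    """Return (src, dst, dport) for flows the firewall accepted although the
    policy says a VPN client must not reach that destination. With the
    restriction enforced, this list is empty."""
    violations = []
    for line in log.splitlines():
        src, dst, dport, action = line.split()
        if decide(src, dst) == "deny" and action == "ACCEPT":
            violations.append((src, dst, int(dport)))
    return violations


# Constructed records: source, destination, destination port, firewall verdict.
SAMPLE_LOG = """\
10.8.0.15 10.10.5.10 3389 ACCEPT
10.8.0.15 10.20.1.7 445 ACCEPT
10.8.0.22 10.10.5.10 22 ACCEPT
10.8.0.22 10.20.3.40 1433 DROP
192.168.1.5 10.20.1.7 445 ACCEPT
"""

if __name__ == "__main__":
    for src, dst, dport in audit(SAMPLE_LOG):
        print(f"VPN client {src} reached {dst}:{dport} outside the jump subnet")
```

Only the SMB connection from 10.8.0.15 straight into the 10.20.0.0/16 corporate range is reported: the RDP and SSH sessions to the terminal server are the intended path, the dropped SQL attempt shows the rule working, and the office workstation is outside the VPN pool and not subject to this policy.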
5. Review configurations for cloud services in use and tighten security controls. Cloud service providers are constantly evolving the protection and detection capabilities of their platforms and applications in response to new threats. Often, you need to explicitly turn on or configure the new functionality. Staying aware of the new controls available from providers and reviewing configurations periodically is crucial for data security.
Given the complexity of the challenges IT teams face today, the best recommendation is to embrace a Zero Trust model, which is based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter. With all the uncertainty the world is facing today, continuous vigilance is the only way to manage the risk of unauthorized access to an organization’s systems.
Ilia Sotnikov, VP of Product Management, Netwrix