According to the Office of National Statistics in 2019, more than 50 per cent of the UK workforce will be working remotely this year. With remote working now essential for many businesses to maintain operations, this is likely to be a considerable underestimate. Unfortunately, it’s a fact of life that wherever any business travels, cyber-threats follow. The sudden move to a predominantly remote working profile has introduced several new attack surfaces and a new threat landscape for most organisations. Strengthening an organisation’s security posture to mitigate these threats will demand a holistic approach to cybersecurity within the key disciplines of technology, processes and people.
A world of opportunity
The current situation provides a fertile ground for attackers, as previously hardened attack surfaces have evolved almost overnight, while attackers attempt to take advantage of the general population’s areas of concern and appetite for more information. On one hand, many businesses have had to adopt new products and services without the time to fully test their capabilities and limitations, or compile best practice guides. This could leave a number of weaknesses and potential hazards undetected. On the other, employees working from home are now operating as the organisation’s front line of security – with the stress and chaos of the current situation creating many more susceptible targets for phishing, mobile device interception and other forms of social engineering.
The move to remote working, and the need to share data online, also means that previously reliable airgaps may have eroded or been compromised. For now, the balance of power has shifted in favour of attackers, and there is no single silver bullet that will protect the organisation. Instead, security demands a top-down approach, involving the entire business.
Going beyond technology
For most organisations, selecting and deploying the most effective and efficient security controls and technology has been a top priority. However, an investment in technology also means investing in the policies, processes and skills needed to harden security posture. For instance, SIEM technology and event management dashboards identify and interrogate potential threats via external sources and across the entire organisation, so that security teams can contain and mitigate threats or lateral movement with prompt action. However, without processes in place to identify what constitutes an actionable threat and what actions to take, alongside skilled analysts, security teams will either miss potential threats or find themselves overwhelmed by alerts.
Implementing technology still takes time, even in a situation where there is huge pressure from across the business to act quickly. Organisations are already making mistakes – for example, we have seen some organisations spin up virtual firewalls to facilitate secure remote access and route a new wave of remote communication traffic. However, pressure to focus on immediate business continuity needs means organisations have often failed to ensure that existing security solutions address the new infrastructure operating profile, or that they are configured and patched correctly. Similarly, implementing a technology without assessing and situationally stress testing the wider implications across an IT estate can result in an erosion of the overall security posture.
For instance, implementing Security Incident and Event Management solutions to improve organisational security posture makes perfect sense. But this must be balanced with the correct managed service needs to ensure that these solutions deliver value without the need for significant resource investments. Without selecting the correct tools and supporting services, inexperienced organisations could be subject to vast fluctuations in their security budget to maintain security within an incident scenario. This in turn can lead to an inability to uplift resources to manage associated alert fatigue, and an overall reduction in their security investment’s performance as budgetary reduction options focus on data ingestion. Ultimately, this harms the resulting security posture.
Due diligence in processes
Many organisations have been caught off guard by the current situation because business continuity and disaster recovery plans and processes didn’t take into account such a sudden need for home working. Indeed, in January Forrester suggested that current business continuity planning didn’t go far enough, instead tending to only focus on a limited number of common scenarios, such as IT failure or extreme weather. As a result, processes have often been updated after the fact instead of already being in place.
With the initial shockwave and emergency recovery efforts complete, there should now be time for a more in-depth review of processes to ensure they match security policies with the reality of working from home. For example, if the organisational policy is no internet access from unsecured connections, processes need to reflect this – such as mandating that employees must always connect to a secure VPN before accessing the internet.
Finally, the organisation needs the skills and understanding to recognise and act against the new threats remote working has introduced. This doesn’t only apply to the security team, but to every employee who may now face the pressure of being a potential attack point. For instance, if it wasn’t already, educating employees on the danger of phishing and ransomware attacks, and how to identify a potentially dangerous message, has to be a priority. Similarly, if the organisation’s SIEM is now identifying and reporting different threats because of an increase in home working, security teams need to know how to identify and triage these.
At the same time, even the most security-conscious employees need to understand how the risks they face, and processes they have to follow, have changed. If senior members of staff can no longer easily share confidential documents over a secure network, they need to be made aware of this – and to be quickly given other ways of sharing information so that the business can still operate.
Building a strong ecosystem
Technology cannot operate without the right processes and skills. Following processes demands the right skills and technology. And skills need to operate in a framework of technology and processes. Acting to maintain the balance between all three isn’t only essential in the immediate situation. As Forrester notes, it will also help organisations prepare for equally serious events in the future. Organisations should look at every means – including managed services or outsourcing – to maintain this balance, and make sure that whatever partners they choose have the experience and certifications the business needs. Otherwise there is a real risk of being unable to maintain security posture during business-as-usual, let alone when extreme events or critical incident response scenarios strike.
Charlotte Davis, Cyber Security Practice Lead UK & EMEA, Insight