Prior to the pandemic, experts estimated that 5.2% (1.7m) of UK employees worked from home for the majority of time. According to research from CIPD this is expected to rise to 22% (7.2m), post-pandemic (2021) and is only set to rise further and faster into the future.
Analysis of cyber claims data shows that 63% of cyber incidents are caused directly by employees, through accidental disclosure, social engineering scams, inadvertent ransomware infections, and malicious intentional behaviour. The lack of direct physical oversight of remote employees only compounds these problems.
As the attack can be just as much psychological as physical, corporate IT security needs to account for any form of attack, from any source, delivered in any way. Tools need to be put in place that protect information assets from unauthorised access, corruption or misuse if the business is to be secured.
Security is only as good as the weakest link in the chain, which begins with the employee (or any user access) remote from the business and then:
- Facilities and function of the laptop, workstation, or mobile device
- Locally installed software and data
- Access to the Internet (home network or public/private WiFi & router)
- The Internet itself (as this is a public infrastructure)
- Host site, and corporate infrastructure or third party hosting infrastructure
- Servers, Applications and Data
Workstation and Installed Applications
End-to-End Encryption (E2EE) will not protect against someone inviting the threat onto their own device by visiting a rogue website or installing malware. The simplest way to avoid these breaches is a locked-down ‘standard operating environment’ (SOE), but while this seems simple, many companies avoid it because it can increase support calls and prevents the end user changing their laptop in any way. A new Windows 10 feature, implemented in partnership with device manufacturers, is the ‘Secured-core’ PC, which is intended to make it virtually impossible for malware to be active or for the operating system to be corrupted.
Internet access to corporate/hosted infrastructure
Some of these issues can be solved with E2EE: between the encrypted end points it is virtually impossible to gain access. However, most products only encrypt the transmission and leave the device, applications and data vulnerable. Some applications, such as WhatsApp, have built-in E2EE, which means the communication cannot be intercepted by other software on the device before it starts to be transmitted. Therefore the boundary of the E2EE is critical to understanding what other security measures need to be in use.
Corporate & hosted servers, apps and data
Corporate assets have always been vulnerable to sophisticated hackers because current security generally operates on a ‘trust but verify’ approach: passwords, codes and two-factor authentication are the prevalent verification methods, but once inside the perimeter the crown jewels are open and on offer.
Current core security needs to be augmented with a ‘Zero Trust Architecture’. Zero trust aims to remove implicit trust from every activity: every device, user (including employees) and network flow, internal as well as external, is authenticated and authorised. Policies must be dynamic and calculated from as many sources of data as possible, which may include dongles, location services and network addresses in addition to usernames, passwords and two-factor authentication. Trust is then purely policy based, and if the policy is set correctly, valid access is easy and hostile access considerably more difficult.
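To make the contrast concrete, here is an added illustration (not from the article or any vendor) of the two models as access-policy functions: a perimeter check that trusts any accepted password arriving from the internal network, beside a zero-trust check that evaluates credential, second factor, device posture and location on every request. The network prefix, allowed country, resource names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Policy constants are constructed for this illustration, not taken from the article.
CORP_NET_PREFIX = "10.0."                      # "inside the perimeter" in the legacy model
ALLOWED_COUNTRIES = {"GB"}                     # location-service signal
HIGH_SENSITIVITY = {"payroll", "source-code"}  # the crown jewels

@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool     # password verified
    mfa_ok: bool          # second factor verified
    device_managed: bool  # device enrolled and reporting a compliant build
    source_ip: str        # network-address signal
    country: str          # location signal
    resource: str         # what is being requested

def trust_but_verify(req: AccessRequest) -> bool:
    """Perimeter model: a password accepted from inside the corporate network
    unlocks everything behind the perimeter; only outside connections get MFA."""
    if not req.password_ok:
        return False
    if req.source_ip.startswith(CORP_NET_PREFIX):
        return True
    return req.mfa_ok

def zero_trust(req: AccessRequest) -> tuple[bool, list[str]]:
    """Policy model: every request, internal or external, is checked against all
    signals and network location earns no trust by itself. Returns the decision
    and the names of the failed checks so a denial can be logged and alerted on."""
    failed = []
    if not req.password_ok:
        failed.append("credential")
    if not req.mfa_ok:
        failed.append("mfa")
    if not req.device_managed:
        failed.append("device-posture")
    # Sensitive resources add a location requirement on top of the baseline checks.
    if req.resource in HIGH_SENSITIVITY and req.country not in ALLOWED_COUNTRIES:
        failed.append("location")
    return (not failed, failed)

# Constructed sample requests: a stolen password used from a foothold on the LAN,
# and a genuine remote employee on a managed laptop at home.
INSIDER_FOOTHOLD = AccessRequest("alice", True, False, False, "10.0.5.23", "GB", "payroll")
REMOTE_EMPLOYEE = AccessRequest("alice", True, True, True, "198.51.100.7", "GB", "payroll")

if __name__ == "__main__":
    for name, req in (("foothold", INSIDER_FOOTHOLD), ("remote", REMOTE_EMPLOYEE)):
        print(name, "perimeter:", trust_but_verify(req), "zero-trust:", zero_trust(req))
```

The perimeter model admits the LAN foothold on the strength of the password alone, while the zero-trust policy denies it and names the missing second factor and device posture, which is exactly the signal a detection team wants to see.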
Article by: Nigel Hughes