Protecting a distributed workforce
In recent years, enterprise leaders have found themselves frequently debating the merits of remote working. Doing their job remotely has, for some, been the norm for a while. Technology’s certainly blurred the line between professional life and home life. But the majority of employees have still used – and embraced – offices and working spaces.
Since the outbreak of the coronavirus, that normality has been shattered. Government measures in affected countries have led to the temporary shutdown of offices, resulting in millions of people forming possibly the largest distributed workforce we will ever see. Almost overnight, the “working from home” movement has had its revolution. There’s a school of thought that says the way we work has changed forever.
But with such sudden disruption come daunting challenges. Companies of all sizes are scrambling to facilitate remote working for nearly all of their employees all of the time, rather than for some employees some of the time. And in IT and technology, one of the hottest topics of the COVID-19 era is security. Releasing workers and their devices from the safe haven of a core network raises obvious security concerns.
Chris Hodson is a published author on cyber risk management and has occupied both the end-user and vendor security worlds. As Chief Information Security Officer (CISO) for security and IT management firm Tanium, Hodson is well aware of the issues confronting his industry as businesses do whatever it takes to maintain operational continuity while protecting their workers.
“It’s a real dichotomy, it’s a real challenge for CISOs at the moment,” he tells Digital Bulletin in an exclusive interview.
“If you think about what we do, CISOs aren’t there to implement malware sandboxes, antivirus software and patching solutions – we’re there to give visibility of risk, to be able to advise leaders of potential upcoming incidents that could affect their ability to execute on business strategy. Now we’re working remotely, all we can do in many situations is provide guidance to business leaders on how amending your security posture could have negative repercussions.”
Hodson is referring to the temptation for business leaders to put security low among their priorities as they instead focus on keeping their workforce engaged and the cogs of business turning.
He continues: “The CISO is left in this really uncomfortable situation where: do I tell my business that we’re not going to allow a concession in security posture to facilitate business operations? I don’t know any CISO who wants to be in that situation. You don’t want to say no, all you can really do is advise of the challenges and the increased risk of not having visibility of all your assets.
“The CISO is having to think incredibly quickly. Do we make time-bound, risk-based calls on reducing or amending security postures? Or do we have to shift from a preventative model to focusing more on detection and response?”
The main challenges arise from taking devices out of the network, along with employees using their own devices when working from home. A recent study from Tanium revealed that 93% of IT leaders had discovered devices within their organisation’s IT environment that they previously didn’t know about.
In this scenario, teams lose visibility and control of their IT assets, creating vulnerabilities that can be exploited. And it is not a problem that can be resolved quickly, with coronavirus-related logistics constraints preventing businesses from swiftly issuing secure devices to their workforce.
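The visibility gap described above is, in practice, a reconciliation problem: what the organisation believes it manages versus what actually connects. The following Python script is an added illustration, not code from Tanium or from the article. It assumes a small constructed asset inventory keyed by MAC address and a constructed VPN/DHCP-style lease log (the log format is an assumption), and reports devices that appear on the network but not in the inventory, plus inventoried devices that have gone silent and can no longer be patched or monitored.

```python
import re

# Constructed sample inventory: what the organisation *thinks* it manages.
KNOWN_ASSETS = {
    "aa:bb:cc:00:00:01": "LAPTOP-FIN-01",
    "aa:bb:cc:00:00:02": "LAPTOP-HR-07",
    "aa:bb:cc:00:00:03": "LAPTOP-OPS-12",
}

# Constructed VPN/DHCP-style lease records; the line format is an assumption.
OBSERVED_LOG = """\
2020-04-06T08:01:12Z lease ip=10.8.0.21 mac=AA-BB-CC-00-00-01 host=LAPTOP-FIN-01
2020-04-06T08:03:40Z lease ip=10.8.0.22 mac=aa:bb:cc:00:00:02 host=LAPTOP-HR-07
2020-04-06T08:05:09Z lease ip=10.8.0.23 mac=DE:AD:BE:EF:00:01 host=Johns-iPad
2020-04-06T08:07:55Z lease ip=10.8.0.24 mac=de:ad:be:ef:00:02 host=DESKTOP-HOME
2020-04-06T08:09:30Z lease ip=10.8.0.25 mac=aa:bb:cc:00:00:01 host=LAPTOP-FIN-01
"""

# Six hex pairs separated by ':' or '-' (17 characters in total).
LEASE_RE = re.compile(
    r"ip=(?P<ip>\S+)\s+mac=(?P<mac>[0-9A-Fa-f:\-]{17})\s+host=(?P<host>\S+)"
)


def normalise_mac(mac):
    """Canonical form: lower-case, colon-separated, so formats compare equal."""
    return mac.lower().replace("-", ":")


def parse_leases(text):
    """Return {mac: {"host": str, "ips": set}} for every lease line that parses."""
    seen = {}
    for line in text.splitlines():
        match = LEASE_RE.search(line)
        if not match:
            continue  # skip malformed or unrelated lines rather than fail
        mac = normalise_mac(match.group("mac"))
        entry = seen.setdefault(mac, {"host": match.group("host"), "ips": set()})
        entry["ips"].add(match.group("ip"))
    return seen


def reconcile(known, observed):
    """Split devices into those on the network but not inventoried ('unknown')
    and those inventoried but never seen in the window ('silent')."""
    unknown = sorted(mac for mac in observed if mac not in known)
    silent = sorted(mac for mac in known if mac not in observed)
    return unknown, silent


def report(known=KNOWN_ASSETS, log=OBSERVED_LOG):
    """Human-readable summary for the sample data; returns the parsed results."""
    observed = parse_leases(log)
    unknown, silent = reconcile(known, observed)
    for mac in unknown:
        print(f"UNKNOWN  {mac}  host={observed[mac]['host']}  ips={sorted(observed[mac]['ips'])}")
    for mac in silent:
        print(f"SILENT   {mac}  host={known[mac]}  (inventoried, not seen)")
    return observed, unknown, silent


if __name__ == "__main__":
    report()
```

Unknown devices are the ones that will receive no patches and generate no telemetry; silent ones are managed devices whose state the team can no longer verify. Either list is the starting point for the "detection and response" posture Hodson describes, since prevention cannot be applied to an asset nobody knows about.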
Hodson delves into other difficulties currently being faced around mass remote working, adding: “Another one I see is compliance. Organisations in heavily-regulated industries – healthcare is one great example, financial services is another – have a legal obligation to ensure that certain environments adhere to rules and regulations.
“That’s something that becomes rather onerous if either you’re not in control of the device that’s processing data and information, and if you can’t provide any form of update to those devices.
“More in the Tanium wheelhouse, there’s the issue of patching. Lots of organisations have a tonne of data centre dependencies to distribute patches. And that’s just on the tech side – then there are the people challenges. Some CISOs are having calls with their suppliers and saying that SLAs are going to have to change because they don’t have the staff. All of this is compounding the problem of an increased set of threat events.”
As a consequence of these remote working challenges, enterprise security – normally a subject reserved for specialist industry coverage – has become a mainstream talking point during the coronavirus pandemic.
Much of this reportage centres around collaborative working software, which has very quickly turned from a handy add-on for employees to a critical tool for business continuity as we all work from home. Naturally, the security postures of these platforms have come under unprecedented scrutiny – not least in the case of video conferencing application Zoom.
During the month of March, Zoom saw an astonishing 535% rise in daily traffic to its download page. Yet security concerns around the platform quickly hit the headlines; there was a surge in hackers “Zoombombing” meetings, the company was criticised for falsely claiming to use end-to-end encryption and a number of other minor security flaws were exposed.
In normal times, such exponential growth in users would be nothing other than positive for a business like Zoom. You certainly wouldn’t expect its CEO to have to pen a grovelling apology to its community, as Eric Yuan did at the beginning of April. But Hodson adopted a balanced view when the question of Zoom’s high-profile failings was put to him.
“I think the challenge you have with applications, with operating systems, whatever it is, is that as something gains popularity, it gains attraction to cybercriminals,” he explains.
“I think the reason the Zoom vulnerability gained so much notoriety is that it was in the news every day. I couldn’t go to a mainstream newspaper without people talking about Zoom. Whenever anything has that level of exposure, any form of negative press is going to be newsworthy.
“One thing I will say in Zoom’s defence is that there was a software update within 24 hours – some will say that the damage was done, but it raises the more philosophical question of what happens if there’s an exposure in another provider soon? I know CISOs who’ve removed Zoom from their environment, but the conversation I’m having with them is are they doing similar things if vulnerabilities are reported in other products? The answer varies.”
Tanium’s CISO hits on the key point of cybercriminals ramping up their efforts, which is another theme to have emerged from COVID-19. Hackers haven’t just targeted collaboration platforms; the global healthcare sector has also been subjected to an array of attacks as it deals with the pandemic, according to multiple data sources.
Hodson has also observed this development and believes a general increase in attacks during the coronavirus is down to the “opportunistic” and “entrepreneurial” instincts of cybercriminals.
“I think it’s a fairly realistic picture. I was running a webinar recently where this subject came up, and we spoke about how there are various types of threat actors out there at the moment who are entrepreneurial and opportunistic,” he explains.
“For example we are seeing, as an industry, an increase in targeted phishing. Phishing always needs some form of pretext to get the end user to essentially click on links and be redirected to somewhere malicious. The challenge you have with a pandemic is there are so many personal issues that are brought into the melting pot.
“The pretext we’re seeing from cybercriminals is one that’s particularly visceral to people. If you’ve got relatives who are unwell from COVID-19, or you’re frequently turning to the likes of the World Health Organization and updates around numbers, mitigation and containment plans – that’s an absolute goldmine of pretext for a cybercriminal to start sending out very authentic-looking communications.”
He also brings the point back round to remote working, and how a sudden change from normality can lead to less vigilance when dealing with phishing scams and other malware distribution.
“When we talk about phishing generally and malware distribution, we usually talk about whether we have the right technical controls in an organisation – well at this time, people are operating in different working environments. It does change your ability to focus and it does introduce a different stress into your day.
“If you bring that into a phishing scenario, where that degree of necessary vigilance perhaps isn’t there because people are working too hard and trying to manage their families as well, I think it creates an additional factor.”
To combat these threats, Hodson believes organisations must take extra responsibility around security technology and communications – but approach that challenge in a way that strikes the right tone with employees who are struggling for order and normality as a global pandemic unfolds around them.
“Security professionals must provide guidance on the threat landscape, but in human-speak rather than the technical cyber-babble that we’re sometimes guilty of,” he concludes.
“Users need to be able to contact the company if they’re stressed or they’re not coping. Changing your way of working so quickly is hard. If people become stressed and have burnout, that has a material impact not only on their lives and health, but also from a cybersecurity perspective with their ability to make reasonable and sensible decisions.”