While it is no longer surprising that almost half of business leaders will allow their staff to work from home (WFH) at least part of the time after the lockdown, the truth is that IT administrators are unable to manage their remote employees’ own devices. This leaves corporate networks vulnerable and raises doubts about bring your own device (BYOD) policies. The question therefore remains: are BYOD and WFH compatible?
Why focus on end-user protection?
Broadly speaking, endpoint devices are the gadgets that can access the network. Laptops, tablets, mobile phones, printers, and many more fall into this category. However, when it comes to corporate endpoints, the situation can get tricky: not only is the number of business devices greater, but servers also come into play.
“Protecting the servers is challenging as they constantly receive numerous inbound requests and have to process all of them. Given this, corporate security systems have to be far bolder, and able to protect diverse endpoints. However, when companies have been operating within the office perimeter, all the traffic was being inspected by a common security stack. With the shift to remote workplaces, companies are focusing on end-user protection,” NordVPN Teams’ CTO Juta Gurinaviciute tells CXOToday.
Studies have shown that last year, each person had nearly seven network-connected devices on average, and the connectivity grows exponentially. Deloitte’s security experts estimate that the cost of a successful endpoint attack is over $5 million in lost productivity and remediation.
Needless to say, the overnight decision to move to a WFH setup during the pandemic wasn’t smooth, at least in the initial phases, and many exposures remain to this day. To ensure a swift and efficient transition, some managers suggested employees use their own laptops, monitors, and smartphones to work from home. These devices can’t be remotely managed by system administrators, opening up a plethora of potential vulnerabilities. In fact, 85% of chief information security officers (CISOs) admitted to having sacrificed cybersecurity in an effort to establish a remote workplace for employees.
“The majority of the enterprise endpoints, such as laptops, PCs, or servers, can be supervised remotely. Security officers and IT admins can easily log into every device, make alterations, change users’ permissions and track their activity. Their hands, however, are tied when employees’ own machines are concerned, and the resilience lies only in the user’s consciousness,” says Gurinaviciute.
In addition to managing corporate machines remotely, IT teams can effortlessly patch their vulnerabilities. Individual endpoint devices can also be updated automatically, but this lacks the finesse of patching in the corporate environment.
In the corporate environment, patches are downloaded once and deployed to all relevant machines via a centralized system. That system can also fix vulnerabilities within servers, and the patching process is overseen and managed by professionals. They can, for example, run tests before putting updates into action and push them to every business device connected to the internal network.
“Among other precautions, work computers do not grant the administrator rights to the end-user. This prevents them from installing irrelevant programs and, in some cases, malware. Home devices are more susceptible as every user controls them without any limitations. If this type of device is used for work, classified information might be leaked in a data breach, caused by negligence,” comments Gurinaviciute.
The company perimeter has been changing in recent years. It is no longer sufficient to talk about the secure connection to the office, and telecommuters have to be protected no less than the HQ office perimeter itself.
One way to mitigate the risk is to apply zero-trust restrictions: security professionals now implement Zero Trust Access (ZTA) to limit employees’ access to corporate data. There are various types of zero trust (network, transport, session, application, or data, to mention a few), but the biggest focus is on the device and user area. This shouldn’t be surprising, as cybersecurity today is mostly approached from an identity and authentication perspective.
“With ZTA, users can only reach information needed to complete the task, and for a limited time only. However, with systems being increasingly complex, information security teams have to focus on app and data levels, as it is important to monitor which applications invoke suspicious queries. With this information, security officers can identify hackers trying to leverage open ports or services for an attack,” says Gurinaviciute.
While robust software is necessary, having numerous cybersecurity solutions can cause confusion. Today, endpoints are protected by 10.2 security agents on average, but they create conflicts and might leave vulnerabilities exposed. This is also the case in an emergency, as organizations using more cybersecurity tools ranked 8% lower in their ability to detect attacks.
“Before implementing ZTA and rethinking your data breach containment plan, make sure to cut the deadweight of unused devices and user accounts. Unpatched and forgotten mobile phones or the software that some of your employees never use can broaden the surface area for a cyberattack. Apply a minimalist approach, but resort to trusted and effective protection measures,” recommends Gurinaviciute.