The first phase of the remote work paradigm in the early days of the coronavirus pandemic entailed getting enough laptops and ensuring connectivity for all users. Then organizations began securing all work-from-home employees, which makes sense given that the average cost of a breach is $8.64 million in the U.S., according to IBM’s 2020 Cost of a Data Breach report. Now there is a common expectation, echoed in recent conversations I’ve had with CISOs, heads of IT, and infosec specialists across the globe, that there will be more teleworkers in the future, creating a greater need to protect endpoints for employees who are not on a VPN.
Indeed, a recent report from Cisco Systems finds that roughly 75% of organizations are expecting employees to increase remote work arrangements even after the pandemic. Additionally, several companies have deferred the decision of when to have employees return to the office well into 2021.
To protect users, services, and the overall business going forward, security leaders are currently assessing alternatives to some of the common approaches taken thus far, as those approaches have fallen short. First, let’s dispel some myths:
Myth #1: Get everyone on a VPN
Astute leaders quickly recognized the fallacy of this model. Don’t get me wrong; VPNs have been an important tool in safeguarding remote access and have been used for over two decades for secure access to data in on-premises data centers. But as services have moved to the cloud and users demand more productive remote work environments, VPNs introduce a scalability bottleneck because they create a circuitous route to cloud applications and have a limited number of concentrator ports. Additionally, they do not protect against end-user attacks like ransomware or phishing; they rely instead on adjacent technologies in the network or on the endpoint.
Ensuring a strong user experience is one of the key challenges for IT professionals dealing with remote users, and some organizations resort to split tunneling to overcome this limitation. But that approach reintroduces the security concerns of direct-to-internet connections. Also, traditional VPNs grant blanket network-level access to the data center to all users. This further increases risk, and once the logging and auditing that such access requires are added, it raises the IT overhead of managing these resources as well.
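To make the "blanket network-level access" point concrete, the following added example (not code from the original article) models two access decisions side by side: a traditional VPN that admits any authenticated user to the whole data-center range, and a per-application policy keyed on the user's role. The network range, services, roles, and connection attempts are constructed for illustration.

```python
"""Added illustration: blanket VPN reachability versus a per-application,
per-role policy, evaluated over constructed sample connection attempts.
Every host, service, user and role below is made up for the example."""
import ipaddress
from dataclasses import dataclass

# Constructed: the range a VPN concentrator typically routes wholesale.
DATACENTER = ipaddress.ip_network("10.20.0.0/16")

# Constructed: three internal services living inside that range.
SERVICES = {
    "hr-portal": (ipaddress.ip_address("10.20.1.10"), 443),
    "build-server": (ipaddress.ip_address("10.20.5.20"), 22),
    "db-primary": (ipaddress.ip_address("10.20.9.30"), 5432),
}

# Constructed: which services each role may reach (least privilege).
ROLE_ALLOWS = {
    "hr": {"hr-portal"},
    "developer": {"hr-portal", "build-server"},
    "dba": {"hr-portal", "db-primary"},
}


@dataclass(frozen=True)
class Attempt:
    user: str
    role: str
    dst: str   # destination IP the client tries to reach
    port: int


def blanket_vpn_allows(attempt: Attempt) -> bool:
    """Traditional full-access VPN: once authenticated, any user reaches
    any host in the data-center range, whatever their role."""
    return ipaddress.ip_address(attempt.dst) in DATACENTER


def least_privilege_allows(attempt: Attempt) -> bool:
    """Per-application policy: the destination must be a known service
    and that service must be on the user's role allow-list."""
    target = (ipaddress.ip_address(attempt.dst), attempt.port)
    for name, endpoint in SERVICES.items():
        if endpoint == target:
            return name in ROLE_ALLOWS.get(attempt.role, set())
    return False  # unknown host or port: deny by default


def evaluate(attempts):
    """Return (blanket_decision, least_privilege_decision) per attempt,
    which is also the audit record a reviewer would want to see."""
    return [(blanket_vpn_allows(a), least_privilege_allows(a)) for a in attempts]


# Constructed sample attempts: one legitimate, two that blanket access
# would wave through but a role-scoped policy denies.
SAMPLE_ATTEMPTS = [
    Attempt("dev1", "developer", "10.20.5.20", 22),    # dev -> build server
    Attempt("hr1", "hr", "10.20.9.30", 5432),          # HR -> production DB
    Attempt("dev1", "developer", "10.20.7.7", 3389),   # dev -> unlisted host
]

if __name__ == "__main__":
    for attempt, (blanket, scoped) in zip(SAMPLE_ATTEMPTS, evaluate(SAMPLE_ATTEMPTS)):
        print(f"{attempt.user:5} -> {attempt.dst}:{attempt.port:<5} "
              f"blanket={blanket!s:5} least_privilege={scoped}")
```

The second and third attempts are the ones the text warns about: every authenticated user can reach every data-center host under the blanket model, so the only thing standing between an HR laptop and the production database is whatever the database itself enforces. Scoping access per service shrinks that exposure and makes each decision auditable.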
Myth #2: Train ’em
Security training indeed improves awareness; however, Verizon’s 2019 Data Breach Investigations Report shows that despite training, users will continue to click on malicious links, leading to successful breaches. In a recent survey by Cyberinc, three-quarters of security leaders and practitioners expressed concerns about users clicking on risky links in emails, documents, or the web. The challenge is that as attackers evolve their approaches, users struggle to differentiate good from bad—a determination that should not be left to end users in the first place. Bottom line: Training is important, but attacks still succeed.
Myth #3: Manage risk with content filters
While content filtering is a valuable tool that enables organizations to enforce acceptable use policies and also reduces the attack surface, users still face challenges. Policy management with content filtering can be difficult, especially with more services moving to the cloud and more users needing access. What should be allowed and what should be blocked? For how long should access be allowed? Who manages policies and compliance? Content filtering is also ineffective when attackers use “allowed” domains to deliver threats, as was the case with the recent Garmin breach, which occurred via malware delivered from compromised news sites. Malvertising attacks likewise use well-known sites to deliver malware, especially during the busy holiday online shopping season.
Myth #4: Endpoint protection can stop threats
Although anti-virus solutions protect endpoints against file-based malware, file-less malware is able to bypass these protections because there is no file signature to detect. Additionally, given the frequency with which new threats emerge, anti-virus/anti-malware solutions fail to keep pace. Endpoint detection and response (EDR) solutions do look for file-less malware; however, they need to be supported by an appropriately staffed security team to ensure that the alerts (and false positives) are handled in a timely fashion.
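The signature-versus-behaviour distinction is easier to see in code. The following added example (not from the original article or any vendor product) runs two kinds of check over constructed process-creation events: a hash lookup of the sort a file-based anti-virus performs, and a small set of behavioural rules of the sort an EDR applies. The events, the "known bad" hash, and the rule set are all constructed for illustration; the rules themselves (an office application spawning a shell, an encoded command line, a hidden window) are generic, widely published detection patterns.

```python
"""Added example: why a file hash signature misses a file-less technique
while behavioural rules still surface it. All events, hashes and rules
below are constructed for illustration."""
import base64
import hashlib
import re

# Constructed "signature database": hashes of known-bad files. The single
# entry is the hash of a made-up byte string, not a real sample.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-sample-bad-file").hexdigest()}

# Constructed: a benign encoded command, built the way PowerShell expects
# (-EncodedCommand takes base64 of UTF-16LE text).
ENCODED = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode()

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Behavioural rules: (name, predicate over one event). Order is the order
# in which hits are reported.
RULES = [
    ("office_spawns_shell",
     lambda e: _basename(e["parent"]) in OFFICE_APPS and _basename(e["image"]) in SHELLS),
    ("encoded_command",
     lambda e: re.search(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}",
                         e["cmdline"]) is not None),
    ("hidden_window",
     lambda e: re.search(r"(?i)\s-w(?:indowstyle)?\s+hidden\b", e["cmdline"]) is not None),
]


def signature_verdict(event: dict) -> bool:
    """File-based check: is the executed image's hash a known-bad one?"""
    return event["hash"] in KNOWN_BAD_HASHES


def behaviour_verdict(event: dict) -> list:
    """EDR-style check: names of the behavioural rules the event trips."""
    return [name for name, pred in RULES if pred(event)]


def decode_encoded_command(cmdline: str) -> str:
    """Enrichment for analysts: recover the text behind -EncodedCommand,
    or '' if the command line carries none / it is not valid base64."""
    m = re.search(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


# Constructed process-creation events (fields modelled on a typical EDR
# telemetry record). The PowerShell hash is a made-up stand-in for the
# legitimately signed system binary, which no signature list would flag.
LEGIT_PS_HASH = hashlib.sha256(b"constructed-stand-in-for-signed-powershell").hexdigest()
SAMPLE_EVENTS = [
    {   # 1: classic file-based malware dropped to disk and run
        "image": r"C:\Users\alice\Downloads\invoice.exe",
        "hash": hashlib.sha256(b"constructed-sample-bad-file").hexdigest(),
        "parent": r"C:\Windows\explorer.exe", "cmdline": "invoice.exe",
    },
    {   # 2: file-less: the trusted interpreter is the only thing on disk
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "hash": LEGIT_PS_HASH, "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
        "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}",
    },
    {   # 3: ordinary administrative use of the same interpreter
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "hash": LEGIT_PS_HASH, "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"powershell.exe -File C:\scripts\backup.ps1",
    },
]


def triage(events):
    """Per event: (signature_hit, behavioural_rule_hits)."""
    return [(signature_verdict(e), behaviour_verdict(e)) for e in events]


if __name__ == "__main__":
    for i, (sig, rules) in enumerate(triage(SAMPLE_EVENTS), 1):
        print(f"event {i}: signature={sig} behaviour={rules or 'none'}")
```

Event 2 is the case the text describes: the only file that executes is a legitimately signed system binary, so the hash lookup returns nothing, while the behavioural rules fire on the parent/child relationship and the command-line shape. Event 3 shows the cost side of the same approach: the same interpreter used normally trips no rule, but every rule added to catch more variants is one more source of alerts (and false positives) that the team behind the EDR has to be sized to handle.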