Before the COVID-19 crisis, remote work was considered a luxury option for a relatively lucky few workers in select industries such as technology companies and startups.
Oftentimes, there was even a stigma associated with working from home.
Now, that stigma has totally disappeared.
By Stephen Wright, President, CEO – Wright Business Technologies
Remote work has become a key strategy for businesses to protect their employees’ health and safety while still participating in the larger economy.
However, the mass shift to remote working has exposed many companies to a new generation of organized cybercrime and sophisticated hacking operations.
With so many employees remotely connecting to and accessing valuable company data, including sensitive consumer information and financial records, cybercriminals now have manifold more potential vectors (employees themselves) through which to compromise vulnerable systems.
Increased Reliance On Remote Workforce Leads to More Attacks
The portion of the U.S. workforce pivoting to a remote work arrangement is staggering.
According to Gallup, the percentage of full-time employees working remotely increased to 61% from 33% through the second half of March.
Working remotely is the new norm for many service sector workers, and it’s likely a trend that is not going away even when the COVID-19 pandemic subsides.
Companies such as Microsoft and Facebook have already announced that many of their employees will be working from home indefinitely. Microsoft is even letting employees relocate to other parts of the country.
This sudden shift from working on-site to working from home also means companies and organizations are struggling to strike a balance in providing flexibility for their employees while maintaining information security.
The hard truth is that an employee’s home office will likely not be as secure as a closely monitored and regularly audited office environment. Even companies that use managed IT services will not set up and monitor every worker’s individual home office setup.
This struggle is real and can be evidenced by the dramatic increase in cybersecurity threats. According to the Malwarebytes Labs report Enduring from Home: COVID-19’s Impact on Business Security, 20% of respondents faced a security breach due to their remote workforce. The results from the Global Threat Report from VMware Carbon Black are also shocking – 91% of over 3,000 globally surveyed companies had seen an increase in overall cyberattacks because employees were working remotely due to COVID-19.
How do companies deal with this massive uptick in cyberattacks and breaches in a work-from-home era?
Most companies are cash-strapped, so the question becomes, how do we prioritize limited resources to best secure and protect critical data?
The following discussion distinguishes between two schools of thought – directing your resources towards protecting a company’s network vs. directing your resources towards directly protecting your company’s data.
Protect the Perimeter: The Old School Approach
Network protection, also known as perimeter security, protects network traffic by controlling incoming and outgoing connections.
The theory is that if hackers and malware are prevented from entering and spreading through a network, the network assets are protected and secured.
This is done using a combination of tools such as firewalls, scanning, patching, the use of virtual private networks (VPNs), and access management to secure the boundaries of a company’s private network from the rest of the Internet, apart from key applications that reside outside of a company’s private network.
This approach is suitable when there are clear physical and digital boundaries. It is equivalent to putting up a fence to secure the perimeters and placing guards at the entrances. But that is not the world anymore. Boundaries are no longer static and manageable.
The following are some of the reasons why the perimeter is vanishing:
- Entry points are no longer finite. Data traffic can bypass perimeter security and flow directly from devices to applications on the cloud.
- Employees can log on from anywhere. To collaborate and work productively, employees not only access a company’s internal network, but also access applications on the cloud.
- Work is done across an expanded set of devices, from company-issued laptops to personal laptops, mobile phones, and tablets. Devices are at risk of being compromised off-site and then brought on-site when they connect to an organization’s internal network, where infections can spread.
Protect the Data: The New Approach
Let’s now distinguish data protection from network protection.
Data protection adopts a zero-trust approach, which means no one should be trusted by default, not even users already inside a secured network. Credentials can be stolen, and cybercriminals can virtually tailgate authorized users to bypass network security and then move laterally within the network to wreak havoc.
With a data protection paradigm, protection starts by securing the data itself, first. Even if the network or perimeter is breached, cybercriminals would have limited access to the data. On the other hand, the network approach focuses resources on protecting the perimeter first and leaving valuable data open to attack.
The data protection approach recognizes that data itself is the ultimate asset and the organization’s heartbeat. When cybercriminals make a move to attack or infiltrate your business, their ultimate target is your company’s data. Therefore, it stands to reason that instead of protecting the devices and the networks that contain the data, the best approach is to protect the data itself no matter where the data resides.
The following are four guiding principles to a data-centric approach:
- Data discovery and classification
There must be measures first to identify personal identifiable information (PII) and other sensitive and/or critical information as it is stored, accessed, and used across your company. Companies often overlook this principle because while it is the first logical step, it is more difficult than it seems. Companies must be able to sort through a vast volume of data and identify what needs to be secured.
- Data transformation
Once data is discovered and classified, critical data should be masked or anonymized using encryption, redaction, or other techniques to prevent exposing its contents. Encryption is the most effective way to protect critical data against theft and breaches by transforming data into an unreadable form (ciphertext). Only users with the right credentials can decrypt it and transform it back into something comprehensible (plaintext). Complex mathematical algorithms are used to scramble the data, whether it is stored or being transmitted across a network.
- Identity and Access Management
Only the right people should have access to the right information at the right time and for the right reasons. This means trusting no one by default and improving authentication. One of the simplest and most effective ways to strengthen authentication is to use multifactor authentication. But verifying identity is not effective without assigning roles to users and granting specific access permissions. Always follow the principle of giving the fewest people access to data and information (i.e., least privilege access). By limiting users’ access, you reduce the likelihood of cyber attackers gaining access to large volumes of data with a single compromised account.
- Monitoring and logging
Analytics must be in place 24/7, so you can tell the difference between a normal login and suspicious logins or behaviors. Once suspicious traffic or behavior is detected, procedures must be in place to suspend access privileges quickly and investigate the incident. This sort of automated analytics goes beyond basic security techniques and can be difficult to achieve, but detecting anomalies in real time is a key component of your defense strategy.
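The first three principles above (discovery and classification, transformation, least-privilege access) can be illustrated together in a single small pipeline. The following Python script is an added example written for this article, not code from the author or from Wright Business Technologies. The records, field names, the three classification levels, the role-to-clearance table and the tokenization key are all constructed assumptions; in production the key would live in a KMS or HSM and the detectors would be far richer than three regular expressions.

```python
import hashlib
import hmac
import re

# Constructed sample records (fictional people); field names are assumptions.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "card": "4111111111111111", "notes": "prefers email"},
    {"name": "Bob Example", "email": "bob@example.com",
     "ssn": "987-65-4321", "account_ref": "1234567890123456", "notes": "called 2020-04-01"},
]

# --- 1. Discovery and classification (deliberately minimal detectors) ------
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DIGITS_RE = re.compile(r"^\d{13,19}$")

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(value):
    """Classify a field by its content, never by its column name."""
    if SSN_RE.match(value) or (DIGITS_RE.match(value) and luhn_ok(value)):
        return "restricted"
    if EMAIL_RE.match(value):
        return "confidential"
    return "internal"

def inventory(records):
    """Discovery report: the highest classification seen for each field."""
    rank = {"internal": 0, "confidential": 1, "restricted": 2}
    seen = {}
    for rec in records:
        for field, value in rec.items():
            level = classify(value)
            if field not in seen or rank[level] > rank[seen[field]]:
                seen[field] = level
    return seen

# --- 2. Transformation: tokenize restricted data, mask confidential data ----
TOKEN_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: a KMS/HSM-held, rotated key in practice

def tokenize(value):
    """Keyed, deterministic pseudonym: records can still be joined, but the
    original cannot be recovered without the key."""
    return "tok_" + hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_email(value):
    local, domain = value.split("@", 1)
    return local[0] + "***@" + domain

def protect_value(value, level):
    if level == "restricted":
        return tokenize(value)
    if level == "confidential":
        return mask_email(value)
    return value

def protect_record(record):
    return {f: protect_value(v, classify(v)) for f, v in record.items()}

# --- 3. Least privilege: deny by default, clear roles per classification ----
ROLE_CLEARANCE = {
    "support": {"internal"},
    "finance": {"internal", "confidential"},
    "compliance": {"internal", "confidential", "restricted"},
}

def read_field(role, record, field):
    """Raw value only if the role is cleared for its level; otherwise the protected form.
    An unknown role gets an empty clearance set and therefore sees protected data only."""
    value = record[field]
    level = classify(value)
    if level in ROLE_CLEARANCE.get(role, set()):
        return value
    return protect_value(value, level)

if __name__ == "__main__":
    print("inventory:", inventory(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        print("protected:", protect_record(rec))
    print("support sees ssn as:", read_field("support", SAMPLE_RECORDS[0], "ssn"))
```

Note how Bob's 16-digit account reference fails the Luhn check and stays "internal" while Alice's card number is tokenized: classifying by content rather than by column name is what keeps the discovery step from both over- and under-protecting. The same classification drives both the transformation and the access decision, so the protected form is what an under-privileged or unknown role receives, and an attacker who copies the protected data set has tokens and masked values rather than usable PII.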
A Case Study
Recently, a Russian hacking group known as Evil Corp. launched ransomware attacks against 31 major U.S. companies by targeting employees working remotely due to COVID-19.
Evil Corp. leveraged remote workers by deploying sophisticated malware on common websites (e.g., news sites or blogs) that employees visited on a device they also use for work.
The malware infected the device, and as soon as the remote employee connected to their company’s network via VPN, the malware released a ransomware program that locked the company’s systems and data to extract a ransom payment.
Using this real-life example, let’s see how the consequences may differ depending on which approach is taken.
Network Protection Approach
- A company with this approach would have directed its resources to patrol its network perimeter. Thus, it is ill-equipped once the malware bypasses the perimeter by tailgating an authorized user’s connection to a VPN.
- The company would end up coughing up between $500,000 and $1 million to regain access to its own data and systems.
- The damage would not only be limited to financial loss, but it would also impact productivity, revenues, and brand credibility.
Data Protection Approach
- A company with this approach would know to encrypt its critical and sensitive data, so even if the malware gained access, it could not read the data or release it in usable form to unintended parties (e.g., to the public).
- Resources may also be spent on monitoring technology that can block suspicious applications from gaining access to data or block ransomware from encrypting data and systems.
- Even if the malware successfully locks up a company’s systems and data, a company with a data-centric focus would have contingency plans such as backups in an off-site location. With backups, the company could easily restore critical data and systems with minimal recovery time.
A data-centric approach may not prevent ransomware attacks. Still, companies can maintain control of their data without paying the ransom or suffering the other detrimental consequences.
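The monitoring principle described earlier and the "block ransomware from encrypting data" point in the case study both come down to the same detection logic: watch for behavior that a normal remote worker does not exhibit and cut access fast. The following Python script is an added example written for this article, not code from the author or from any product named in it. The log format, the user country baseline, the 60-second window, the five-write threshold and the "encrypted file" extensions are all constructed assumptions; the log lines are fabricated for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in an assumed key=value format (not from any real product).
SAMPLE_LOG = [
    "2020-04-01T08:00:00Z login user=alice src=203.0.113.7 country=US vpn=yes",
    "2020-04-01T08:00:10Z file user=alice op=write path=/share/finance/q1.xlsx.locked",
    "2020-04-01T08:00:12Z file user=alice op=write path=/share/finance/q2.xlsx.locked",
    "2020-04-01T08:00:14Z file user=alice op=write path=/share/finance/budget.docx.locked",
    "2020-04-01T08:00:16Z file user=alice op=write path=/share/hr/payroll.csv.locked",
    "2020-04-01T08:00:18Z file user=alice op=write path=/share/hr/contracts.pdf.locked",
    "2020-04-01T08:00:20Z file user=alice op=write path=/share/hr/handbook.pdf.locked",
    "2020-04-01T08:05:00Z login user=bob src=198.51.100.9 country=DE vpn=yes",
    "2020-04-01T08:05:30Z file user=bob op=write path=/share/sales/pipeline.xlsx",
    "garbage line that does not parse",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>login|file) (?P<kv>.*)$")

def parse(line):
    """Turn one log line into an event dict; unparseable lines are skipped, not fatal."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = dict(p.split("=", 1) for p in m["kv"].split())
    ev["kind"] = m["kind"]
    ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

# Assumed baseline of where each user normally connects from (learned from history in practice).
BASELINE_COUNTRY = {"alice": {"US"}, "bob": {"US"}}
BURST_WINDOW = timedelta(seconds=60)   # assumption
BURST_LIMIT = 5                        # assumption
SUSPICIOUS_EXT = (".locked", ".encrypted", ".crypt")  # assumption: extensions ransomware commonly appends

class Monitor:
    def __init__(self):
        self.suspended = set()
        self.alerts = []
        self.recent = defaultdict(deque)  # user -> timestamps of suspicious writes in the window

    def process(self, line):
        ev = parse(line)
        if ev is None:
            return None
        user = ev["user"]
        if user in self.suspended:
            return "denied"   # suspended accounts are cut off until an investigation clears them
        if ev["kind"] == "login" and ev["country"] not in BASELINE_COUNTRY.get(user, set()):
            # Unusual origin alone is worth an alert and a review, not an automatic suspension.
            self.alerts.append(f"{user}: login from unexpected country {ev['country']}")
        elif ev["kind"] == "file" and ev["op"] == "write" and ev["path"].endswith(SUSPICIOUS_EXT):
            q = self.recent[user]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) >= BURST_LIMIT:
                # A burst of renamed-to-encrypted files is the ransomware signature: suspend now.
                self.alerts.append(f"{user}: {len(q)} ransomware-style writes within {BURST_WINDOW.seconds}s")
                self.suspended.add(user)
                return "suspended"
        return "ok"

def run(lines):
    """Replay a log and return per-line outcomes, alerts raised and accounts suspended."""
    mon = Monitor()
    outcomes = [r for r in (mon.process(line) for line in lines) if r is not None]
    return {"outcomes": outcomes, "alerts": mon.alerts, "suspended": mon.suspended}

if __name__ == "__main__":
    result = run(SAMPLE_LOG)
    for alert in result["alerts"]:
        print("ALERT", alert)
    print("suspended:", sorted(result["suspended"]))
```

Replaying the constructed log, Alice's VPN login looks normal, so the perimeter lets it through; it is the fifth encrypted-looking write within a minute that trips the suspension, and her sixth write is denied. Bob's login from an unexpected country raises an alert for review but his single ordinary write proceeds. The design choice is that the response is tied to the data-level behavior (files being overwritten in bulk), not to whether the connection came through the VPN.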
The Perfect Time to Protect What Really Matters
The difference between network protection and data protection is not the technology or tools per se. The difference is acknowledging that data is what really matters. That realization will help direct your finite resources to protect data first and then build layers of additional network security.
With malicious actors taking advantage of the work-from-home era to launch sophisticated cyberattacks, the old school approach of focusing on network and perimeter security is no longer sufficient, just like castles and moats are strategies of the past.
This is the perfect time to shift focus from protecting networks to protecting the data itself. After all, losing data is not just an IT matter; it is a business matter.
About the Author
Stephen Wright is the founder and CEO of Wright Business Technologies. He is responsible for the overall success of the company, clients, employees, and vendor partners who support the business. Stephen graduated from Texas Tech University with a degree in business management and established Wright Business Technologies in 1992. He later earned his MBA, also from Texas Tech University.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.