BradEgeland.com
  • Welcome
  • Blog
  • Expertise
  • Resume
  • Software / Service Reviews
  • Contact
  • Videos
  • Books / White Papers
  • Mentoring Contact Form
  • Awards/Recognition
  • Templates & Downloads
  • Clients
  • Professional Services
  • Past Survey Results

Future of Hybrid Work and Cybersecurity Risks

9/20/2022

0 Comments

 
Picture
As a larger percentage of the U.S. workforce continues to take advantage of remote or hybrid working styles, many companies now face new cybersecurity risks and challenges as the world returns, reimagines and retools for the new normal. The tools companies put into place to engage with B2B and B2C customers during the pandemic are here to stay.


Consumers are increasingly wanting to engage with organizations using social media and SaaS tools. I love being able to order dinner for the family with a few taps using my nearby burger restaurant’s mobile app. My city government is using a SaaS web application to manage permits. These tools should, and likely will, become the norm for doing business. However, the downside of this is that, with the acceleration of digital transformation, threat actors have a rapidly expanded attack surface to exploit for espionage or profit.


Organizations have also added new office tools, like IoT devices to monitor for viruses and reporting tools to track vaccine status. Companies that were on legacy productivity applications have moved to cloud-based tools. While our business tools have also become more flexible, our intellectual property and customer data is in the cloud to stay. Organizations did not transfer all cybersecurity risk to the SaaS vendors; instead, we gained the insider threats and vulnerabilities of these vendors.


Many of us are relearning the skills we used to secure our devices at airports and coffee shops with resumed business travel. The complacency over our personal and corporate devices while working from home must be reversed.


Zero-Trust
How do we retain and enhance customer and employee experiences and manage the new cybersecurity risks? In short, zero-trust, threat intelligence and attack surface management are the keys to accomplishing those goals.


Zero-trust is more than a buzzword. It’s a policy in the U.S. federal government. Security and IT leaders see a lot of dollar signs when vendors start talking about zero-trust. You can start your zero-trust journey for relatively little investment—but it’s just a start, not your end state.


● Segregate privileged accounts. At a prior job in critical infrastructure, we had separate credentials for administering servers or ‘crown jewels.’ If you can’t afford a privileged access management tool, use a commercial password manager.

● Use modern password standards for little cost. Toss out the old password standards that used all character types, disallowed any words in the dictionary and mandated regular changes. Turns out we’ve been doing passwords wrong for decades. NIST updated its digital identity guidelines acknowledging these truths. My favorite XKCD comic explains how to create a memorable passphrase that is very hard to hack.

● Kill the VPN. Rather than requiring employee devices to connect via a corporate VPN, require authentication to all applications, preferably via SSO and MFA. Beware, though—threat actors regularly exploit vulnerabilities in VPN gateways and use compromised credentials sold by initial access brokers in the underground economy to log in remotely.

● Start from a ‘disallow all’ policy for servers and network appliances. All networks are untrusted in a zero-trust world. Allow communications to only the infrastructure needed for the server or tool to meet its business functionality. With such a strategy, you can avoid becoming a victim of a supply chain compromise, as the connections to an adversary’s infrastructure aren’t on the allow list.


Threat Intelligence
Threat intelligence is about supporting the tactical and operational decisions of security and risk leaders assessing the intent of threat actors in the physical world and cyberspace.


● Listen empathetically to your stakeholders to determine what business processes and technologies are most valuable to the company (if you don’t have priority intelligence requirements already).

● Support vulnerability management teams. Use the visibility from external attack surface management to prioritize assessment of risks from vulnerability exploitation.

● Support brand and executive protection. Not all impersonations or mentions of your brand and VIPs are significant. Use threat intelligence to assess the severity of the threat and provide recommendations to reduce risks to the brand’s reputation and the safety of people and property.


Attack surface management is the process of continuously discovering, identifying, inventorying and assessing the exposures of an entity’s IT asset estate. That attack surface includes all the mediums where your business works with customers, partners, and employees like social media, career sites, and cloud providers.


● Re-baseline your external and internal attack surface. Your baseline in January 2020 will look nothing like it does today. External attack surface management vendors report on average that prospects have 30% more assets in the cloud than they realized.

● Continually monitor your attack surface. Think like the threat and proactively find exposures. Accurate hardware and software inventories are critical to the success of every strategy, including zero-trust.

● Use external attack surface management tools to prioritize threat intelligence collection and analysis. Pay particular attention to any mentions of exploits to those technologies.

● Install and tune security controls on all employee devices. The fluid nature of businesses has placed additional pressure on the IT team to provide computers and software to the remote employee base. Use biometric authentication on user laptops to reduce the login burden; go passwordless.


Innovation is Not Without Cybersecurity Risks
I’m excited about all the innovation and digital transformation taking place. But all this new technology is not without cybersecurity risks. Security pros can enhance employee and customer experiences, maintain trust and reputation, reduce breaches and maintain compliance with smart strategies based on zero-trust, threat intelligence and attack surface management.

by Brian Kime on September 14, 2022


0 Comments



Leave a Reply.

    Author:

    Picture

    Brad Egeland


    Named the "#1 Provider of Project Management Content in the World," Brad Egeland has over 25 years of professional IT experience as a developer, manager, project manager, cybersecurity enthusiast, consultant and author.  He has written more than 8,000 expert online articles, eBooks, white papers and video articles for clients worldwide.  If you want Brad to write for your site, contact him. Want your content on this blog and promoted? Contact him. Looking for advice/menoring? Contact him.

    Picture
    Picture
    Picture
    Picture
    Picture
    Picture

    RSS Feed

    Archives

    December 2022
    November 2022
    October 2022
    September 2022
    August 2022
    July 2022
    June 2022
    May 2022
    April 2022
    March 2022
    February 2022
    January 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    November 2016
    October 2016
    September 2016
    August 2016
    July 2016
    June 2016
    May 2016
    April 2016
    March 2016
    February 2016
    January 2016
    December 2015
    November 2015
    October 2015
    September 2015
    August 2015
    July 2015
    June 2015
    May 2015
    April 2015
    March 2015
    February 2015
    January 2015
    December 2014
    November 2014
    October 2014
    September 2014
    August 2014
    July 2014
    June 2014
    May 2014
    April 2014
    March 2014
    February 2014
    January 2014
    December 2013
    November 2013
    October 2013
    September 2013
    August 2013
    July 2013
    June 2013
    May 2013
    April 2013
    March 2013
    February 2013
    January 2013
    December 2012
    November 2012
    October 2012
    September 2012
    August 2012
    July 2012
    June 2012
    May 2012
    April 2012
    March 2012
    February 2012
    January 2012
    December 2011
    November 2011
    October 2011
    September 2011
    August 2011
    July 2011
    June 2011
    May 2011
    March 2011
    January 2011
    December 2010
    November 2010
    October 2010
    September 2010
    August 2010
    June 2010
    May 2010
    April 2010
    March 2010
    November 2009

    RSS Feed

Powered by Create your own unique website with customizable templates.