David Cummins discusses the increasing cyberthreat that businesses face in the 'new-normal' of remote and hybrid work following new research conducted by Forrester Consulting on behalf of Tenable.
In September 2022, the U.K. government announced plans that will grant all employees the right to request flexible working using their first day's work. This cements the duty organisations have to permanently adopt hybrid and remote working. This ” new world ” of work, however, introduces new, and largely unmanaged, cyber risk, developing a dispersed and engaging attack surface for threat actors to take advantage of. This is what you should know.
In the 18 months since work-from-home mandates were enacted because of the pandemic, many U.K. organizations have now use long-term hybrid and remote work models. The upcoming law change will mean more people are likely to opt to work at home, as the waiting period to request flexible work red carpet months inside a role disappears. Because the home network morphs in to the corporate network, greater risks of cyberattacks and business impacts are imminent.
At present, 70% of U.K. organizations have employees working remotely, compared to 30% before the pandemic, with 86% either planning to adopt an online working policy long-term or have already done so. This information is sucked from a study1, conducted by Forrester Consulting on behalf of Tenable, that surveyed a lot more than 1,300 security leaders, corporate executives, and remote employees worldwide. The research, Beyond Boundaries: The way forward for Cybersecurity within the ” new world ” of Work, was conducted in April 2022 and also included 168 respondents in the UK.
Introducing a hybrid working model is complex
Switching to a flexible work model requires three significant shifts, which serve to atomise the attack surface:
- The elimination of traditional workplace perimeters because of the introduction of technologies that allow employees to work from anywhere.
- The movement of business-critical functions to the cloud.
- The vast expansion of the software logistics and implementation of new tools for enhanced collaboration, communication and productivity.
These new working practices have caused the organization attack surface to blow up, with lots of organizations left struggling to process and address the new risks introduced.
A hybrid worker might be in the office eventually and the next they might connect remotely via home routers or Wi-Fi hotspots in third workspaces, such as coffee houses or hotels. The study also found that 33% of U.K. security leaders have high or complete visibility into personal devices remote employees might be using for work.
In the aftermath from the pandemic and its ongoing effects, 46% of U.K. organizations transitioned business-critical functions to the cloud to enable accessibility at home – this included accounting and finance and human resources . When inquired about the increased risks, 80% of U.K. respondents believe their organization is much more exposed as a result of moving business-critical functions to cloud systems. Just as concerning, 58% of U.K. respondents attributed a minumum of one business-impacting cyberattack2 to some third-party software vendor compromise within the last year.
Despite the increasing popularity and acceptance of remote working, half of U.K. security and business leaders feel they are not well equipped or ready to support the new world of work securely.
Attackers take advantage
The concern from corporate executives is certainly understandable based on the evidence. The research discovered that 90% of U.K. organizations experienced a business-impacting cyberattack within the last year, with 51% falling victim to 3 or even more. When focusing on the main of those attacks:
- 72% resulted from vulnerabilities in systems and/or applications put in place in reaction towards the pandemic
- 68% targeted remote workers or those working from home
- 63% involved an unmanaged personal device used in a remote work environment
- 51% resulted from VPN flaws or misconfigurations
- 51% involved cloud assets
We have to alter the approach we take to think about risk
This change has highlighted that cyber risk is a business risk, and as such ought to be viewed and prioritised as other threats facing the organisation.
One benefit, if we can call it such, in the future from hybrid work models and a digital-first economy is the fact that together they have catapulted cybersecurity towards the forefront of organisational concerns and priorities. Security now warrants the necessary purchase of order to ensure protection to employees, customers and full organisations. It's comforting, then, to understand that, to deal with the problem, 75% of U.K. security leaders intend to increase their network security investments within the next 12 to 24months – with 73% likely to increase spend on cloud security, while 66% plan to spend more on vulnerability management.
The new mode of working is responsible for ripple effects in the corporate network, creating a change from perimeter-based security architectures. Businesses require visibility in to the entirety of the attack surface so that you can manage and measure cyber risk across operational technology and IT systems on one platform on-premises as well as in the cloud. Jointly, they have to determine where vulnerabilities exist in by doing this and the potential impact if exploited.
In tandem, another key focus is Active Directory, developed by Microsoft for Windows domain networks that helps organise a company’s users, computers and more. Given the disbanding of traditional perimeters, the configuration and management of user access is more important than ever. Building user risk profiles according to changing conditions, behaviours or locations, means that the organisation can continuously monitor and verify every make an effort to access data before granting or revoking the request. This gives the safety team with clear visibility of their entire threat landscape, the intelligence to foresee which cyberthreats will have the greatest business impact and controls to deal with cyber risks.
If staff continue to treat cybersecurity as an afterthought and fail to stay up to date with business changes, threat actors have a field day. It's imperative that organisations find methods to protect sensitive data within the ” new world ” of labor.
________________________________________________________________________________
- The information is drawn from 'Beyond Boundaries: The Future of Cybersecurity in the New World of Work,' a commissioned study of more than 1,300 security leaders, business executives and remote employees, including 168 respondents in the U.K., conducted by Forrester Consulting with respect to Tenable
- A business-impacting cyberattack is one which leads to a number of the following outcomes: lack of customer, employee, or any other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property