As the world is starting to move out of lockdown, businesses are moving some of their workforce back into the office environment. Whilst their focus may be on the logistics of this and making the office environment ‘Covid-Safe’ for their employees, they also need to be cognisant of the potential security challenges facing them. Some areas that businesses should start to focus on are:
- Currency of critical security patches
- Any relaxation of endpoint administrative rights
- Identification of unauthorised network scans
The problem
During the pandemic, most corporate assets (laptops) have in effect been residing on home office networks, those being home or public Wi-Fi, with only their EDR solution and VPN protecting them from attack. For the last 18 months or so, these assets have been sharing their local network with potentially un-patched devices, being operated by individuals who may have been more concerned with the latency of MineCraft and downloading the latest gaming ‘feature packs’ from non-salubrious websites, than good cybersecurity hygiene.
Combine this with the necessity of some IT Depts having had to relax their Corporate Policy on Remote Patching (due to bandwidth limitations of VPN) and Administration Rights on local assets (in order to install ‘that home printer driver’), if not revisited and reverted, can leave a significant exposure.
Early stakeholder buy-in
This is essential, as without stakeholder support, any efforts to address these challenges will stall very quickly. The pandemic has put constraints on operating budgets for many businesses, so it is essential to be able to articulate these security challenges and ways in which to mitigate, clearly to stakeholders. Without this insight, it will be an uphill struggle to focus on these additional security requirements and obtain the budget to support them.
Hopefully this article will provide the narrative to assist with that dialogue and highlight some of the concerns that pose a real threat to businesses.
The human element
Moving away from technology for a moment, and an area that is often overlooked by businesses, is how the employee has been managing their security hygiene, in the absence of localised IT support.
In effect, they could have been making security decisions for over a year, as remote workforce. They have lacked the ability to prevent potential ‘odd behaviour on endpoints’ with peers. That ‘security pop-up’ message that they just clicked ‘yes’ to, or the attachment they opened, that appeared to ‘do nothing’, all of which can be the precursor activity of an attack.
Threat actors have taken full advantage of this exposure, and there has been a marked increase in attacks focussed on Business Email Compromise (BEC) and phishing scams to name a few.
A recent report by Gartner talks about how these threat actors have taken advantage of the changing working environments, both during and post pandemic, targeting the remote workforce with email and SMS campaigns pertaining to be from their local IT Support.
Any breach in endpoint security of your remote workforce may be amplified exponentially once they return to the office and the threat actors are then able to get a foothold on the corporate network and start profiling internal architecture, in advance of for example, ransomware deployment.
Businesses can start to address these risks as part of their return to office planning by taking a number of tactical steps.
Controlled introduction
Just like the way a business would rollout a new technology, it is always advisable to address any outstanding security issues in bite-sized-chunks. Look to update endpoint patching before a return to office, based on, for example, geography. And for businesses that only operate in one country, this could be broken down into business function. Ask users to keep their endpoints connected overnight to make best use of VPN bandwidth. For any users unaware of this activity or where their VPN failed during updates, use validation technology, as explained in the following section.
Evolve current security tools and look at additional complementary technologies
The majority of what is required to address some of these security challenges can be achieved by increasing the functionality of existing security tools. Taking EDR as an example, look to enable file integrity checks to spot any alterations to the standard endpoint build levels.
Network access control can be achieved by evolving the current switch fabric, and used to address edge cases, as mentioned above, as they appear on the corporate LAN – Quarantining them until OS and EDR updates have been applied.
Finally, take the opportunity to perform an asset discovery to identify additional unclassified compute and to help support vulnerability scans to confirm patching validity.
Time to update…
Taking time to revisit access control policies is always good practice, especially as part of your workforce returning to the office, as the lack of enforcement for Least Privilege Access is a main contributor to the majority of breaches and malware outbreaks. A robust Access Control policy helps to identify unauthorised activity and elevated privilege trying to access infrastructure they would normally not have access to.
Turning up the brightness…
A large part of being able to react to any incident is having tooling in place that not only gives you the visibility of the IT (and OT) landscape but also provides actionable intelligence by means of Indicators of Compromise. Focussing on the detective controls more closely allows your Operations Teams to pick out anomalous activity based this new Hybrid Workforce operating model.
Increasing the sensitivity of any SIEM solution for a controlled period of time can help the Operations Team spot any changes in endpoint and/or user habits.
Prevent – Detect – Respond
Pressure testing your Incident Response Plan as part of the return to office planning not only allows a business to simulate the types of incidents and the visibility required to address anomalous behaviour, but also highlight any latent polices that require adjustment to embrace the new method of working practice we are seeing, post pandemic.
Having a robust incident response plan in place takes the pressure off the Operation Team, allowing them to focus on the critical events and sequence through remediation steps to eradicate the threat.
Call to action
In summary, the intention of this article is to stimulate discussion internally to your business on some of the security challenges you’re likely to be facing as your workforce returns back into the office environment.
Most recommendations can be achieved with minimal effort and cost, and if done correctly, can help to mitigate against the increased levels of threat we are seeing post pandemic.
Don’t stop with your own organisation, start asking what your suppliers and partners are doing in this space. And if you have cyber insurance…GREAT…this may assist with your recovery; however it doesn’t address any damage to your brand…. Food for thought.