Last year was characterized by a collective, sudden shift to a remote workforce. 2021 is the year of the hybrid model. As some employees return to work safely, others may remain home or a mix of both.
Surprisingly, many organizations are discovering that concerns about potential lost productivity were exaggerated. It is now believed that one-quarter or more of all workers may become predominantly home-based. One of the many consequences of this change is an increase in cybersecurity risks. There is a complexity of implementing effective security to protect computing infrastructure.
As always, vigilance by the security professionals tasked with protecting networks from intrusion is the paramount defense. The basic formula is simple. Cybersecurity is based on defining what needs to be protected and at what points the protection is required. However, the explosive growth of remote workplaces has strained the information technology infrastructure of most organizations.
A basic defense tactic is to limit the number of potentially vulnerable attack surfaces accessible to a bad actor. With remote work, attack surfaces may be multiplied. A workforce that previously accessed organizational data and code within an organization’s well-protected networks now expect the same level of access from outside of those networks. The obvious counter to this is to require access through encrypted VPN (Virtual Private Network) connections.
Adding to the risk equation, many remote workers use personally-owned devices while “on the job.” An organization’s well-protected network is potentially compromised by insecure access from computers, smartphones, and tablets beyond the control of the IT security team. Remote workers also are likely to share their Internet access points with family and/or friends. This introduces still more non-secured devices to a shared connection.
Other pandemic-related challenges faced by security and IT professionals involve changes in supply chain relationships. The introduction of new business partners to fill gaps in a supplier network may inadvertently lead to oversights in vetting these partners and enabling secured communications links.
In manufacturing organizations, accelerating the digitalization of ICS (Industrial Control Systems) also is an issue. Remote management of ICS requires connectivity to many devices that previously were secured, in part, by isolation. However, improvements to operational agility realized as business models adapt to make it likely that they will become ingrained practices. Unless, of course, a future security failure causes a snapback.
With the trend clearly pointing to workplaces where remote access is the rule, how can organizations manage the increased threat level? Cybersecurity and IT professionals recommend starting with reinforcing basic security practices to adjust for a remote workforce. They note that workers should be wary of information requests and always verify the authenticity of the source. They should make sure that all devices with network access have up-to-date software and patches, and employ dual-factor authentication for devices whenever possible. Most importantly, experts note that even in a post-pandemic era, cybersecurity is shifting away from a perimeter-based model where all assets inside a network are trusted. Instead, zero-trust architectures. This is where individual, devices and applications are always authenticated and authorized before gaining access to a network, need to become the norm.
The recurring theme of these recommendations is authentication of sources, of users, and of devices. In the last decade, cybersecurity professionals have reached a consensus that authentication schemes should be based on a protected hardware element. The purpose of what is called a “secure element” is to provide a protected root-of-trust that can be embedded in each device capable of being connected to a network (whether a private network or the Internet).
The pandemic’s impact on remote work is an acceleration of a long-term trend that will continue for many years. The evolution of remote workplaces is one of many adaptions made possible by the emergence of connected, smart devices in nearly every aspect of people’s lives. The “Internet of Things,” which is likely to enter an even more dynamic stage of growth as 5G connectivity will make it even easier to link devices together, extends cybersecurity concerns for organizations and individuals alike.
Ultimately, the billions of connected devices in the Internet of Things also represent a multitude of potential attack surfaces. In the smart home of the future, remote workers may ask their smart speaker or smart TV to access files. It will be up to cybersecurity professionals to protect their networks from access by unsecured devices. A root of trust in every device will make what some might think an impossible task possible.