Ensure the first device to get infected is your last.

Back in the distant days of 2019, organisations treated working from home as an exception. While a few firms were taking advantage of affordable cloud solutions for a more flexible approach to work, they were ahead of the curve. Most of the day to day was still being done in the office.

The COVID pandemic catalysed a shift towards more flexible working, and the workplace has changed forever as a result. Research indicates that 76 per cent of employees feel they can perform their role just as successfully remotely as in the office. Further, 63 per cent of high-growth companies use a “productivity anywhere” model
in 2022. 

But alongside benefits like increased flexibility and greater work-life balance, the distributed hybrid work model has also increased organisations’ cyber

risk exposure. As hybrid work remains the norm, it is essential that organisations prioritise a security strategy that remains robust wherever employees work – at home, in a coffee shop, or at the office. As cyber attacks increase in frequency and severity, today resilience is about securing the entire hybrid work estate to ensure that when breaches happen, the first device or network infected is also the last.

HOW ARE THREAT ACTORS EXPLOITING REMOTE WORK TO INFILTRATE AN ORGANISATION’S IT?

Between cloud migration and widespread remote working, most organisations have a more dispersed infrastructure than a few years ago. There are more moving parts to manage and secure, and complexity continues to

threaten security. Threat actors were quick to take advantage of unprepared organisations making the cumbersome move to support a fully remote workforce in the early days of the pandemic. And they’re continuing to target inherent vulnerabilities that come with a distributed employee base. 

The average home network is unlikely to match the security capabilities of a corporate network, for example. Employees are also likely to be using personal devices during their workday, with research finding that over a third of remote workers prefer to mix business and personal machines. Personnel are also more isolated against social engineering tactics. It’s easier to fall for a phishing email impersonating a colleague when they are not sitting across from you in the office, for example. 

Compromising a remote worker’s device provides an adversary with a powerful tool to further their attack. While they can begin by exploiting a single endpoint to gain access to the enterprise’s larger IT environment, they can then move laterally across networks, datacentres and 

the cloud to find privileged accounts and compromise sensitive business assets. 

It’s also easier for an attacker to hide in a remote environment. Employees are now logging on at different hours and from a variety of IP addresses, making it more difficult to keep track of normal workload communications and user behaviour. As a result, attacks on hybrid work environments are costing organisations around $600,000 more than the global average cost of cyber attacks. 

HOW WHY IT IS SO IMPORTANT TO LIMIT ACCESS TO THE ESSENTIALS? 

Without the right precautions in place, a single compromised endpoint can open up pathways for bad actors to access more sensitive data and mission critical business applications. If the organisation has not implemented effective identity-based security controls or applied frameworks such as Zero Trust, there will be few barriers standing in the way of lateral movement – essentially granting attackers carte blanche to the entire organisation following an initial compromise. 

Over-provisioned user accounts are a gift to a network intruder, so organisations need to deploy a strict least-privilege approach that limits system access proactively by only providing the access absolutely necessary – shrinking the attack surface from the start.  Further, ransomware attacks can now move quickly enough – from a single compromised endpoint to broader organisational IT – to cause serious damage and disruption before the security team has a chance to detect and respond to the threat. So firms must have the ability to detect and contain attacks quickly.

The best way to limit access to essentials and reduce breach risks is to operate under an ‘assume breach’ mentality. Assume that bad actors or threats are already lurking across your cloud environments, datacentres and laptop estates – because they likely already are. 

HOW CAN ORGANIZATIONS REDUCE RISK?

As IT sprawl continues to expand, visibility and containment are critical above all else. Security teams must be able to see and stop attacks from spreading across any device linked to their network, no matter the location. This means a single point of control for all connections, and end-to-end visibility across the entire hybrid
IT estate. 

Firms must be able to uniformly enforce Zero Trust access controls and segmentation policies so users can only access necessary applications from the endpoint, rather than the entire IT environment by default. This will mitigate the harm a compromised endpoint can cause – making moving throughout the network far more time and resource intensive for attackers. In the end, adversaries pass the enterprise up in favour of softer targets.

Finally, containment strategies such as Zero Trust Segmentation prevents fast-acting ransomware from easily spreading through the network or from compromising additional devices. To maintain the flexibility and agility afforded by remote working, security  must work in a way that restricts threats, but not legitimate users. With the right approach, organisations can reap the benefits of hybrid working While also reducing risk and strengthening cyber resilience.  And in the current economic climate, resilience is everything.

Raghu Nandakumara

Head of Industry Solutions at Illumio