
Distributed workforces make organizations particularly vulnerable to hacking. An approach called zero trust may just be the solution.

On the morning of June 15, 2020, several employees at one of the world’s largest social networking companies received a call from a colleague in the IT department asking them to provide credentials to an internal customer service portal. A handful of them offered the information and went on with their day.

That seemingly routine call from the IT department, however, was actually a spear-phishing attack by a Florida teenager. By late afternoon, the company was under attack. The teen and two accomplices had taken over some of the platform’s most prominent user accounts, including politicians and billionaire CEOs, and used them to bilk platform users out of roughly $120,000 through a bitcoin scheme.

The attack was only the most public example of a deeply troubling trend: Hackers—from teenagers to foreign governments—are exploiting vulnerabilities created in organizations by the move to remote work in response to the pandemic. As early as April, the government reported a 400 percent increase in cyberattacks compared to before the covid-19 crisis. According to experts, one key issue is that organizations simply aren’t set up to protect themselves when their employees are geographically distributed. “With remote work, traditional control policies that expect people to only be connecting to their applications or their data sources from within the enterprise are now gone,” explained Jason Keenaghan, zero trust strategy leader at IBM Security. “And it’s opened up an exposure to enterprises.”

The increase in daily cyberattacks immediately after the covid-19 crisis began.


Organizations aren’t defenseless, however. In response to this new threat environment, institutions are turning to a security approach first conceptualized a decade ago and which has become increasingly popular in recent years. The approach relies on a simple premise: trust no one.


Cybercrime in the era of covid-19

These vulnerabilities didn’t begin with the pandemic. Over the past decade, there has been a steady rise in the adoption of cloud technologies, with an acceleration over the past few years. According to a 2020 study, in 2011, 51 percent of organizations had part of their computing infrastructure or one application in the cloud. By last year, that number was up to 81 percent. When data is moved to the cloud, it becomes democratized and modularized; it’s scattered and used by a wide array of users on different devices and for different applications. This increases the chance for compromise.


“As the workforce has become vastly more spread out technologically and migration to cloud computing has accelerated, many organizations fail to adjust for the new security reality,” explained cybersecurity expert John Sileo. “They continue to view data protection from a fortress-like perspective where all of the “Crown Jewels” are protected by castle walls. But the traditional perimeters of protection are eroding, and cyber criminals are exploiting honest mistakes made during cloud migration.”

These issues are magnified with distributed workforces because employees are often working from personal computers on unsecured wifi networks. This leaves them open to straightforward hacking as well as more sophisticated social engineering schemes, in which hackers trick or manipulate a person into divulging a security password.

The proportion of employees who admitted to being duped by a phishing email between March and July 2020.

With large sectors of the economy’s workers now logging in from home, evidence of the challenge is manifold. By July 2020, nearly half of companies had experienced a security incident or data breach since March, according to one survey. A whopping 78 percent of employees said they’d received a phishing email while working on a personal laptop and 68 percent admitted clicking on the link or downloading an attachment.

“You have so many people working from home—working from different devices—who aren't necessarily technically savvy, who aren't running the right updates on their computer systems or who don’t even know they have to. They're inadvertently causing a security vulnerability,” explained Keenaghan.

Organizations need to take heed, as the end of the pandemic is unlikely to bring a return to full on-premises work. In fact, numerous studies indicate that the future of work in a post-pandemic world is hybrid, with the vast majority of white-collar workers splitting their time between home and the office. This makes tackling the cybersecurity challenges posed by the move to the cloud and remote work critical across industries.


Zero Trust as a solution—and a mindset

After the June breach at the tech giant, one former security employee told a reporter that the company’s “culture of trust” was a factor in the attack. That changed on June 15. Before the day was over, everyone from the CEO on down had to change their passwords in front of their supervisor on a video conference. The CTO also called a meeting with his executive team with the sole purpose of verifying everyone’s identity.


The culture of trust was gone. In response to the crisis, the company did a 180 and instituted what’s known as a zero trust policy. For over a decade, the strategy—which simply means to never trust and always verify—has been gaining traction among security professionals, but the adoption rate has accelerated due to new threats posed by the pandemic environment.

“As the effectiveness of firewalls and endpoint protection diminishes due to the work-from-home shift, verifying the legitimacy of a user before allowing them access is paramount. Zero trust architecture is becoming the holy grail of scalable and secure cloud computing,” Sileo said.


IBM Security's Keenaghan said that to understand zero trust, it’s necessary to look at the traditional model, which organizes networks into segmented safe zones. Entry may be heavily fortified, but once users have access to a zone, they can access everything in it.

“The concept of zero trust is really that there are no safe zones anymore,” Keenaghan said.

With the more secure approach, each time a user accesses sensitive information, a process verifies the authenticity of the user and the device they’re on, along with other kinds of contextual information, to validate at that point in time that this really is the right user accessing the right information for the right purposes.


The challenge with zero trust is how to shift from viewing security as something that can be achieved with a tool to viewing it as an organization-wide philosophy. Keenaghan said that many of his clients are keen to adopt the strategy, but don’t know where to start.


IBM Security’s Zero Trust Acceleration Service works with clients across all of their cross-functional teams and their stakeholders to understand where their biggest business priorities are, and then makes an assessment of what tools, technologies and processes they have in place today and how they need to mature that over time. “The output of that is actually an executable road map,” Keenaghan explained.

The road map is just the first step. Instituting zero trust will take a strong commitment, but the rewards go beyond security. With the right controls in place for securing internal and customer data, organizations can then use that data to gain more insights and deliver better experiences to customers and employees alike.

“Once businesses have more confidence in their controls, it'll help unlock a lot of potential,” Keenaghan said.