What security risks are associated with agile working? How can IT teams protect agile working from attacks? And what is the modern approach to security to take?
Agile working is a necessity for companies: employees must be able to access apps and company data from any device, anywhere, anytime.
In recent months we have witnessed a race to set up the most remote workstations, to ensure the continuity of operations of all employees. What appeared to be an emergency way of working actually has many advantages and several companies are choosing to continue on this path.
New Normal, however, has its counterpart, the New Cyber Normal: the more the number of remotely connected devices grows, the more the number of cyber attacks increases exponentially.
According to the Clusit Report 2021 on ICT security in Italy, they have increased by 12 per cent and not a day goes by without newspapers reporting news of companies that have fallen victim to malware, ransomware or other cyber-attacks.
From our observatory, we have identified the causes for which attacks threaten agile working:
With employees working remotely, the attack surface has widened. Many more backdoors - i.e. ports of entry - to protect: hackers have realised that the weakest point in the chain are employee's personal devices.
Unable to equip all employees with properly configured and protected company laptops, BYOD (Bring You Own Device) have taken over the corporate infrastructure. It is one thing to defend a defined corporate perimeter, it is quite another to defend an extended perimeter consisting of different tools and information systems.
The traditional approach to ICT security that focuses on protecting the corporate perimeter is outdated. 82 per cent of CISOs surveyed by the EMEA CISO survey agree that agile working has accelerated the disappearance of the traditional perimeter they used to defend.
The vast majority of companies configure remote access to company data with a password: all the user has to do is identify himself. But this is far too fragile a barrier to the entry of threats that, once circumvented, leaves the field open to hackers.
According to a report by Verizon, 81 per cent of breaches occur due to weak or compromised passwords. Huge files with billions of stolen usernames, e-mail addresses and passwords can easily be found on the dark web (see the RockYou2021 collection).
No one is safe, plus if users use unsecured wi-fi networks (cafes, squares, airports, etc.) or access data from unauthorised apps, they make life much easier for hackers. Then the damage spreads like wildfire, because users are used to using the same password on multiple websites and apps.
4 out of 5 of the CISOs surveyed stated that passwords are no longer an effective means of protection.
The third cause is attributable to the human factor.
However much security technologies and strategies are increasingly being adopted, human behaviour is fallible. Superficiality, lack of knowledge, approximation characterise security management. Especially with regard to BYOD, where updates and threat protection are the responsibility of the user.
We have already mentioned that the vast majority of attacks nowadays are not hacking attacks, but exploit vulnerabilities in the human factor. Passwords come under this heading, but there are many other attacks that target user habits. We are talking about phising and social engineering.
See e-mails that appear to come from trusted sources but are actually a way of obtaining personal or corporate data. Or attachments that once opened infect computers with malware (malicious software) or open links to infected sites. By the term social engineering, we refer to the set of techniques that induce unsuspecting users to release their data or perform actions that are dangerous to the hygiene of the PC and the network.
With mobile, the probability of success increases. The convenience of mobile devices provides an incentive to take quick decisions and in the case of smartphones, the small interfaces make it difficult to verify the authenticity of links and the vision of key informations.
The aforementioned Clusit report states that in 2020, there were over 3 trillion euro in damages, almost twice Italy's GDP. They can be of many kinds:
These can be the costs of business interruption or loss of productivity generated by cyber attacks.
This was the case at Geox last year: pirates hacked into the company's operating system, stole all the data and locked it. A week stopped, because Geox wanted to restart the data back up, without giving in to ransomware.
Think of the interception of sensitive documents, theft of patents, industrial espionage that can put a company at a disadvantage.
If the data theft concerns customers, their personal data or secreted conversations, we understand that the reputational damage is very high.
But there is a fourth, not unimportant reason: with the edge and 5G there will be huge flows of data that will be processed in real time. Smart applications and devices (the so-called IoT - Internet of Things) will be fully included in the tools that fall within the computer perimeter to be protected.
This means that hackers could sabotage the physical world as well: think of a factory with computer-controlled machinery and what a disaster it would be to lose control even of the production chain and logistics.
In the Everywhere Workplace, where perimeter defence is no longer sufficient, new models of cyber-security are needed.
The answer comes to us from the Zero Trust security model, a framework coined by Forrester, which is based on the realisation that not even within one's own corporate network is safe. Traditional approaches - based on user identification - take it for granted that everything within the corporate network is trusted.
It is a "zero" trust approach and its assumption is "never trust, always verify": any user, device, application that attempts to access the corporate network must be verified and so must its context (e.g. the network from which it connects).
Zero Trust combines multiple technologies that ensure secure access to corporate resources from mobile devices. These include user validation tools (e.g. multi-factor authentication), password elimination (Zero Sign-On), device reliability verification, network micro-segmentation, etc., all with the aim of mitigating as far as possible the risks arising from cyber-attacks.
All with the aim of mitigating risks from cyber-attacks as much as possible. The result is edge-to-edge security for any connected device.
The latest in Zero Trust involves the application of Artificial Intelligence: thanks to deep learning and its automated learning capabilities, technologies can detect vulnerabilities in systems and automatically remediate them. Thus preventing any kind of attack or disruption.
Insights
OUR OFFICES
OUR OFFICES
PADUA
Via Arnaldo Fusinato 42, 35137
MILAN
Viale Enrico Forlanini 23, 20134
ROME
Viale Giorgio Ribotta 11, 00144
Copyright © 2022 WEGG S.r.l. • P.I 03447430285 • C.F. 02371140233 • REA 311023
Certified company ISO 9001:2015
