Intelligent CISO Issue 32 | Page 50

FEATURE
continue to become increasingly blurred, ensuring proper coverage of all corporate assets while not encroaching on users' personal behaviours is going to be more challenging.
2. Best practice for a mobile workforce
After addressing visibility and device security, CISOs should focus on ensuring users are working to best practices. Office-based users who are not familiar with home or remote working may not be embracing it effectively, or in the way the organisation needs them to.
The shift to mobile working has also seen a move to co-working venues, which will likely become more frequent as permanent office spaces become less viable. While many of these venues take security seriously and have controls in place, the wider economic effect of COVID-19 has forced other businesses to provide co-working options as a new revenue stream. Whether this is a local pub, café or restaurant driving trade with free Wi-Fi or bottomless coffee offers, it is far less likely that these venues are as security conscious as dedicated co-working facilities. Employees working from these locations, often unbeknown to the IT security team, open up yet another avenue for potential bad actors to compromise devices and services via man-in-the-middle (MITM) and similar tactics. Going forward, this will force organisations to consider a much broader range of security tools and potential attack types.
The impact of mobile worker behaviour also bleeds into supply chain risk. CISOs will be tasked with providing a top-down view of organisational risk, inclusive of customers, third parties and potential supply chain breaches. Reconciling a mobile workforce and mobile device estate, one that potentially mixes personal and work tasks into single workflows, significantly broadens this risk and dilutes visibility across the organisation.
CISOs are facing a dilemma. On the one hand, they can embrace mobile working, which likely means changing a variety of processes, policies and procedures, which will in turn affect compliances and accreditations. On the other, they can reject modern working practices and attempt to enforce legacy policy in a modern environment, in which case tools will likely need to change to accommodate this.
Whichever route a CISO chooses, if the correct tools are not adopted by the business, there will almost certainly be an increase in the security responsibilities placed on end-users. If adequate training is not provided, this may have a significant long-term impact on overall security.
3. Widening the focus on mobile infrastructure
One of the more challenging changes facing CISOs in the shift to remote working is the potential impact of Internet of Things (IoT) devices on organisational security. Few CISOs will currently be able to say for certain which IoT devices are connected to their corporate data repositories and networks via employees' home networks, or whether any single employee has synced their digital assistant with their work calendar.
Modern authentication types such as Security Assertion Markup Language (SAML), OAuth and OpenID Connect (OIDC) make it very easy for end-users to enrol, connect and potentially leak data out of corporate cloud services without the security team ever knowing. These are also potentially 'one time' authentication types: the user consents once and the grant persists, making it even less obvious to an end-user that they have done something they shouldn't have.
Something as simple as connecting an Amazon Echo device to a corporate Office365 account is unlikely to be seen by an employee as anything more than an easy way of gaining a central view of their calendar or appointments. However, many employees may unknowingly be leaking corporate data and leaving yet another attack surface, completely unnoticed by IT, open to threat actors.
Consumer IoT devices are now a corporate security risk. If a remote worker has a poorly secured home network with numerous IoT devices (often with questionable in-built security at best), this now poses a risk to the overall corporate environment. The prospect of threat actors easily gaining access to a poorly secured home network and using this to move laterally into the corporate network or cloud services is now far from academic. Any organisation is only as strong as its weakest link and CISOs need to be acutely aware of this new threat vector.
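As an added illustration of the self-service consent problem described above (this is example code, not part of the original article), the following Python script audits a constructed list of user-consented OAuth application grants and flags third-party apps that obtained persistent access to calendar or mail data without an administrator in the loop. The record layout, the allowlist of approved apps and the sample grants are assumptions, not any vendor's actual export format; `offline_access` is the standard OIDC scope that yields a refresh token, and the other scope names follow common cloud-suite permission naming.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Scopes that expose corporate data to the consenting application.
DATA_SCOPES = {"Calendars.Read", "Calendars.ReadWrite", "Mail.Read", "Files.Read.All"}
# Standard OIDC scope: the app receives a refresh token and keeps access
# long after the single consent screen the user clicked through.
PERSISTENT_SCOPE = "offline_access"
# Hypothetical allowlist maintained by the security team.
APPROVED_APPS = {"Corporate Calendar Sync"}


@dataclass
class ConsentGrant:
    user: str
    app_name: str
    consent_type: str  # "user" (self-service) or "admin"
    scopes: List[str]


def classify_grant(grant: ConsentGrant) -> str:
    """Return "ok" or a severity label for one consent grant."""
    if grant.app_name in APPROVED_APPS or grant.consent_type == "admin":
        return "ok"
    data = DATA_SCOPES.intersection(grant.scopes)
    persistent = PERSISTENT_SCOPE in grant.scopes
    if data and persistent:
        return "high"    # unreviewed app with standing access to corporate data
    if data:
        return "medium"  # data access, but only while the user session lasts
    return "low"         # identity-only scopes, still unreviewed


def audit(grants: List[ConsentGrant]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (user, app, label, data scopes) for every grant that is not "ok"."""
    findings = []
    for g in grants:
        label = classify_grant(g)
        if label != "ok":
            findings.append((g.user, g.app_name, label, sorted(DATA_SCOPES & set(g.scopes))))
    return findings


# Constructed sample export; these are not real tenant records.
SAMPLE_GRANTS = [
    ConsentGrant("alice@example.test", "Corporate Calendar Sync", "admin", ["Calendars.Read", "offline_access"]),
    ConsentGrant("bob@example.test", "Smart Speaker Assistant", "user", ["openid", "Calendars.Read", "offline_access"]),
    ConsentGrant("carol@example.test", "Slide Template Picker", "user", ["openid", "profile"]),
]

if __name__ == "__main__":
    for user, app, label, scopes in audit(SAMPLE_GRANTS):
        print(f"{label.upper():6} {user} -> {app} {scopes}")
```

Run against a real consent export, the "high" findings are the grants worth reviewing first, because revoking the app's refresh token is what actually closes the path the user opened.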
Conclusion
The environment CISOs are now faced with securing is changing rapidly and, now more than ever, any data breach is likely to have far-reaching consequences, from the financial losses associated with downtime and regulatory fines to long-term effects on the organisation's operations, compliance, reputation and ability to remain competitive. Indeed, the IBM Security Cost of a Data Breach Report 2020 shows the average cost of a data breach in the United Kingdom is increasing year-on-year and has now reached US$3.90 million. What's more, organisations are taking longer to identify and contain a breach, now taking an average of 256 days.
CISOs have done extraordinary things to ensure business continuity in recent months, overcoming operational challenges that many, if not most, organisations never once considered possible. But as we move into 2021, CISOs will need to consider 'mobile security' on a much broader scale if they are to ensure their organisations are prepared for the challenges ahead.
www.intelligentciso.com