Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/10/2017
10:30 AM
Matthew Gyde
Matthew Gyde
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Keep Employees Secure, Wherever They Are

As workers grow more dispersed, organizations need to focus on three areas to maintain security.

Nearly 80% of professionals work remotely at least one day a week, and 1.55 billion others are expected to work outside the boundaries of the corporate office by 2020, according to Frost & Sullivan research. This shift to a mobile workforce is causing technology disruption because remote workers require different solutions and infrastructure, which can increase vulnerabilities. 

The security challenges aren't only the result of more employees working outside of the corporate office, but also the number of devices used by each individual. The same Frost & Sullivan report forecasts that more than 80 billion connected devices will be in use globally by 2025 — a staggering figure! Work has shifted from a place people go to daily to something people do, and as such, businesses need to be flexible, but not so flexible that their data and devices become security risks.

Cyberattacks have shifted as well, becoming less detectable by exploiting encryption and commonly used files. Malicious traffic is sent through encrypted HTTPS protocols, and malware increasingly uses transport layer security. Offices that don't upgrade their security tools and perform deep packet inspection on corporate Internet traffic will become a handy target for stealthy attacks. New attack methods are becoming progressively more common — such as pharming, in which links redirect users to fraudulent sites; vishing, the collection of personal information during a call; and smishing, where users receive texts with fraudulent links.

3 Areas to Focus Security Efforts
To properly secure the distributed workforce, it's best to focus on multiple areas. This allows organizations to place requirements around devices, applications, and network.

1. Devices are more than just laptops. Keeping employees efficient means the use of multiple devices — up to four tools each day, including cellphones, laptops, and wearables. And the rise of wearables opens a new enterprise security frontier. IT must secure these newer devices, especially because analysts predict that smart glasses and smart watches will see a high rate of enterprise adoption in the coming years. For these newer gadgets, IT can look to dynamic technologies, such as biometrics and GPS, and the type of information being accessed to authenticate the user rather than relying on static passwords.

Additionally, "bring your own device" (BYOD) policies continue to be a problem when it comes to data leaks. A well-designed BYOD plan that includes wireless LAN controllers and access points, a lightweight security mobility client, and robust identity services will help minimize device risks. Today's lightweight agile identity technologies use sophisticated cryptographic algorithms to locate security threats. As these solutions evolve to include geolocation and geosensing programs, identity management will become an important part of the security framework.

2. Newer generations demand flexibility. Generation X and millennial employees grew up with mobility solutions such as broadband, Wi-Fi, laptops, social media, and smartphones. They expect instant access to information from anywhere. The result is a new corporate structure rooted in flexibility and a dispersed workforce that demands collaboration software solutions and secure network connections.

The problem arises as remote access across unsecured wireless or LTE networks opens companies up to man-in-the-middle attacks, malicious apps, corporate espionage, and more. Even traditional applications such as Word and PDF documents create havoc when malicious codes are scripted into these files and then downloaded by unsuspecting users, ultimately launching a ransomware virus.

Cloud-based applications provide flexibility for mobile workers but also create issues because cyberattackers can hack in to steal user credentials, intercept data in transmission to the cloud, or access unencrypted files. An ideal way to protect against these threats is to extend security to the DNS through a cloud-delivered network security service. Predictive cybersecurity intelligence with live graphs of global DNS requests, along with other relevant information, can protect enterprises from attacks and assist in predicting future threats. This type of protection should also cover any off-VPN device and block the additional threat of malware, phishing, and other cyberthreats. Implementing cybersecurity operation centers for real-time monitoring of threats and security solutions can be useful, especially for remote workers.

3. Social media security education needed. LinkedIn, Twitter, Facebook, and other social media sites are very popular, especially among younger employees. And these platforms are also popular among cyberattackers. All employees need to be educated regarding personal information, such as birthdates, email addresses, and company names, that should and shouldn't be divulged online. Cyberattackers troll these sites to collect data and create targeted phishing attacks or use it to stalk or bully victims.

The best line of defense against cyberattacks for the mobile workforce is to take a more predictive stance. For instance, enterprises can create a "red team" — a group that challenges organizations to become more effective — to proactively hunt cyberthreats, improve security strategy, and train analysts with regular cyberdrills. And when was the last time your company ran a vulnerability assessment on its larger network and VPN,or a penetration test across its cloud solutions? Both evaluations can be used to identify critical gaps in the IT and operational technology environments. Finally, educating the mobile workforce about the dangers of unsecured wireless networks, social media hacking, and device usage will be the best line of defense for all companies.

Related Content:

Matthew Gyde is a group executive for the security business unit at Dimension Data, an ICT solutions and services provider. He joined Dimension Data in 2005, having been in the security industry for the previous 10 years in various roles across clients and service providers. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
John_Cheek
50%
50%
John_Cheek,
User Rank: Apprentice
4/4/2017 | 9:22:41 AM
Pitfalls of Working Remotely
I believe that the number of people who work remotely is growing rapidly, and employers should pay more attention to the security of these colleagues. While it's hard to track someone's private computers, companies should know that their secret info won't be revealed for sure. Thus, there are some pitfalls for companies that should be overcome
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11931
PUBLISHED: 2019-11-14
A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prio...
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.