By David Cummins, VP of EMEA, Tenable
David Cummins discusses the rising cyberthreat that businesses face from the ‘new-normal’ of remote and hybrid work following new research conducted by Forrester Consulting on behalf of Tenable.
In September 2021, the U.K. government announced plans that will grant all employees the right to request flexible working from their first day of work. This cements the obligation organisations have to permanently adopt hybrid and remote working. This new world of work, however, introduces new, and largely unmanaged, cyber risk, creating a dispersed and attractive attack surface for threat actors to exploit. Here’s what you need to know.
In the 18 months since work-from-home mandates were enacted as a result of the pandemic, many U.K. organizations have shifted to long-term hybrid and remote work models. The upcoming law change will mean more people are likely to opt to work from home, as the waiting period to request flexible work after six months in a role disappears. As the home network morphs into the corporate network, greater risks of cyberattacks and business impacts are imminent.
At present, 70% of U.K. organizations have employees working remotely, compared to 30% prior to the pandemic, with 86% either planning to adopt a remote working policy long-term or have already done so. This data is drawn from a study1, conducted by Forrester Consulting on behalf of Tenable, that surveyed more than 1,300 security leaders, business executives, and remote employees worldwide. The study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, was conducted in April 2021 and also included 168 respondents in the UK.
Introducing a hybrid working model is complex
Switching to a flexible work model calls for three significant shifts, all of which serve to atomise the attack surface:
- The removal of traditional workplace perimeters given the introduction of technologies that allow employees to work from anywhere.
- The movement of business-critical functions to the cloud.
- The vast expansion of the software supply chain and implementation of new tools for enhanced collaboration, communication and productivity.
These new working practices have caused the corporate attack surface to explode, with many organizations left struggling to process and address the new risks introduced.
A hybrid worker could be in the office one day and the next they could connect remotely via home routers or Wi-Fi hotspots in third workspaces, such as coffee shops or hotels. The study also found that 33% of U.K. security leaders have high or complete visibility into personal devices remote employees may be using for work.
In the aftermath of the pandemic and its ongoing effects, 46% of U.K. organizations transitioned business-critical functions to the cloud to enable accessibility from home — this included accounting and finance (42%) and human resources (33%). When asked about the increased risks, 80% of U.K. respondents believe their organization is more exposed as a result of moving business-critical functions to cloud systems. Just as concerning, 58% of U.K. respondents attributed at least one business-impacting cyberattack2 to a third-party software vendor compromise within the last year.
Despite the rising popularity and acceptance of remote working, half (51%) of U.K. security and business leaders feel they are not well equipped or prepared to support the new world of work securely.
Attackers are taking advantage
The concern from business executives is certainly understandable based on the evidence. The research found that 90% of U.K. organizations experienced a business-impacting cyberattack in the last year, with 51% falling victim to three or more. When focusing on the root of these attacks:
- 72% resulted from vulnerabilities in systems and/or applications put in place in response to the pandemic
- 68% targeted remote workers or those working from home
- 63% involved an unmanaged personal device used in a remote work environment
- 51% resulted from VPN flaws or misconfigurations
- 51% involved cloud assets
We need to change the way we think about risk
This change has highlighted that cyber risk is a business risk, and as such should be viewed and prioritised as other threats facing the organisation.
One benefit, if we can call it such, to come from hybrid work models and a digital-first economy is that together they have catapulted cybersecurity to the forefront of organisational concerns and priorities. Security now warrants the necessary investment in order to ensure protection to employees, customers and entire organisations. It’s comforting, then, to know that, to address the issue, 75% of U.K. security leaders plan to increase their network security investments over the next 12 to 24months — with 73% planning to increase spend on cloud security, while 66% plan to spend more on vulnerability management.
The new mode of working has caused ripple effects in the corporate network, causing a move from perimeter-based security architectures. Businesses require visibility into the entirety of the attack surface to be able to manage and measure cyber risk across operational technology (OT) and IT systems on a single platform on-premises and in the cloud. Jointly, they need to determine where vulnerabilities exist in this way and the potential impact if exploited.
In tandem, another key focus is Active Directory, developed by Microsoft for Windows domain networks that helps organise a company’s users, computers and more. Given the disbanding of traditional perimeters, the configuration and management of user access is more important than ever. Building user risk profiles based on changing conditions, behaviours or locations, means that the organisation can continuously monitor and verify every attempt to access data before granting or revoking the request. This provides the security team with clear visibility of their entire threat landscape, the intelligence to foresee which cyberthreats will have the greatest business impact and controls to address cyber risks.
If staff continue to treat cybersecurity as an afterthought and fail to stay up to date with business changes, threat actors will have a field day. It’s imperative that organisations find ways to protect sensitive data in the new world of work.
- The data is drawn from ‘Beyond Boundaries: The Future of Cybersecurity in the New World of Work,’ a commissioned study of more than 1,300 security leaders, business executives and remote employees, including 168 respondents in the U.K., conducted by Forrester Consulting on behalf of Tenable
- A business-impacting cyberattack is one which results in one or more of the following outcomes: loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property