A little over a year ago, enterprises large and small rushed their employees into remote work as COVID-19 morphed into a full-blown pandemic. Now, a little past the one-year anniversary of the work-from-home experiment, companies and even government agencies are beckoning workers back to corporate offices. That's going to have a big and unpredictable effect on many things, including cybersecurity.
Analysts believe that many large organizations are likely to wait until later this year to require some, but not all workers, back into an office. Microsoft, however, took the lead in late March by opening its Redmond headquarters as well as some nearby campuses. Not long after, Amazon noted that it wanted to return to an “office-centric culture” with some employees returning by the summer.
It’s not only tech companies that are beginning to call workers back to physical offices. New York City Mayor Bill de Blasio wants municipal workers to return to physical offices by May 3 as the eligibility for COVID-19 vaccines expands, according to the New York Times.
Not all firms (tech or not) are eager to return to offices. The Wall Street Journal found that companies ranging from Salesforce to JPMorgan Chase are shedding office space as they see remote work continuing. And employees themselves are not eager to return full-time to offices either. In June 2020, a World Economic Forum study found that three out of four wanted to retain some flexibility over their schedule.
All these factors are leading to what many industry observers are calling a hybrid workforce, with a mix of employees working from home and corporate offices. And while this approach might help get enterprises back to normal after a year of COVID-19 trauma, some analysts worry that it could lead to other issues—namely, creating more cybersecurity headaches.
“There will surely be a surge in security-related issues as employees return to the office,” John Morgan, CEO of security firm Confluera, told Dice. “Organizations, however, need to be even more vigilant after the surge subsides as hackers have now gained a foothold in the corporate network and are traversing laterally under the covers.”
CISOs and their security teams are continuing to grapple with the shift to work-from-home environments; cybersecurity took a backseat to the overall push to get workers up and running as fast as possible. This included greater reliance on cloud-based and SaaS applications, especially collaboration tools, as well the rush to get devices, especially laptops, into the hands of workers without thinking of all the possible security shortfalls.
These devices are now returning to corporate networks after a year of unsecured or poorly secured work. At the same time, more data is uploaded to the cloud—and could be downloaded onto either a corporate or home network with weak security standards.
“As employees head back to the office, their way of accessing their data and corporate applications is going to change,” Charles Henderson, global head of IBM's X-Force Red, told Dice. “Also, employees have been away from centralized IT functions for quite some time and you don’t know what type of baggage they’re bringing back with them from their time at home—from malware to poor practices and poor security hygiene. It will be difficult for most security managers to predict how that will affect their organization.”
Here’s a look at some of the cybersecurity issues that organizations large and small face as corporate doors start to open once again.
Over the last year, phishing has become a growing concern for CISOs and their security teams, as fraudsters and cybercriminals have taken advantage of not only poorly secured home networks, but also the confusion and uncertainty raised by COVID-19. Those fears, in turn, lend themselves to malicious messages and domains disguised as important news updates, alerts or sites offering important information.
A report published by security firm Proofpoint found that 57 percent of organizations reported a successful phishing attack in 2020, an increase from the 55 percent that reported the same in 2019. During those successful attacks, 60 percent of organizations reported data loss, while 52 percent found a loss of credentials or account compromises.
Stephen Banda, a senior manager for security solutions at Lookout, believes that the increase in phishing will likely continue, especially when employees bounce between home and corporate networks and fraudsters take advantage of the new, hybridized environment.
“The hybrid work environment provides a new context for phishing attacks,” Banda told Dice. “Cybercriminals will exploit this hybrid workforce scenario in various ways. For example, by masquerading as a human resources manager, an attacker might launch a phishing campaign that includes a remote work policy document. The message could require that employees click a link to accept the policy or download the document, which could contain a virus.”
Part of the concern also comes with a resurgence of the BYOD movement, which now includes remote employees bringing both devices and apps back into corporate networks. This can create issues with CISOs and their security teams having to manage personal as well as corporate devices.
“The convenience of using the same set of devices to balance work and personal lives is too great to part with. This means CISOs will need to invest in cybersecurity that works across both managed and unmanaged personal devices. These solutions will need to respect user privacy while securing the organization's data,” Banda said. “CISOs will also need to manage security for a broader range of cloud applications that are in use. With the demand for BYOD, organizations now face the challenge of gaining visibility in the apps in use across their organization.”
He added: “From a mobile perspective, apps can have permissions and capabilities that do not comply with company compliance requirements. Solutions that can identify apps that contain vulnerabilities or present risk to an organization and apply policies to limit use will be essential.”
Some security analysts also believe that an emerging hybrid workforce is a time for businesses and other organizations to get a better handle on the development process by baking security into the DevOps cycle—DevSecOps, in other words.
While not directly related to COVID-19, the suspected nation-state attack that targeted SolarWinds and its customers (discovered in December 2020) showed how much the software development and update process can be corrupted. With developers expected to come into offices while also working from home, the hybrid work model could open a way for security professionals to get a seat at the application development table. In turn, this could lead to better security practices baked into the application development process.
“Security can help developers with more remediation insights into the quality of their code—Kubernetes and container security tools can highlight misconfigurations in those critical dev components, and API security tools can similarly highlight vulnerabilities in a company’s APIs,” Michelle McLean, vice president at Salt Security, told Dice.
“At the same time that security provides those posture insights, they should also be backing up the developer with runtime security, looking for malicious activity in production to spot attackers in action,” McLean continued. “Security’s mission should span both directly helping developers write more secure code and at the same time deploying active controls in runtime to prevent a developer’s mistake from costing the company in compromised availability or data theft.”
Identity Is the New Perimeter
For some, the coming hybrid workforce likely means the end of perimeter security. The focus now has to be on issues of identity, privileged access and knowing that no one person or application can be trusted. This opens the door for security pros who want to embrace new strategies such as zero trust architectures.
“Organizations must adapt and prioritize managing and securing access to the business applications and data, such as that similar to the BYOD types of devices, and that means further segregation networks for untrusted devices but secured with strong privileged access security controls to enable productivity and access,” Joseph Carson, chief security scientist and advisory CISO at security firm Thycotic, told Dice.
“Organizations are looking to a zero trust strategy to help reduce the risks resulting from a hybrid working environment. This means to achieve a zero trust strategy, organizations must adopt the principle of least privilege that enables organizations to better control user and application privileges elevating only authorized users,” Carson added.
IBM’s Henderson noted that, while businesses might be eager to adopt newer security methods and tools such as zero trust or secure access service edge (SASE), these are long-term security projects and fixes that will continue no matter what the workforce looks like next year and beyond.
“A shift to zero trust is probably going to be easier, but just saying you’re implementing zero trust won’t solve everything—this is a multifaceted solution,” Henderson said. “Organizations need to be running assessments to see what their exposure looks like—test, don’t guess. Once you realize there’s a problem, it’s too late to start doing assessments, so early detection is key. And since the return to a sense of normalcy in the workforce is inevitable, it’s time to start preparing now.”