
Sponsored by Citrix

How do we secure the hybrid office?

The key to overcoming new threats is to develop a comprehensive security policy, encompassing both remote access and application protection.

As the pandemic has transformed how, when and where we work, banks have successfully capitalised on the opportunities hybrid working presents. But the rise of remote work has also introduced new risks. Businesses, however, can minimise these risks if they take time to understand them.

Remote working creates four major security challenges. First, employees are likely to access corporate data from unprotected devices; more than 40 per cent of remote workers have admitted to doing so. Second, workers are free to access these networks while using potentially compromised apps. Third, the home networks and remote wi-fi hotspots they use to access corporate networks are less likely to be secure. And fourth, while working in public spaces, employees are more likely to expose corporate data, such as by losing devices or displaying poor security etiquette. Speaking too loudly and allowing “shoulder surfing” can put sensitive data at risk.  

But remote access isn’t the only relevant security consideration. During the pandemic, a dramatic expansion of app deployment to the cloud has increased the cyber risk to companies further still. Many businesses that were already planning cloud migrations accelerated their plans, in order to take advantage of the increased flexibility cloud hosting can offer. It quickly gave companies the resources they needed, at a predictable price, to rapidly respond to the demands of homeworking. It also made it easier for remote IT teams to deploy new apps and to offer more functionality to employees and customers, as retail moved online.

However, pushing customer relationship management (CRM), enterprise resource planning (ERP) and other apps to the cloud significantly increases the attack surface that hackers can exploit. Communication pathways can be more difficult to secure, because businesses are reliant on public networks. This means there is a higher risk of third-party snooping, man-in-the-middle attacks and domain name system (DNS) spoofing. Further, web app developers also reuse significant amounts of code, from HTML to JavaScript, that may contain vulnerabilities.


Unlike applications hosted in data centres, you can’t simply firewall cloud-hosted apps and assume they are safe. The patch level of the underlying operating system of cloud-hosted apps may also be beyond the company’s control. And multiple deployment environments often have different security tools with different features, functionality and management systems, which leads to fragmentation and gaps in a company’s security posture. According to a survey by KPMG, three-quarters of companies use 50 or more security tools.

When viewed in their totality, these threats might seem overwhelming – but there are steps businesses can take to minimise the risks. This goes beyond simply providing employees with access to virtual private networks (VPNs) – the key to overcoming the threat is to develop a comprehensive security policy, encompassing both remote access and application protection. The best solution is to design for the most insecure access – remote working – and then when people are in the office, they can be protected by the same mechanism.

To do this, businesses need to defend their digital assets against three things: being taken offline, data exposure and data manipulation.

Distributed denial of service (DDoS) attacks are the number one reason businesses are taken offline, leading to lost business, customer dissatisfaction and even legal exposure. DDoS attacks cost small and medium-sized businesses an average of approximately $120,000 and enterprise-sized companies $2m on average. Given the potential consequences, it is no surprise that businesses increasingly require DDoS mitigation services to protect their applications and digital infrastructure.

IT teams must also think carefully about restricting data access. VPNs are very binary – a user is either on the network or not – and this can lead to excessive access. A zero trust network access (ZTNA) approach is inherently more secure because it gives companies the ability to exert granular control over network access. Citrix’s Secure Private Access (SPA) allows IT teams to enforce the access policies they create and provide contextual access on a per user, per device, per application or environment basis.

Multi-factor authentication (MFA) is key to the zero-trust approach and prevents the reuse of compromised credentials. The Lapsus$ hacking group recently issued an appeal for insider usernames and passwords, in a bid to infiltrate corporate networks. MFA pre-empts such threats by requiring an extra form of verification before providing access to business-critical data.

Rigorous endpoint analysis is essential too. Citrix SPA ensures devices are correctly configured by asking the key questions for you. Does the device have a firewall? Is the antivirus software up to date? Is it a corporate device? Are you confident that no malware has been installed on it? SPA continuously monitors the status of the user and their device, and will take remedial action if an issue arises, killing the session and notifying administrators.

Protecting applications is equally important. Even the most considered and well-executed access policy can leave apps vulnerable to attack. Protecting internal apps is particularly important, because they contain the most sensitive data, from confidential commercial documents to intellectual property and personally identifiable information. However, such apps are often written internally and not designed with the same security rigour, or they are contracted out to developers who are not necessarily concerned with security. Can you trust them not to leave back doors?

As well as having the golden access to the data on which a business depends, apps are the currency of productivity in any modern business and the key point of engagement with customers. Citrix ADC’s web application firewall ensures that all input to apps is validated, while mitigating data exfiltration by employees and bad actors.

Ultimately, protecting the hybrid office with a comprehensive security policy is one of the most important tasks facing IT teams today. It is about maintaining uptime, controlling access and safeguarding applications from sophisticated attacks. Businesses are rapidly realising that VPNs are no longer secure enough; instead, they require myriad intelligent tools to support a zero-trust approach and protect their most critical data, apps and services.
