Going into 2021, many businesses face the realization of permanent telework status for a certain percentage of their employees. Few are prepared as vaccine release timelines continue to change and uncertainty remains the only certainty. Even without the element of telework, attack vectors and legal regulations are changing. Therefore, annual budgets must shift greater resources towards cybersecurity and technology to combat both the anticipated and the unanticipated threats.
Emerging threats continue to focus heavily on healthcare, the financial sector, and local government entities. However, cybercriminals adapt their manner of approach towards the vulnerabilities of a transitioning workforce. Currently, there is a surge in “Shadow IoTs,” which are internet-connected devices or sensors connected to a network without the host’s knowledge, such as laptops, smartphones, Bluetooth devices (like cars), and Fitbits – all of which may contain unsecured applications giving criminals an open door to sensitive corporate data.
Google and Android routinely identify and alert users to potentially dangerous applications, many of which are designed for children. An often overlooked risk is that parents download child-friendly applications on smartphones to entertain their children at restaurants and other public places and then use those same devices at work. On October 23, 2020, three applications aimed at children (Princess Salon, Number Coloring and Cats & Cosplay) were removed from the Google Play Store for data leakage and unlawfully collecting excess data in breach of Google Play policies.
More commonly used adult applications such as Pokémon Go, WhatsApp Messenger (currently at issue in federal court), WeChat, and Boyfriend Tracker were also blacklisted by Android and iOS operating systems. Allowing these and future unknown applications to access networks creates multiple vulnerabilities.
Therefore, and especially with growing numbers of teleworkers, Chief Security Officers and Chief Information Security Officers must have the financial resources to afford the following types of security mechanisms in 2021:
1. Endpoint Detection and Response Software: More than simple malware detection software, endpoint detection and response software, or EDR, is often cloud-based, and some vendors use artificial intelligence. Ideally, EDR systems should monitor all endpoints continuously and record all raw data for later investigations and analysis while actively engaged in threat hunting activities. In the event of malicious activity, EDR can provide real-time alerts and pinpoint the origin, possibly segregating the threat from healthy portions of the network.
2. Multifactor Authentication VPNs: Virtual private networks (VPNs) allow employees remote access to their employers’ private servers by creating secure connections. However, they are historically only password-protected, and infiltration into the host computer itself can reveal saved passwords or credentials, negating the purpose of the VPN itself. Accordingly, multi-factor authentication is imperative, and it can be easily implemented with applications like Duo Security or Google Authenticator. The employee enters a password and is then prompted for a second password, which appears in a text message or in an application on his or her smartphone, before being granted access to the VPN.
3. Network Access Control: Designed to handle large networks with a mix of devices, Network Access Controls or NACs log and monitor all activity coming through the company’s VPN. A NAC can set policies for resource, role, device, and location-based access and enforce compliance with security and patch management policies, among other controls. It creates a security baseline for any endpoint attempting to connect and mandates access controls that block, quarantine, and manage degrees of access for guests and certain employees. NACs also help eliminate the prohibition against “Bring your own device” policies, which are often required for multifactor authentication.
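
The two-step VPN login described in item 2, sketched in Python as an added example (not code from this article or from any vendor it names). It assumes the smartphone application produces time-based one-time codes per RFC 6238, as Google Authenticator does; the `VpnLogin` class, the password and the shared secret are constructed for illustration.

```python
import hashlib, hmac, os, struct

STEP = 30  # seconds each code is valid (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class VpnLogin:
    """Hypothetical VPN gateway account record: password plus one-time code."""

    def __init__(self, password: str, secret: bytes):
        self.salt = os.urandom(16)
        self.password_hash = _hash(password, self.salt)
        self.secret = secret   # shared with the phone app at enrollment
        self.last_step = -1    # newest time step already accepted

    def authenticate(self, password: str, code: str, now: int) -> bool:
        # Factor 1: the password, compared in constant time.
        if not hmac.compare_digest(_hash(password, self.salt), self.password_hash):
            return False
        # Factor 2: the code for the current 30 s step, or one step either
        # side to tolerate clock drift between phone and gateway.
        current = now // STEP
        for step in (current - 1, current, current + 1):
            if step <= self.last_step:
                continue  # each code is single-use: reject replays
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False

if __name__ == "__main__":
    # Constructed sample: the secret is the RFC 6238 test key, not a real credential.
    account = VpnLogin("correct horse", b"12345678901234567890")
    print(account.authenticate("correct horse", totp(account.secret, 59), 59))  # accepted
    print(account.authenticate("correct horse", totp(account.secret, 59), 59))  # replay refused
```

A password recovered from a compromised host fails the second check on its own, and a code captured in transit is refused once it has been used.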