In recent years, the modern office has evolved rapidly, with workforces becoming more mobile and geographically dispersed than ever before. Even before COVID-19, modern businesses were embracing the remote working model, and the average Fortune 500 company had over 300 offices around the world. In recent years – to attract and retain top talent who often see hybrid working as a priority – innovative companies have placed even greater emphasis on flexible workplaces. As we move past the worst of COVID-19, it doesn’t look like we’ll ever see a return to the pre-pandemic office. In fact, it’s estimated that by 2025, 70% of the workforce will be working remotely at least five days a month.
To stay productive while working remotely, employees use many different cloud-based apps, such as Microsoft Teams and Monday.com. While these apps are a boon to employee efficiency, their use has created challenges for IT departments and opened up new security vulnerabilities. To better understand what is happening in their networks, IT professionals often rely on an increasing number of monitoring and management tools. Simultaneously, they must defend against attackers who relentlessly pursue dangerous new attacks.
Even before the rapid global adoption of remote working, businesses faced a sharp increase in cyber threats, including the professionalization of hacking groups and the rise of ransomware and phishing attacks. Today, dispersed workforces have expanded threat surfaces, and highly sophisticated threat actors constantly exploit the challenges posed by remote work for financial gain, for example by stealing intellectual property or carrying out attacks on the supply chain.
Five ways to reduce vulnerabilities
At SolarWinds, we’ve seen the threat landscape evolve. Below are five steps we’ve taken as an organization that we hope can help other IT departments reduce vulnerabilities and become secure by design:
1. Limit Shadow IT
Having control and visibility over all parts of a network is essential. This means understanding what employees are doing and what data and resources they are accessing. Unfortunately, the dispersed modern workforce makes this a particular challenge due to “shadow IT”. Shadow IT primarily concerns employees who use technologies or services, such as Dropbox or Google Workspace, that the company’s IT department has not approved. While using productivity apps like these may seem like a harmless practice at first glance, shadow IT inherently prevents teams from having control and visibility over their systems, which can lead to data loss and an increase in the number of applications and services that attackers can target.
2. Embrace Zero Trust
As companies adopt long-term hybrid and remote work policies, it is essential to monitor and secure not only a company’s workforce, but also its resources and data. At its core, the zero-trust security model tightly protects corporate resources while operating under the “presumed breach” mentality. This means that every request to access company information or services is checked to prevent unauthorized access to the network. With policy management, multi-factor authentication, and consistent network monitoring, enterprises can leverage zero-trust principles to prevent or report unusual or unauthorized access to corporate resources based on user identity, location and other key criteria. At a time when more employees are accessing more information in more geographies than ever before, zero trust is a powerful tool to help improve visibility, effectively identify threats, and mitigate vulnerabilities.
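An illustration of the per-request check described above, added here and not SolarWinds code: each request is evaluated against identity, MFA, location and device state, then denied, allowed, or allowed and reported. The policy table, user names, countries and the device_managed field are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: resource names, groups and countries are hypothetical.
RESOURCE_POLICY = {
    "hr-records": {"groups": {"hr"}, "countries": {"US", "IE"}},
    "source-code": {"groups": {"engineering"}, "countries": {"US", "IE", "PL"}},
}
# Constructed baseline of where each user normally signs in from.
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"PL"}}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    resource: str
    country: str          # derived from the request's source address
    mfa_passed: bool
    device_managed: bool  # assumed stand-in for "other key criteria"


def evaluate(req, usual=USUAL_COUNTRIES):
    """Check one request; return (decision, reasons).

    decision is 'deny' (prevent), 'report' (allow but flag) or 'allow'.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return "deny", ["unknown resource"]  # default deny, never default allow
    reasons = []
    if not req.mfa_passed:
        reasons.append("MFA not satisfied")
    if not req.groups & policy["groups"]:
        reasons.append("identity not entitled to resource")
    if req.country not in policy["countries"]:
        reasons.append("location not permitted")
    if not req.device_managed:
        reasons.append("unmanaged device")
    if reasons:
        return "deny", reasons
    # Every rule passed, but the location is new for this user: let the
    # request through and surface it to monitoring.
    if req.country not in usual.get(req.user, set()):
        return "report", ["unusual location: " + req.country]
    return "allow", []


if __name__ == "__main__":
    req = AccessRequest("alice", frozenset({"hr"}), "hr-records", "IE", True, True)
    print(evaluate(req))
```

Collecting every failed rule before denying, rather than stopping at the first, gives the monitoring side the full reason list for each blocked request.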
3. Strengthen software development processes
While the majority of cyberattacks aim to steal data, money, or intellectual property, software development companies must also defend against another unique threat: supply chain attacks. These attacks occur when hackers access and manipulate code that could impact users of the affected software. To help prevent attacks and ensure resilience against them, the integrity of the software build process and environment should be of utmost importance to software development companies.
At SolarWinds, we have prioritized upgrading and strengthening our own software creation process. One thing we’ve learned that we think other companies should adopt is to develop pieces of software in multiple separate environments, each requiring different security credentials to access. Creating code in these parallel, secure environments makes it harder for hackers to obtain or corrupt a complete product. Companies can further strengthen their software development process by implementing dynamic environments, which are build locations that are automatically destroyed once they are no longer in use. These dynamic environments are critical because they eliminate the ability for attackers to infiltrate and stay inside a network.
4. Take advantage of red teams
Identifying vulnerabilities and assessing threats doesn’t have to be a tedious practice. One strategy companies can adopt to reduce the need for IT departments to identify every threat is to use red teams, which scan a network for vulnerabilities and simulate attacks in real time. Some of these simulations include phishing campaigns or brute force attacks. These red teams help keep IT employees’ skills sharp, ensuring they’re ready to adapt, stay ahead of bad actors, and thwart attempted breaches. In addition to attempting intrusions, red teams also document every step of their process to break down attack methods and implement prevention techniques.
5. Make your staff part of your defense
There is no doubt that the technology and automated processes that a company employs play an important role in security and preventing hacks and breaches. The many proven solutions that security experts have developed to stop hackers are simply amazing, but regardless of the available technology, a large amount of risk is always produced by humans and our behavior. To create a truly secure network environment, companies must treat every employee as part of the security team. Companies should hold regular training sessions to ensure that employees practice good cyber hygiene and keep up to date with the latest hacking methods.
Becoming “secure by design” is now a C-level priority and no longer just an IT responsibility. With the rapidly changing threat landscape and the new reality that any business – large or small – can and will face sophisticated new threats, community vigilance across the organization and industry as a whole is needed to defend against these challenges.