Securing remote work

Nearly 80% of enterprise security officials said they encountered widening visibility gaps during the COVID-19 pandemic, as the rapid shift to work from home made it more difficult to monitor the security of remote workers, according to a study by Enterprise Strategy Group, commissioned by Axonius. The study included 500 IT and security decision makers across North America, Europe, the Middle East and Africa and the Asia-Pacific region. 

For 79% of respondents, there is a widening visibility gap in their cloud infrastructure, while 75% said the gaps had widened for end-user devices and IoT environments. Organizations, in some cases, reported 3.3 times more security incidents, according to the report. 

About three-quarters of organizations expect the number of remote workers at companies to increase, even after pandemic recovery begins and workers begin to return to the office. Four of every five respondents said their companies will invest more money into securing corporate assets.

Since the early days of the pandemic, companies have struggled to get a clear view into security threats and employee endpoints. Companies made immediate decisions about sending employees home from the office a year ago, and the environment became increasingly complex as companies in many cases had to move their various streams of data into multiple buckets. 

"The shift to remote happened overnight, and that's where we're seeing a lot of the visibility challenges," Nathan Burke, chief marketing officer at Axonius said. "Now you're using four or five or more cloud providers, rather than 'Am I cloud, am I on prem or am I hybrid,' it's how cloud am I?"

Companies have also had difficulties monitoring their systems for security threats, Burke said. Companies have security tools that scan for various vulnerabilities, however the tools that may work for on-premises environments may not be able to move at the speed required for a cloud environment, he said. 

The report echoes previous findings about the rapid shift to work from home, as companies rushed to keep the enterprise afloat at the start of the pandemic. Security considerations often became an afterthought. 

Research from Gartner shows that companies have struggled to manage security in an environment where you have to scale the number of remote workers over long periods of time. 

"It's essentially not a case of blind spots but a change in dynamic as to what to monitor," Pete Shoard, Gartner Research VP said via email. "As security professionals we have historically focused on what crosses the threshold. The remote work environment and the need for cross-platform compatibility has meant abandoning the perimeter as the primary focus and moving towards monitoring of behaviors of individuals (or their accounts) when interacting with systems and applications."

Over the past 18 months of the pandemic, there was a major shift in the job market. It went from shut down-induced, massive layoffs to the Great Resignation, with thousands of employees deciding to walk away from their careers.

Companies across industry verticals are scrambling to fill their vacancies.

"The pandemic has forced people across the country to rethink their careers," said Rob T. Lee, chief curriculum director and faculty lead at SANS Institute. "It has created a massive workforce gap, something cybersecurity was already facing before the start of the pandemic."

There are nearly half a million total cybersecurity job openings right now across all disciplines within the industry, according to Cyber Seek data. The skills gap has challenged the industry for years; however, one area where the talent gap is glaring today is the lack of availability for non-technical professionals to gain cybersecurity training for the first time. 

Not only are cyberthreats on the rise, they are evolving with technology. AI, for instance, is as likely to be used to launch attacks as to mitigate them, creating a high need for those tech skills. 

"Identifying talent gaps in an industry that's moving so fast is a challenge because it's hard to define the exact skills you need," said Chris Reffkin, CISO at HelpSystems. 

Think about an IT security role today and then look at how much that job role has expanded in the last two decades. The roles aren't the same. In fact, the landscape is moving so fast that a new college graduate's training is already behind.

However, cybersecurity is one of the few industries made stronger by the pandemic. The quick move to remote work put companies on high alert for increased cyber risk and the need to strengthen the cyber workforce.

"The rise of remote working has opened opportunities in the cybersecurity recruitment market. High performers can now look beyond their local market and work effectively from anywhere," said Reffkin. 

Attracting and retaining employees

Anyone with cybersecurity experience has a lot of options and will likely field a number of different offers. The challenge for organizations is to recruit the right talent for their needs. Once the new hire is onboarded, organizations need to keep them happy so they'll stay. 

Recruitment begins with expanding the idea of what cybersecurity professionals look like. The cybersecurity industry has not done a good job of addressing its "overwhelming white-ness and male-ness," according to the Aspen Institute. 

"A data repository containing sample profiles of successful hires from a wide diversity of experiential, educational, and cultural backgrounds could help hiring managers adjust job requirements and focus on the skills new hires actually need," the Institute said in its report, "Diversity, Equity and Inclusion in Cybersecurity." 

The Aspen Institute also suggested a shift in the narrative of who makes a good cybersecurity professional so people can picture themselves in the job. Organizations should write those job descriptions plainly so candidates know exactly what is expected and what the company is looking for.

Cybersecurity professionals expect to make a good salary, so the offer has to be attractive, but it isn't as much of a key factor as one might expect. Many enter the field because they enjoy the variety and the constant change. 

"If security professionals don't see a path to evolve their career or be continuously challenged, they'll start looking elsewhere," said Reffkin. 

That's when businesses might have to bump up the pay incentives, but in the long run, employees want to be in an organization that makes security a high priority and makes the necessary investments in staff and technology. Being on the cutting edge of new products and ideas will keep employees on staff for years. 

Beware of burnout

The Great Resignation happened because workers realized there is more to life than spending years at a company that doesn't appreciate its employees. Cybersecurity was suffering from career burnout long before the pandemic, and that added to the talent shortage. 

Burnout must be taken seriously. Having adequate staffing is just part of the solution. Automation tools play a big role in burnout prevention, too.

"So many tasks exist within cybersecurity that are very detailed and tedious. If you can create robust algorithms and code to handle a portion of these necessary tasks, you take a large burden off staff," said Emily Burke, HR director at Nuspire.

The pandemic can be a turning point for finding and retaining cybersecurity talent. Remote work offers flexibility for both sides that wasn't there before. And maybe leadership is learning how to better appreciate its staff. 

"If an organization can offer great team dynamics and people, competitive pay, creative benefits, ongoing cutting-edge tech training, and the ability to make an impact and get the 'bad guy,'" said Burke, "why leave?"

If there is one predictable constant in cybersecurity, it's the omnipresence of ransomware. As Mandiant put it best, "There's no end in sight for ransomware."

But don't expect ransomware to continue as we know it today. Mandiant predicts threat actors will develop new ways to gain a profit from ransomware, starting with a shift to globalized attacks.

"Indictments, arrests, seizures of funds, and cyber offensive operations against threat actors and their infrastructure by U.S. law enforcement will cause threat actors to reevaluate which countries they target," said Charles Carmakal, SVP and CTO with Mandiant.

The common thread around these trends is cybercriminals finding a way to manipulate corporate data, and for that problem, there really is no end in sight. As 2022 unfolds, here are four cyberthreat trends to watch: 

Paying ransom won't stop data publication

Paying a ransom probably won't stop threat actors from placing stolen data on the dark web or using it for extortion purposes, Mandiant warned. That's because of infighting in cybercriminal rings.

"Often, conflict arises within these groups as a specific actor may feel like they're not getting paid their fair share," said Carmakal. 

To retaliate, the disgruntled threat actor in the group could decide to publish some or all of the data after the ransom is paid. As greed around ransom grows, expect it to impact post paid-ransom behavior. Individuals could break away from the group and hold the data ransom multiple times. 

"The more this happens, the more it's going to affect the way organizations think about making ransom payments," said Carmakal.

Ransomware as espionage

There has been at least one international cyberattack conducted as an act of espionage in 2022. As tensions between countries escalate, Carmakal also anticipates governments will leverage ransomware in extortion operations.

Threat actors will use masquerading ransom or extortion operations to disguise the objectives of some intrusions, especially when there is conflict between nations.

Attacks on the software supply chain

This year, cybersecurity experts are sounding the alarm on attacks to the software supply chain, especially after 2021 ended with the Log4j flaw. 

"Log4j is not the first or last software supply chain vulnerability, but it is by far the most widespread and easy to exploit weakness that we've seen in many years — including SolarWinds," said Kumar Saurabh, CEO and co-founder of LogicHub. 

The Log4j vulnerability impacted the logging feature of Java, which runs on billions of devices, especially internet of things (IoT) devices, many of which have some form of logging enabled. Seeing how vulnerable these ubiquitous and often ignored codes are in open source software, threat actors will up the ante and go after other forgotten code to exploit.

"What's critical now is careful monitoring of logs from all possible security tools. Unfortunately, many security teams are already flooded with security alerts, and often don't monitor all logs because of excessive storage costs with many SIEM tools," Saurabh. 

It is another type of attack that could be attractive to nation-states looking to infiltrate governments or wreak havoc on the systems that control the critical infrastructure. A powerful zero-day exploit can fetch top dollar on the black market, but it might be worth even more if it remains closely guarded in the toolbox of a sophisticated APT team, including those sponsored by a nation-state, ready to be deployed surgically without attracting too much attention. 

SMBs lack the manpower for in-house monitoring or keeping track of the open source software supply chain. Nor can they analyze or reverse-engineer every software update a vendor sends them. Zero trust models may be the ultimate solution for this style of attack.

"Adopting the ‘assumption of breach' philosophy combined with an asset-based risk management and risk transfer program may be the only way to keep up with the bad guys," said Daniel Schwalbe, CISO at DomainTools.

Quiet attacks

While many cybercriminals tend to pursue high-profile attacks designed for financial gain, threat actors are increasingly trying to infiltrate companies and go unnoticed for a long period of time. These quiet attacks allow cybercriminals to exfiltrate data from servers and endpoints at a slow and steady pace.

In today's hybrid/remote work reality, the information on remote computers is typically less protected, putting it at higher risk for a stealth attack.

"Quiet threats are on the rise because cybercriminals are well aware of the value of data to business and other organizations," said Nigel Thorpe, technical director at SecureAge.

In 2022, expect email and other messaging systems to be the most popular point of entry for these quiet attacks, with the goal of compromising corporate communication systems. Cybercriminals can then infiltrate the corporate network and do damage from the inside without discovery. 

The majority (85%) of security operations centers (SOCs) increased their spending during the pandemic, according to the CyberRes 2021 State of Security Operations report. The report is based on a survey of 520 respondents within a database of IT decision-makers conducted by Dynata.

Almost 40% of respondents intend to invest in security solutions — including unified data lakes, attack surface management and red teaming — over the next 12 months. Nearly all of the respondents, 99%, already use the cloud for IT security operations. 

In addition to investment in security technologies, 97% of respondents are looking for more talent, particularly in attack detection and analysis, the survey found.

The COVID-19 pandemic placed pressure on SOCs — more than they were used to. The business continuity technologies companies were using could threaten security if deployed haphazardly. 

SOCs are the most successful when technology is routinely updated and the tech stack is effectively integrated, a 2020 Cisco survey found. The majority (71%) of respondents currently use security information and event management (SIEM) and log management (69%) as the foundation for other security technologies. 

While companies plan to acquire additional security solutions, they're less present in the technology stack. These secondary technologies include security orchestration, automation and response (SOAR), advanced threat hunting, and threat intelligence.

Given the remote work environment, only 52% of respondents said they are currently using attack surface management in the forms of endpoint detection and response (EDR) or endpoint threat detection and response (ETDR), according to the CyberRes report. 

More than one-third of respondents said they intend to acquire the solutions. But budgets that were once dedicated to EDR and SIEM may be redirected to extended detection and response (XDR) as it becomes more mainstream.

A company cannot adopt the tools it needs if it doesn't have the people necessary to run them. A SOC is incomplete with only technology. 

Cyberseek estimates there are more than 460,000 open cyber-related jobs in the U.S. Some of the largest talent gaps in cities "where cybersecurity is most needed," including Washington, Dallas and New York. 

For some CISOs, the onus to attract talent is on them and the standards they make. 

"There's definitely some elitism in the cybersecurity world," said Rebecca Harness, AVP and CISO of Saint Louis University, while speaking during a webcast hosted by Proofpoint Thursday. "Some of my best cybersecurity professionals in my organization are one to two years into their cybersecurity career."

Cybersecurity skills vary between hard and soft skills; it's unlimited to coding abilities, firewalls, risk analysis, or even computer skills. "We're setting the bar too high for entry-level positions. I think that's the biggest error in the cybersecurity security hiring process," said Aaron Baillio, CISO of the University of Oklahoma, during the webcast. 

SOCs would benefit most from onboarding talent skilled in attack detection and analysis, 72% of the CyberRes respondents said. Vulnerability assessment and patching, and security awareness training tied for second (62%), followed by incident response for 55% of respondents. 

Still, almost 10% of companies struggle with a lack of available skills in their SOCs this year — only 3% of respondents said they don't require any more staff. 

Any scarcity in skills could lead to a successful cyberattack, and security professionals know it. To compensate, SOCs are outsourcing, though even IT security managers can miss or ignore threat alerts if a queue is full. SOCs — whether internal or external — are overburdened. 

When devising an aligned cybersecurity and business strategy, companies should only identify their individual risks — not those of their industry or competitors, according to Jeffrey Wheatman, VP of advisory at Gartner, while speaking during the virtual Gartner Security & Risk Management Summit Tuesday. 

"How are we going to engage with our business stakeholders to strike the appropriate level of balance between running the business and protecting the business?" Wheatman said. Companies will be able to answer this once they've established overall business goals and identified risks.

The common issue security and business leaders run into is miscommunication, according to Wheatman. Either high-level business strategies are too vague for security leaders, or too much detail fails to resonate with business leaders. 

Companies need their security leaders to connect "what we know with what we feel" for stakeholders, Wheatman said. Oftentimes stakeholders will know cybersecurity is important for the business, but they don't exactly know why. 

Security executives cannot always present risks as negatives, sharing how a company will fail if a risk goes unaddressed. In some cases where risk is present, like IT modernization, taking the risk directly benefits overall business goals and competitiveness. 

The tactics and approaches to identifying risks that help move the business toward its goals will vary depending on the situation. "If you're very heavily in the cloud, you're going to need to think differently about how you're going to be implementing your controls," said Wheatman. 

Companies will have to develop metrics to track improvements over time. "These are the things that actually need to come after building this out and communicating," he said. 

Business goals will differ from company to company, and they all have to align with what the C-suite and board expects. Goals can range from growing revenue to creating more jobs or retaining customers. 

Leaders should not take goals unless it's specifically for their business, Wheatman said. "Don't make the mistake that folks make which is just to copy what comes in the toolkit or the template." 

Some stakeholders are concerned that their business goals are too "fluffy and abstract," but that is "actually better," said Wheatman. It's difficult for security and risk executives to connect "anything we do in security that's going to help raise revenue by 6% year over year," he said. "But you can talk about being the best, you can talk about reputation." For a quick win, executives can even refer to their company's website to find value statements, typically in the "about us" dropdown.  

When identifying risks, Wheatman advises leaders to stay away from too much technical jargon. "The phrase that I like to use is technology-related risks. These are risks that your organization faces, as a result of technology," including implementation, updates, the cloud and OT. The areas directly impacted by these technological risks include intellectual property protection, regulatory compliance or resilience. 

Companies can perform risk assessments or use peer support groups to find common risks, even though they should still be unique to an individual company. Companies can use audits, but Wheatman recommends staying aware of the checkbox nature of audits, and adding context. 

"Oftentimes, people have 20 to 30 risks — that is far, far too much," Wheatman said. Aim for between five and seven. 

In a global shift to remote work, more than three-quarters of IT decision-makers said their organizations were more vulnerable to cyberattacks against mobile devices compared with a year ago, according to a survey by Sapio Research commissioned by Menlo Security. The survey of more than 600 executives, including chief information officers and chief information security officers, included organizations based in the U.S., U.K. and Australia. 

Phishing has been the most common form of attack over the past 12 months, according to 71% of survey respondents. The survey showed 73% of IT decision-makers believe end-users are more susceptible to mobile attacks than they were five years ago.

More than half of participants said it's impossible for organizations to be ready for all the tactics used by malicious attackers targeting mobile devices. For 38% of respondents, it's impossible to keep up with the pace of cyberattacks targeting mobile.

The Menlo Security Mobile Risk 2021 report comes at a critical time both in the U.S. and abroad, as companies and other organizations are beginning to return to the office following the COVID-19 pandemic. 

Millions of workers in the U.S., U.K. and Australia have been working remotely since early 2020, with companies allowing employees and contractors to connect to the office using a variety of devices, including laptops, tablets and mobile phones. 

"Increasingly, workers are accessing their corporate applications and data from unmanaged devices," Mark Guntrip, senior director of cybersecurity strategy at Menlo Security, said via email. "This was clearly exacerbated by the enforced remote work policy in 2020 and the subsequent shortage of computing equipment available."

IT managers and CISOs have struggled to secure the perimeter at many organizations, due to a lack of endpoint visibility. Employees are also conducting work on a variety of operating systems using often insecure home Wi-Fi connections. 

Guntrip says mobile devices are less secure because of a combination of untrusted personal applications and data that are stored on the same device, as well as employees ignoring company security policies. 

Remote work has opened a number of attack vectors over the past year. VPN devices have become a major target of malicious attacks and APT actors have taken advantage of vulnerabilities in Pulse Secure, Fortinet and other VPNs in recent months, targeting government agencies, contractors and private companies. An old VPN profile was targeted in the May ransomware attack on Colonial Pipeline. 

Sapio Research conducted the survey, based on online interviews with 617 IT decision-makers, at companies with at least 1,000 employees. The survey respondents were invited by email and completed online surveys during April and May.

The majority of security professionals, 84%, are feeling burned out, according to a 1Password survey of 2,500 adults who work full-time primarily from a computer in North America. Five hundred respondents were security professionals in IT departments as managers or higher, and the remaining 2,000 respondents were from other departments in their respective companies. 

Of the significantly burned out security professionals, more than two in five said security rules and protocols are not "worth the hassle," the survey found. Only one in five somewhat burned out security experts feel the same.

Compared to other types of employees, twice as many security professionals (10%) are more likely to feel "completely checked out" of work. This leads the employees to perform the "bare minimum" of their job. 

The pandemic was a catalyst for the Great Resignation in the tech and security industries — adding to the existing skills gap in cybersecurity. Almost two-thirds of 1Password's respondents are actively looking for a new job, close to quitting their current job, or open to new opportunities. 

"Our findings show that 'ready to resign' employees are a significantly greater security risk for companies," the report said. Burned out security professionals are considered more of "flight risks" than those who are not burned out. 

The overall cybersecurity workforce grew to 4.2 million professionals in 2021, representing a 20% increase from 2020, a (ISC)² Cybersecurity Workforce Study found. Despite the increase in the workforce, the majority of respondents, 60%, said their organizations face risks directly related to staffing shortages. 

If existing security professionals are facing burnout, their effectiveness on the job will feel the impact. One in three 1Password respondents said burnout contributes to a decline in initiative and motivation, which also reduces compliance with security protocols. 

Threat actors leveraged human emotion throughout the pandemic, and burnout can lead to alert fatigue and analyst turnover. Skills in cybersecurity are already difficult to determine because of the rapid pace the industry and threats move in. 

"The biggest threat is internal apathy. When people don't use security protocols properly, they leave our company vulnerable," one survey respondent in security said. Nine in 10 security respondents choose security over convenience, yet they are still susceptible to shortcuts. 

Companies have high confidence in their cybersecurity because they can anticipate threats and plan a response. Individual security professionals have more confidence in their ability to find shortcuts than their non-security counterparts — and they try to resolve IT issues on their own, 1Password found. 

CISOs have become an integral part of the transition to hybrid work environments, as companies look to securely connect remote workers to sensitive corporate data while maintaining maximum productivity, according to a virtual panel of multinational CISO's hosted by Proofpoint.

The evolving threat of a criminal ransomware attack is a major concern, according to CISOs speaking on the panel. Two-thirds (64%) of CISOs fear their companies are at risk of a major cyberattack over the next 12 months, according to Proofpoint survey of 1,400 CISOs.

"What you're starting to see is the CISO is more and more part of the core business conversation and is seen as a business enabler," Paige Adams, global CISO at Zurich Insurance, said during the panel discussion. "As more and more companies are adopting cybersecurity as a core part of their strategy, the CISO is more often having a seat at the table."

Organizations ask their CISOs to secure a wide attack surface against some of the most advanced cyberthreats to ever face the enterprise, according to the panel. Corporate boards are demanding regular updates on the latest threats, while simultaneously asking CISOs to make sure workers meet business objectives in the most secure manner possible.

Prior to the pandemic, Zurich Insurance made investments in anticipation of a more collaborative work environment, including cloud-based VPN tools, according to Adams. Moving forward, CISOs will no longer be able to rely on traditional network protection mechanisms, but will have to make decisions based on the need to secure a mobile, remote workforce, Adams said.

The healthcare industry, for example, has seen explosive growth in the use of telehealth by physicians that were previously reluctant to use the technology, according to Martin Littmann, CTO and CISO at Houston-based Kelsey-Seybold Clinic, speaking on the panel.

The scale and operational changes in how to service patients opened new demands on both productivity as well as maintaining secure connections to protect confidential medical data.

"We had to quickly ramp up the need for more licenses and provide education around multifactor authentication for those who had not done it before," he said.

Littmann has grown increasingly concerned about the ransomware threat, citing a prior attack on a local hospital system in Houston. CISOs have worked to share information with each other about how to protect organizations against ransomware attacks, he said.

The focus over the past few months has been on how to backup data as a method of protecting against ransomware and extortion.

"We do multiple copies on multiple systems with multiple administrator accounts and multiple keys so no one piece of data, no one set of backup copies can be taken and ransomed by itself," Littmann said.