In recent times, the nature and composition of the workplace have changed significantly. The prevailing trend, acutely accelerated by recent events, sees workforces operating more remotely than ever.
However, how has this unprecedented re-calibration of the typical office environment impacted security considerations? In a nutshell, vastly. Nevertheless, an overwhelming number of corporate enterprises are yet to adjust their security postures accordingly. The traditional threats which could be fielded at the gateposts of corporate networks have given way to more advanced models. Now, elusive, evolving, and more intelligent attacks target the hardware of devices and the user. If businesses are to prosper in this new, more sinister landscape, they must be equipped with appropriate security defences.
A Comprehensive Insight Into Dominant Patterns Across The Marketplace
Each year, Jamf pulls together an extensive analysis of current IT risks posed to commercial sectors. Their statistical review encompasses data gleaned from over half a million devices in ninety jurisdictions. It also probes into the performance, reliability, and breaches observed in all functioning operating systems. These elements conspire to make Jamf’s ‘Annual Trends Report’ one of the most insightful device risk studies available.
This report ruthlessly highlights the gaps and inefficiencies in corporate defence strategies. Incredibly, last year, over a third of businesses knowingly permitted vulnerable devices to be tethered to their internal network. This was a staggering 11% uplift on figures for the same metric reported in 2020. Furthermore, a significant 7% of initially compromised devices were able to continue their connection to cloud services unchallenged. The right level of access on even a single device could unearth the most confidentially sensitive business data possible. Moreover, one in ten employees were subjected to phishing attacks, the currently favoured methodology for hackers and fraudsters.
Clearly, the requirement for action is inarguable. However, where do these risks originate, and what can companies do to avoid falling victim to these attacks? The Annual Trends Report offers five key market themes, capturing the nature, extent, and format of dominant threats. Moreover, the analysis also produces a raft of recommendations assembled to help companies orchestrate an appropriately agile security agenda.
Trend 1: Making Security Systems Fit For Purpose
As alluded to already, static, conventional anti-virus software designed to fight actors at the network perimeter is no longer relevant. As workforces become distributed, security defence programmes must account for increased accessibility from many network points. No longer are employees hardwired to a desktop in the relative security of conventional office spaces. Now, they demand solutions which accommodate increasingly portable working approaches. This requires not only greater location flexibility but also the ability to access more data on mobile devices.
As security systems need to exist outside the comfortable confines of internal networks, they must be self-sufficient and self-evolving. They must also be braced to respond to ‘live’ breaches and risk narratives swiftly. Businesses must determine the types of threats posing the most risk to the productivity of their organisations. Defence programmes can then be installed with appropriate risk indicators and ‘triggered’ into action when a device may be compromised. These levers are often set in motion by attempted jailbreaking and unauthorised malware installations.
However, research conducted by Jamf’s Threat Labs also emphasises the need to take action during phases of vulnerability. This produces a proactive defence to potential future issues, capturing the aforementioned necessity for security systems to be self-sufficient. In actuality, they must also be self-repairing, self-persistent, and self-aware.
This cautious approach is augmented by the rigorous scrutiny procedures of ZTNA (Zero Trust Network Access) security. These defence mechanisms ensure that device and user verification is only granted when safe credentials can be demonstrated. However, ZTNA can also promote the protection of personal data, which is integral in a business where BYOD campaigns are in play.
Trend 2: Acknowledging The Evolving Capabilities Of Threats And Attackers
Employees are reaping the benefits of a more relaxed working framework. However, with this increased flexibility comes an increased desire to access preferred tools and software. This requires users to be entrusted to safely navigate corporate platforms remotely and take heed of any warning signs. Unfortunately, many businesses leave workforces ill-equipped to identify potential security hazards. Attackers, increasingly sophisticated in their methods, are aware of this shortfall and resolve to target these users directly.
Buoyed by this vulnerability in a company’s security posture, phishers place traps in typical workplace applications. Office 365 is routinely targeted, whilst payment platforms such as Apple, PayPal, and Amazon are phishing destination hotspots. However, ever-more layered assaults on security are emerging, such as ‘smishing’, where compelling text message templates impersonate legitimate actors. These risks are consolidated by the nature of smartphones, which now clearly command the bulk of user online activity. A smaller screen, traditional trust in mobile device management systems, and concealed URLs all contribute to heightening vulnerabilities.
Trend 3: Offsetting The Security Needs Of The Business Against Protecting User Privacy
The relentless presence of smartphones in all aspects of society has concentrated huge amounts of data into a single device estate. As of this year, 89.8% of the global population regularly engages with a smartphone device. Therefore, as ownership proliferates, so does a device’s volume of capabilities, as technology seeks to keep pace with demand.
Consequently, employers have exploited mobile devices to drive business operational capacities and productivity. For various reasons, corporate firms sponsor several methods for equipping users with work-ready devices. These include permitting ‘BYOD’ solutions, providing corporate-owned but personally accessible smartphones, and facilitating business-exclusive devices. How businesses manage their fleet is inscribed in their security strategies and the reactivity of their integrated defence systems.
However, when do security measures become overly intrusive? And how do companies monitor real-time employee practices without undermining user privacy?
Unfortunately, there’s no silver bullet for addressing these questions; this is more about continuously walking a tightrope between business and private interests. However, in their self-evolving capacity, Mobile Threat Defence systems are growing more competent in facilitating a stronger balancing act. They achieve this by ringfencing private data generated by personal application usage whilst allowing an element of user autonomy.
The result? Hopefully, safe, secure systems that protect user productivity, preserve employee trust in the brand, and ward off illicit actors.
Trend 4: The End-User Paradigm
Despite the pressing need to protect user privacy and avoid shackling employees to obtrusive security policies, an uncomfortable truth remains. The reality is that end-users are ultimately the weakest link in the corporate defence chain. The statistics support this notion, with successful phishing and man-in-the-middle attacks disproportionately elevated versus other threat campaigns.
Last year, phishing activities, which are solely reliant on the interactivity of users, accounted for a colossal 36% of data breaches. The year prior, the FBI Internet Crime Report declared over $54bn worth of losses linked to phishing scams alone. This doesn’t necessarily cast blame directly on the consumer; some devices are compromised more by the dynamism of modern hackers than by the negligence of end-users.
Nevertheless, some entirely avoidable scenarios still facilitate a device becoming compromised. Shockingly, figures released by Jamf Threat Labs show that over 2% of corporate employees disabled their device lock screens last year. This offers front-door entry should a device land in the hands of an unsavoury actor.
Trend 5: Addressing The Risks Presented By Applications Is Becoming An Increasingly Challenging Endeavour
Applications play an integral role in device usage, with platforms assisting a range of workplace and social functions. However, this repeated interaction makes applications a favourable targeting point, with attackers consistently exploiting frequently presented opportunities. Malicious applications can infiltrate a device’s operating system and extract PII (personally identifiable information). This situation is often caused by ‘sideloading’, whereby users install content from outside the official app stores.
Jailbreaking, used to override default operating systems, can also facilitate the acquisition of these unwanted applications. These so-called ‘cracked’ apps, produced by unlicensed developers, are far more readily available to a device whose OS has been circumvented. From here, the device relies on user discretion instead of properly managed security defence mechanisms. In this scenario, businesses depend on IT and security teams to perform regular deep dives on application authenticity. Through this action, it’s hoped that sophisticated threats, such as those using trojan horse tactics, can be stopped at the source.
Pipeline attacks, which strike at a device estate’s pivot point, must be appropriately countered. Given that these efforts seek to infiltrate a manufacturer’s resilience, corporate enterprises can protect themselves by only using reputable developers. It’s also worth developers testing apps in synthetic, realistic environments before business handover. For those constructing in-house applications, it’s vital to minimise permissions in the development stage to only those requiring compulsory access. This will mitigate the risk of unwanted third parties undermining the future integrity of defence structures.
Creating A Solid Strategy For Managing Contemporary Security Threats
Although these five trends are prevalent in security discourses, only a handful of businesses are fully equipped with relevant defence strategies. In order to future-proof their success, companies must implement self-sufficient security, with self-evolving, strong defences integrated into device chipsets. But how do companies mobilise in this regard?
This seven-point plan illustrates the questions businesses must ask and the key steps that must be taken:
- What are the business’ requirements? How will end-users interact with authentication systems? Set parameters for access needs and understand productivity vs security balance.
- Constantly vet employee usage and permissions. What did they originally need, and what do they need now? This ensures that security narratives move with the needs of the business.
- What will the business’ acceptable usage policy look like? To what extent will employees be able to engage in personal device activity? Agree and establish an estate device ownership model (BYOD, COBO, CYOD, COPE?).
- Establish a programme of non-obtrusive security checks to preserve the device’s health and not infiltrate the user’s data.
- Address and constantly re-evaluate risk posture. Ensure management policies are complemented by regularly reviewed risk assessments to accommodate changes in the environment.
- Create a multi-dimensional defence system which protects end-users, quells zero-day attacks, and reduces the impact of undesirable user behaviour. As a result, risks are detected at the source, preparations made for ambiguous/potential threats, and sideloading/jailbreaking are discouraged.
- These steps should be routinely scrutinised in the spirit of continuous improvement. Wholesale security reviews should take place when material changes are made to environmental influencers. For example, where:
  - Data privacy regulations are altered
  - Operational scope substantially grows or reduces
  - IT kit changeovers are implemented
  - New best practice emerges for managing risks
Recent events have undoubtedly served to accelerate the movement toward remote working solutions. However, the ascent to a more hybrid environment, and the associated security implications that come with it, have been in motion for some time.
Attacks no longer set up shop on the edge of relatively secure internal networks; they are now hell-bent on infiltrating the shell of a device. Malicious actors manipulate anything and everything in their bid to gain access to operating systems. Indeed, end-point user authentication systems, Wi-Fi networks, payment platforms, and workplace software channels are all susceptible to attack.
Therefore, companies must develop self-sufficient, self-repairing, and self-evolving defence mechanisms to protect their vital information. However, this must be done without undermining the user privacy of employees and the operational capability of the business environment. If they haven’t done so, companies must re-assess their security postures and re-align corporate defences to address contemporary threats.
For tailored advice about how your company can appropriately re-align its security agenda, speak to a dedicated Mobliciti strategist today.