WHITEPAPER | THE BIGGEST SECURITY RISKS FACING THE REMOTE WORKFORCE
Contents
Introduction
Making Remote Workers the Front Line of Defense
Building a Fail-Safe Into Remote Work Technology
Thriving in the New Normal
About Morphisec
Introduction
Although remote work is high on everyone’s minds right now, the
trend started long before the outbreak of COVID-19 forced companies
to abandon their office buildings. Between 2005 and 2017, the
number of people working remotely increased by 159%. Burgeoning
technologies like cloud computing and remote collaboration apps
facilitated this employment evolution – and then a global pandemic
sent it into overdrive.
Since the outbreak of COVID-19 in Spring 2020, as many as 50% of
all employees have worked remotely at some point. Shutdown orders
made it mandatory in some cases, and public health guidance made it
prudent in all cases. By October 2020, companies started to return
to the office, entirely or just partially. Regardless, few would
say that things had returned to normal.
Some things are unlikely to ever return to normal, such as spending
40 hours a week at an assigned desk.
It’s still too early to predict how many traditional office jobs
will go remote and to what extent. What seems irrefutable, though,
is that remote work will become the norm, not the exception.
Companies are already planning for that inevitability in major
ways. Microsoft is developing an infrastructure to let all of its
roughly 155,000 employees work from home up to 50% of the time,
transforming the character and culture of the workforce in the
process. REI even abandoned plans to move into a custom-built new
headquarters after deciding it didn’t need so much office space
(even if that space was perfect for its needs). Moves like these
demonstrate that remote employment isn’t a passing trend; it’s the
future of work.
Technology makes remote work possible, and the pandemic makes it
necessary, but the force really driving adoption is the fact that
remote work benefits employers and employees alike. Companies cut
their overhead costs significantly, adapt to changing circumstances
during and after the pandemic, and tap into a national or
international talent pool. For employees, working from home lets
them eliminate their commute, avoid their cubicle, and work more
autonomously. Not everyone wants to work entirely from home, and
there’s still a place for the office – but there’s also little
resistance to trying something new.
In one survey, 25% of respondents worked from home before the
pandemic, yet 34% will now permanently work remotely at least one
day per week.
This shift is exciting and overdue. But it’s also risky to a
greater degree than companies realize, and in ways they don’t
anticipate. That risk increases the more companies go remote,
meaning they could be speeding towards disaster right now without
any warning signs.
In this whitepaper, we will show you why remote work creates as
many risks as it does rewards, and how that puts your entire agenda
in jeopardy. Then we will propose a solution: an actionable plan
for keeping the remote workforce productive, efficient, and engaged
using a framework of proactive cybersecurity.
In our opinion, reduced expenditure on cybersecurity isn’t an
entirely negative development. While tackling a fast-growing
cybersecurity threat level with stagnant or reduced budgets may
seem like an insurmountable obstacle, past experiences show that it
doesn’t have to be. This is because, up until now, more expenditure
has not necessarily resulted in better cybersecurity. Propagated by
market trends and overhyped products, cybersecurity investment has
often meant adding layers of complex AV products that did little to
increase safety but undoubtedly added complexity. The average
organization already has too many security tools, a situation that
leaves IT teams with complex security stacks in place of effective
cybersecurity.
CISOs can create effective security postures by reducing rather
than increasing dependency on third-party tools. In doing so,
organizations will also need to consider how they can balance
increased protection with data privacy for their employees.
Otherwise, as organizations store more of their employees’ personal
information, the potential liability from a data breach will
grow.
In this guide, we look at four key areas where COVID-19 impacts
cybersecurity planning for the year ahead.
The paradox of remote work is that it’s positive for the same
reason it’s problematic: the opportunity to work from anywhere and
everywhere. A suite of modern technologies makes it relatively
seamless to manage complex projects among far-flung collaborators,
meaning that teams can remain constructive and creative even if
they’re never in the same place. Those same technologies, however,
make every aspect of remote work vulnerable to cyber attack.
Virtual desktop infrastructure (VDI) provides a good example.
Virtual desktops equip remote workers with the data and apps they
need within a consistent, controllable IT environment. VDIs are so
well suited for the moment that predictions suggest the market for
them will triple between 2019 and 2027. They’ll be a feature of
most if not all remote workforces. They’ll also be a liability
across the board.
Although threat actors have occasionally targeted VDIs and remote
collaboration apps like Slack or Zoom in the past, these tools
remained historically under-exploited because they had lower
adoption rates overall. The rise of remote work has forced these
platforms into the spotlight and resulted in many more security
flaws coming out and being used as threat vectors. This is to be
expected, as the simple fact is that it takes time, staff, trial,
and error to systematically root out all the weaknesses in a
product – and those are each in short supply at many companies.
Consequently, security flaws are common, extensive, and slow to
receive patches. Plus, those flaws grow more pronounced as the user
base surges upward (look at Zoom’s trouble keeping video
conferences secure).
Remote work puts companies into a precarious position because it’s
highly vulnerable to attack. Compounding the problem is the reality
that any successful attack has outsize consequences for tech-driven
workloads. If a critical app or data source went offline, for
example, projects (or whole companies) may grind to a halt as teams
flounder without the necessary tools.
Successful attacks aren’t just possible – they’re probable. Cyber
attacks surged by 800% at the start of the pandemic, and for a
fairly obvious reason: hackers saw an easy target. With tens of
millions of users flocking to use insecure apps to handle their
most sensitive data and mission-critical workloads, hackers
recognized a golden opportunity before them. Making these apps the
centerpiece of operations only makes a hacker’s nefarious efforts
easier to carry out. The era of remote work plays right into their
agenda.
Hackers have already adjusted their attack strategies to seize on
the moment. Between January and June of 2020, two-thirds of all
malware attacks originated in cloud-based applications like Google
Drive, Amazon S3, and Microsoft Office 365. In Q1 of that year, the
United States faced more confirmed cyber incidents than any other
major country. Far from being an anomaly, this is a vision of the
new normal: where the technical infrastructure of remote work gives
hackers endless opportunities to launch attacks with a high
probability of success.
In this context, remote work starts to look a lot different. It may
be an obligation in some cases and an advantage in others. But it’s
also an existential threat on a scale rarely seen before. For a
variety of reasons, it isn’t feasible to stop the momentum towards
working outside the office. Therefore, it’s essential to understand
and address the resulting security issues head-on.
From here forward, securing remote workers and cloud workloads will
be some of the most important work a company undertakes. Success or
failure in this area will define the fate of everything else.
Obstacles to a Secure Remote Workforce
Getting serious about securing the remote workforce is an important
first step, but it’s an uphill climb from there. It represents an
entirely new challenge for security professionals because a remote
workforce expands the area they have to secure, and makes doing so
vastly more complicated than it was before. Some of the specific
(and overlooked) risks include:
• Insecure Home Networks: Enterprises go to great lengths to secure
their IT infrastructure, using comprehensive controls and network
monitoring tools to halt threats at the perimeter, among other
solutions designed to limit approach vectors. Contrast this with
the average home computer, which is probably running a
consumer-grade firewall and antivirus software that is not reliably
kept up-to-date. It’s no surprise that 73 percent of IT leaders
surveyed think that remote workers are a bigger threat than on-site
workers. Home computers aren’t the same as work computers in terms
of security – or in terms of performance. Unreliable home networks
may cause data, applications, or conferences to go offline and
bring business to a halt.
• Expanded Attack Vectors: When the vast majority of work happens
over the internet, remote employees are constantly exposed to
threats that target web services and applications. In addition to
being aggressive, these threats can be invisible to signature and
machine-learning-based antivirus if they utilize techniques
designed to evade detection. They’re also creative. With millions
more people attending video conferences, hackers have devised ways
to hijack the administrative privileges granted to conferences to
remotely execute malicious code. Bogus conference invites are also
ideal cover for phishing schemes. In fact, between March and April
2020, Morphisec observed phishing and adware attacks jump from just
2,000 per week to more than 90,000 per week, a 4,400% jump. Hackers
exploit uncertainty – something in abundant supply in today’s
remote offices.
• Limited Remediation Opportunities: Infected machines usually
require the direct attention of technicians. That’s easy to
accomplish in an office environment but functionally impossible
with a remote workforce practicing social distancing. If a remote
employee’s computer becomes infected, the IT department has few, if
any, means to respond. As a result, attacks last for longer and the
damage tends to be worse. The average breach already costs
companies $8.94 million – assuming IT can get to the machines
involved. Cut off from the normal response and remediation
resources, though, who knows how much that total could
multiply.
• Strained Security Resources: Lacking the cybersecurity resources
that the average enterprise supplies in-house, remote computers are
on their own in the wild. Each one is a mostly isolated endpoint
that must bear the full responsibility for safeguarding company
data, applications, and networks. That’s a lot to ask of
consumer-grade firewalls and client-based antivirus software,
especially when they’re defending against novel attacks and
high-volume offensives. Antivirus software missed 60 percent of
attacks in 2019, which doesn’t promote confidence when that same
software is suddenly the foundation of the cybersecurity
infrastructure.
• Isolated IT Assets: Companies can manage remote work as long as
everyone uses a specifically-calibrated computer that the IT
department has already hardened. The problem is that would require
going back in time and preparing for the pandemic early. With many
employees using personal devices some or all of the time, IT can’t
access those devices to harden cybersecurity or standardize
settings. Each machine contains vulnerabilities that can’t be
addressed and liabilities that can’t be understood. VPNs and VDIs
alleviate some of these concerns, but ultimately still need
additional protection against cyberthreats.
For all these reasons and more, securing the remote workforce
doesn’t fall within a typical cybersecurity framework. It requires
new approaches, extra urgency, and outside-the-box thinking.
Otherwise, disaster seems inevitable.
Making Remote Workers the Front Line of Defense
Remote workers are the first (and best) line of defense because
they’re also the most likely to accidentally enable attacks.
Outside the office, they’re exposed to more threats (some novel,
others sophisticated), and they have fewer institutional
protections to rely on. Under these high-risk circumstances,
companies need to make an immediate effort to keep remote workers
safe. Here’s what that includes:
• Security Awareness Training: Untrained workers are more likely to
make mistakes that lead to security breaches. While it’s impossible
to eliminate mistakes completely, security awareness training can
help equip remote workers with knowledge on how to avoid threats.
The National Institute of Standards and Technology (NIST) has a
useful framework on how to build this type of training program.
NIST suggests educating remote users on how to identify social
engineering scams and spot spam websites (both on the rise
recently), among other things.
• Regularly Updating Applications: Software updates are critical
because they often patch security weaknesses uncovered since the
previous iteration of the software was released. About 80 percent
of organizations that experienced a data breach or a failed audit
in 2016 could have prevented the incident with a patch or a
configuration change. Even worse, 20 percent of all vulnerabilities
discovered are usually “High” or “Critical Risk,” while a quarter
of vulnerabilities take more than 90 days to fix.
• Limiting User Roles and Permissions: Granting users unnecessary
system permissions can lead to misuse of privileges (either
accidental or deliberate) and increased attacker capability. By
implementing the principle of least privilege, which is based on
the idea of giving just enough access to users to do their job,
organizations can minimize damage if and when a user account is
compromised. Even when managers grant users certain privileges,
they should monitor user activity closely for unusual actions, like
accessing sensitive information after working hours.
• Leverage OS-Native Security Controls: The native Windows 10
security controls have improved dramatically over the past few
years. Microsoft Defender Antivirus, the native antivirus product,
has proved itself to be effective and reliable while also being
user-friendly and customizable. Since these security controls are
built-in and cost-free, it makes sense to leverage them to wrap
remote workers in yet another layer of cybersecurity.
• Using Multi-Factor Authentication for User Passwords: Globally,
57 percent of companies use multi-factor authentication (MFA) for
their passwords. Yet in the U.S., only 28 percent of organizations
secure their accounts with MFA. This is a major issue. According to
the Third Annual Global Password Security Report, employees reuse
one password about 13 times. It comes as no surprise, then, that
stolen and reused credentials contribute to 80 percent of
hacking-related breaches. Using MFA, or at the very least
two-factor authentication (2FA), adds an additional layer of
security and reduces the risk of cybercriminals using stolen
credentials to move an attack further.
With each of these measures in place, remote workers reduce their
exposure to an onslaught of attacks. However, these workers can’t
be the first and last line of defense: a strategy doomed to fail.
Instead, companies need to take the extra step to ensure that even
if attacks hit their initial target, they can’t reach their
intended destination.
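The monitoring suggested under "Limiting User Roles and Permissions" above, as an added example that is not part of the original whitepaper: a Python check that flags access outside a role's granted paths and reads of sensitive paths outside working hours, judged on each remote worker's local clock rather than the server's. The log format, role policy, user names and fixed UTC offsets (no daylight-saving handling) are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy for illustration (not from the whitepaper).
ROLE_ALLOWED = {            # least privilege: role -> path prefixes it may touch
    "engineer": ("/repos/", "/wiki/"),
    "hr": ("/hr/", "/wiki/"),
    "finance": ("/finance/", "/wiki/"),
}
SENSITIVE = ("/hr/", "/finance/")
WORK_START, WORK_END = 8, 18          # local working hours, [08:00, 18:00)
USER_UTC_OFFSET = {"alice": -7, "bob": 1, "carol": 9}  # fixed offsets, no DST

# Constructed sample log: UTC timestamp, user, role, action, resource.
SAMPLE_LOG = """\
2020-10-05T16:02:11+00:00 alice engineer read /repos/app/main.py
2020-10-05T09:30:00+00:00 bob hr read /hr/payroll/2020-09.csv
2020-10-05T22:45:10+00:00 bob hr read /hr/payroll/2020-09.csv
2020-10-06T01:10:00+00:00 carol finance read /finance/ledger.xlsx
2020-10-06T03:15:42+00:00 alice engineer read /finance/ledger.xlsx
2020-10-10T10:00:00+00:00 carol finance read /finance/ledger.xlsx
corrupted entry
"""


def parse_line(line):
    """Split one log line into fields; raises ValueError if it is malformed."""
    ts, user, role, action, resource = line.split()
    when = datetime.fromisoformat(ts)
    if when.tzinfo is None:
        raise ValueError("timestamp has no UTC offset")
    return when, user, role, action, resource


def local_time(when, user):
    """Convert the event time to the user's local clock (UTC if unknown)."""
    offset = timezone(timedelta(hours=USER_UTC_OFFSET.get(user, 0)))
    return when.astimezone(offset)


def review(log_text):
    """Return (line_no, user, reason) findings for a block of log lines."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            when, user, role, _action, resource = parse_line(line)
        except ValueError:
            # Keep unparseable lines visible instead of silently dropping them.
            findings.append((line_no, None, "unparsed"))
            continue
        # Least privilege: the role must be explicitly granted this path.
        if not resource.startswith(ROLE_ALLOWED.get(role, ())):
            findings.append((line_no, user, "outside-role"))
        # After-hours check uses the worker's own clock, not the server's.
        if resource.startswith(SENSITIVE):
            lt = local_time(when, user)
            weekend = lt.weekday() >= 5
            if weekend or not WORK_START <= lt.hour < WORK_END:
                findings.append((line_no, user, "after-hours-sensitive"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Line 4 of the sample is 01:10 UTC but mid-morning for the user, so it is not flagged; line 5 is 03:15 UTC on Tuesday but 20:15 on Monday for the user, and is flagged on both counts.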
Building a Fail-Safe Into Remote Work Technology
Securing remote workers takes a two-pronged approach: making those
workers smarter about cybersecurity while also strengthening the
technologies that facilitate their work. The second effort often
suffers because of long-standing misconceptions about native
security, particularly when it comes to virtual machines.
Contrary to popular opinion, virtual machines are not immune or
even particularly insulated from attacks simply because they’re
untethered to physical machines. Hackers can compromise a virtual
session in all the same ways they can compromise a traditional
desktop environment, which is to say they have decades of attacks
and strategies to choose from.
They also have zero-day attacks in their arsenal. Traditional
antivirus protections aren’t much help either since they’re only
designed to catch known or easily-identifiable threats, not
something appearing for the first time. Even NGAV solutions based
on machine learning aren’t always effective at catching attacks
that are dissimilar from what came before.
Some people assume that if a virtual session did become
compromised, ending the session would cut the attack off at the
knees. Others think virtual machines are a low-value target for
hackers; if hackers broke into a virtual session they would find
little to steal, the logic goes. But this is just wishful
thinking.
And once hackers breach a virtual machine, they can move laterally
into servers full of sensitive data and applications. Virtual
machines don’t, despite the myths, make it harder to attack
critical systems.
Make no mistake: virtual machines are just as vulnerable as (if not
more vulnerable than) physical desktops.
If employees and antivirus software were the only defenses in
place, attackers would potentially have an easier time of attacking
remote workers. Preventing remote work from becoming a disaster
waiting to happen requires a second line of defense – one set up to
block the attacks that (inevitably) make it past the perimeter.
That’s where moving target defense (MTD) comes in.
In simplified terms, MTD morphs the application memory so that when
hackers try to launch an attack, they target what they think is an
important asset when in fact they’re falling into a trap designed
to capture and neutralize the threat. In that way, moving target
defense technology empowers organizations to start preventing
attacks instead of minimizing or mitigating them. It operates from
the premise that evasive attacks can be interrupted and stopped if
they’re unable to accurately identify the target.
Unlike other defensive strategies, MTD addresses unique
vulnerabilities within remote collaboration apps. For instance, it
can secure remote endpoints on unreliable home networks and protect
browsers against attacks so SaaS applications can be reliably
accessed. Fundamentally, MTD guards against the security flaws that
developers don’t address and the threats that antivirus can’t
identify, becoming a fail-safe against attacks that companies would
be unlikely to stop otherwise.
In addition to providing reliable security in the face of
unpredictable threats, MTD has a lightweight footprint that won’t
cause a video conference to lag or create any other performance
issues. For the same reason, it doesn’t take significant time,
staff, or technical resources to get this defensive asset up and
running.
MTD delivers the rare asset that companies need in response to the
rapid shift towards remote work: A capstone to a cybersecurity
strategy that rises to the occasion when all other measures
fail.
Thriving in the New Normal
Remote work doesn’t just transform a company’s relationship with
employees; it transforms the relationship with technology, too.
Everything takes on a digital component. As a result, cybersecurity
becomes an even greater priority than it was before: something
intrinsically linked to productivity, compliance, innovation, and
competitiveness on all levels. Companies embarking on a remote work
experiment must be aware of exactly what that entails and prepare
themselves accordingly.
Those that make cybersecurity a priority from the start lay the
groundwork for stability and long-term success in whatever the new
normal looks like. Those that don’t leave their remote workforce
(and all the productivity they account for) exposed to attacks
which we know are coming in higher volume, leveraging new tricks,
doing newsworthy damage, and unlikely to abate soon...or
ever.
At Morphisec, we understand what’s at stake in a work-from-home
world. That’s why we’re pioneering the practice of proactive
cybersecurity – where you stay one step ahead of hackers rather
than trying to block each one of their attacks. Moving target
defense is the centerpiece of a proactive cybersecurity strategy
because it prevents zero-day attacks as capably as it stops known
threats. In the process, MTD keeps the wild frontier of remote work
from becoming an unsustainable risk.
If your office is changing, your cybersecurity strategy must
follow. Otherwise, remote work will never be reliable.
About Morphisec
Morphisec delivers an entirely new level of endpoint security for
any business with its Moving Target Defense-powered Guard and
Shield products. Moving Target Defense places defenders in a
prevent-first posture against the most advanced threats to the
enterprise, including APTs, zero-days, ransomware, evasive fileless
attacks, and web-borne exploits. Morphisec provides a crucial,
small-footprint memory-defense layer that easily deploys into a
company’s existing security infrastructure to form a simple, highly
effective, cost-efficient prevention stack that is truly disruptive
to today’s existing cybersecurity model.