Written by Ofir Israel, VP of Threat Prevention at Check Point Software Technologies.
From a time when businesses were essentially static entities, and employees worked from within the confines of offices, we have now moved into an age of almost complete diffusion. The rise in digital nomads means business can be conducted wherever employees happen to be, whether that be at home, in the coffee shop, on the road, at customer’s premises, or hot-desking around any number of corporate locations. So, in security terms, the idea that a business can be protected by a monolithic digital wall is a completely redundant concept.
Now, the frontline in the battle for corporate security is the endpoint: any device that employees use to access the company’s network and software resources, with each one being a potential gateway for bad actors eager to exploit the vulnerabilities inside. Make no mistake, every company has unsecured doors and open windows in its systems ready to be taken advantage of, whether they know it or not. Even with the strictest corporate security policies, it has become impossible to identify and patch every vulnerability that might exist.
For the most part, security teams have woken up to the threat that endpoints represent, but effectively controlling them in a fast-moving and ever more complex IT environment is a headache that gets more intense every day. Not only is the proliferation of devices, and the locations they are used in, a major problem – it is also the increasing volume and sophistication of the attacks being launched.
User policies are no longer effective
According to the World Economic Forum, 95% of cybersecurity breaches are caused by human error, while Gartner says that “phishing continues to be the primary source of infiltration for ransomware.” It has long been recognised that employees are the weakest link in the security chain, and security teams have tried to address this by enforcing user policies designed to engender a ‘threat-averse’ mindset. In other words, training employees not to click on anything that looks suspicious and helping them to recognise when somebody might be trying to scam them, whether over the phone or online. Yet these policies are increasingly ineffective.
Quite simply, businesses can no longer expect their employees to be the first line of corporate defence, nor should they expect them to be. There are three main reasons for this.
The first is that phishing and scams have become much more sophisticated – what were once relatively crude attempts to trick and deceive employees are now much more convincing. Deception via social engineering remains a big problem, but phishing sites are now able to mimic reality to the point of being practically identical to real sites. And this threat is only going to get worse with the arrival of Generative AI, which can quickly reproduce legitimate sites and pages with a frightening degree of accuracy.
The second reason is that phishing and ransomware attacks are no longer reserved for some shadowy cabal of master hackers operating on the dark web. Instead, there are ransomware-as-a-service sites accessible to any criminal who wants to try them. The same goes for sites selling phishing tools. From only being available in specialist stores, these weapons of mass disruption can now be purchased over virtual counters by anyone who can afford them. As such, attacks are taking place with greater regularity, testing employee vigilance and increasing their chances of success.
And the third reason comes back to the proliferation of employees using endpoint devices to access corporate services and work, wherever they are located. It may well be that these devices lack the proper protection to alert users to suspicious activity and requests, but it is also a psychological issue, with employees less likely to strictly adhere to security rules once outside of the corporate aegis. This is particularly true if they regard those rules as interfering with their ability to effectively work remotely.
Protecting the digital nomads
This last point reflects a general loss of control over employees’ IT use in the last few years. Whereas remote working was previously subject to strict policies over what devices and software could be used, businesses now need to prioritise a ‘work from anywhere’ model over protecting the integrity of the network. Many companies are resigned to a hybrid working strategy where BYOD (bring-your-own-device) is common. As a consequence, employees are using a variety of operating systems and apps that neither IT nor security teams have full visibility of.
This has profound implications for corporate threat protection. Without proper version control or standardisation of apps, it is entirely possible for an employee to unwittingly download software with known vulnerabilities and then plug it into the network. In fact, the majority of successful attacks in recent years have been based around known vulnerabilities introduced into corporate systems that hackers have exploited once they have breached the company’s defences via a phishing scam or ID theft.
The sheer complexity of today’s IT environment means that it is impossible for security teams to have manual oversight of every potential vulnerability in the corporate network. A patch might be applied to a discovered weakness in the system, only for the same vulnerability to be re-introduced by an employee a week later without the team’s knowledge. When working at this level of complexity, it is almost certain that the IT team itself will have left open windows and unlocked doors in the network, because it is simply impossible to stay on top of every point of weakness when the devices connecting to it are so diverse.
Shifting from education to automation
Ultimately, it is the human factor that poses the biggest threat to corporate security, whether via the exploitation of the end user or the over-reliance by IT teams on manual patching and threat detection. However, we cannot place sole responsibility on them to keep networks secure. There needs to be a shift in focus from relying on educating users and staff to providing robust automated endpoint security.
Just as AI-powered, automated tools are being used by bad actors to attack us, security practitioners must respond in kind to mitigate the human factor. In a constantly shifting IT environment, the only hope of keeping on top of endpoint devices and protecting the network is via automated solutions that can stop attacks from happening while detecting and patching vulnerabilities by priority.
For better or worse, hybrid working is the new normal that security has to accept and adapt to. A diffusion of devices and apps, in tandem with the increased sophistication of attacks, means that employees can no longer be regarded as sentries at the corporate gate. It is up to security leaders to develop strategies to protect the network, IT assets and users, and prevent threats on a 24/7 basis – and that has to mean the application of intelligent automated solutions capable of winning the battle of the endpoint.