Remote work has disrupted office work but it has disrupted enterprise security too

By Richard Melick, Director, Product Marketing for Endpoint Security at Zimperium.

  • 1 year ago Posted in

Mass Remote work is here and it's not going anywhere. While that might have seemed unthinkable only a few years ago - it looks as though what was a fringe benefit for some is becoming a daily reality for many.

How we all became remote workers

When the world locked down, workforces were sent home and ordered to stay there until further notice. During these trying times, many businesses were forced to shutter, being unable to sustain themselves under the strictures of the pandemic. Those that did manage to successfully enable and secure mass remote work capacity for their tens, hundreds, and sometimes thousands of employees.

This went along with a whole series of digital transformations that fundamentally changed businesses worldwide. As CEO of Microsoft Satya Nadella said early in the pandemic, “We’ve seen two years’ worth of digital transformation in two months."

In this herculean effort of mass-bootstrapping, enterprises started rapidly moving to the cloud, implementing BYOD schemes, and trucked in Virtual Private Networks (VPN) to help secure connections between workplaces and their quarantined workforces.

Now, as the pandemic recedes - remote work is solidifying itself as a fixture of modern business. Still, these rushed short-term measures are ultimately insufficient to protect remote work in the long term.

The explosion of mass remote work has meant that workers are now accessing corporate data outside of the traditionally office-bound network perimeter. As a result, they’re working without the benefit of enterprise-grade security controls which could otherwise protect them.

It’s of no particular surprise that in our 2022 Global Mobile Threat Report, nearly 50 percent of security professionals said that their work from the home strategy was a significant part of their cybersecurity incidents.

Instead, they’re using home endpoints, networks, and personal mobile devices. This, in turn, can lead to exposure and potential theft of data by malicious actors as they penetrate the often pitiful protections that non-enterprise networks and endpoints maintain.

While remote work might be a stubborn reality, secure remote work seems harder to achieve. We also found that 61 percent of security professionals believe that applying corporate cybersecurity policies in the age of mass remote work is nearly impossible.

Mobile devices are central to remote work

Remote work has thrust mobile devices right into the centre of modern working. They capture the flexibility and geographic neutrality that many now expect of their jobs. Now, it's quite normal to answer emails, attend meetings and collaborate on documents via a mobile device.

Now that so many of us are remote workers, those mobile endpoints are becoming more and more critical to our everyday jobs. As a result, the line between personal security and enterprise security is blurring. Personal devices can become corporate espionage devices, and remote workers can become insider threats without them ever knowing about it.

Cybercriminals are seizing the opportunity. In 2021, Zero Day exploits against mobile endpoints skyrocketed by 466 percent year over year. Over the same time period, mobile-specific phishing websites grew by 50 percent.

However, many of the attempts to enable mobile computing in a remote work setting don’t get to the heart of the problem and in some cases, actually, introduce risks.

Productivity apps

One of the ways in which companies enable remote work is through productivity apps. These are the applications - like Slack or - that allow workers to collaborate, communicate and remain productive, whatever the geographical distance between them.

Our survey showed that 56% of technology leaders use between four and eight enterprise applications on their mobile devices. A further 17% use over eight.

Cybercriminals know that and these kinds of applications have become a key attack vector for mobile threats. Office 365 is just such an example. The app is the cornerstone of many workplaces, hosting a whole suite of Microsoft applications including Word, Excel, and Teams. In fact, a recent Zimperium poll found that 84% of security professionals had enabled it on their phones.

It also appears to be a cornerstone for cybercriminals too. One report says that this software suite alone accounts for more than 72% of exploits, compared to browsers which account for just 13%.

It’s the very popularity of this particular application that makes it such a popular target for mobile threats too - the broader the attack surface, the more chances to infiltrate the target.

Securing mobile devices

Along with the introduction of various productivity tools, companies have also tried to secure remote work with a range of measures.

VPNs have become a critically important part of remote work, allowing secure connections between mobile devices and their workplaces. BYOD uptake has been healthy and it appears as though the pandemic has forced many enterprises to get serious about personal mobile devices. This is especially important, considering that most mobile devices - 66% according to our survey - used in

an enterprise setting are personal devices. Others are using Mobile Device Management to give them some form of control over the mobile devices that make up so much of their attack surface and have encouraged their workforces to start using MFA on their devices.

The truth is that BYOD schemes, MFA, or VPNs are useful but ultimately insufficient to protect against mobile threats and fall short when it comes to phishing, network vulnerabilities, mobile application vulnerabilities, or zero-day threats.

Protecting the mobile endpoint

On an office computer, you might have been able to turn it off and walk away when the day ends but mobile devices are ever-present parts of our work and private lives. The problem with many of these attempts to secure and uphold remote work is that they don’t account for the fact that the mere presence of personal mobile devices in enterprise work, takes visibility and control out of security teams’ hands.

To protect against the mobile threats to remote work, security needs to go where the work is actually being done: Mobile devices. With that in mind, organisations must build on their new security measures by introducing Mobile Threat Defence (MTD) capabilities which can assess device security posture continuously, detect threats as they arise, and block access when they do.

Furthermore, any attempt to secure remote mobile endpoints must be always-on and on-device. It can’t call back to the cloud and must continually protect the device even when it's not connected to the internet.

Remote work is a reality. Whether or not that’s good for security is beyond the question. Security teams need to adapt to and protect this new reality, wherever it lies.

By Faye Ellis, Principal Training Architect at Pluralsight.
By Brett Raybould, EMEA Solutions Architect, Menlo Security.
By Ash Patel, General Manager, EMEA - Zimperium.
By Andy Swift, Cyber Security Assurance Technical Director at Six Degrees.
By Simon Godfrey, VP Sales Europe for Secureworks.
By Antonio Sanchez, Principal Cybersecurity Evangelist, Fortra.
By Emma Lowe, Director International Field Marketing, Virtru.