Organisations were uprooted in 2020, adjusting to a new way of working that required a fully remote model. Consequently, IT was put under pressure to enable employees across the country to continue working productively. With corporate data now in more places than ever, ensuring networks and devices are secure has never been more important.
Every year, Wandera publishes its Cloud Security Report. The 2021 Cloud Security Report examines threats being posed to an organisation’s data via endpoints, users, and remote access tools.
To read the full report, download it here.
Introduction
2020 was a very different year for many, with businesses globally tasked with unexpectedly moving to a fully remote model, whilst still retaining their previous levels of productivity before the pandemic. A broad range of company policies are no longer as relevant in 2021’s working environment, and IT policy is one of them. Consequently, IT policy is being revised to accommodate more devices, networks, and apps, in more places than ever before.
Tried and tested security practices are no longer relevant in 2021. Old security assumptions no longer stand up to the test of the ‘new normal’. The most successful IT operations are focusing on enabling users to work from home – this requires an agile and flexible approach to security.
Risk Factor 1 – Endpoints
With employees no longer chained to their desk by cumbersome desktops; portable devices such as mobile phones, tablets and laptops have greatly enhanced user’s ability to collaborate and share information, no matter where they are.
Although many businesses provided corporate mobile phones and laptops to staff, having 100% of employees working remotely so quickly was not anticipated. When the first UK lockdown began, IT was often tasked with making some quick decisions on what devices should be allowed or denied access to sensitive business data. The speed of this mass shift to remote working has led to major inconsistencies.
In 2020, 28% of organisations were impacted by an operating system with a known vulnerability
More Devices + More Device Types = More Attack Vectors
Users are relying on their smartphones like never before and this is no longer just confined to personal use. There’s been a sharp increase in work-related internet data going through smartphones, as the rise of mobile SaaS applications (such as Microsoft Office 365 and Salesforce) ensures that employees can work whenever, wherever.
In a typical organisation, 60% of devices containing or accessing enterprise data are mobile.
Before 2020, corporate mobile phones were fairly limited to employees who needed to stay connected on the move. However, since 2020, users are working from home with whatever devices they have access to.
The devices in question vary hugely. Many organisations lack the budget or supply chain to supply all of their employees with sanctioned devices with little warning. Some IT teams are allowing employees to purchase and/or choose their own computing equipment – resulting in a huge variety of devices in use. Some employees are also purchasing a second smartphone, in place of their traditional office landline, in order to retain a separate line for work and business.
This isn’t where the inconsistencies end, as users struggle with home network connectivity. As a result, employees are turning to Mi-Fi (mobile broadband routers) and mobile hotspots in an attempt to maintain a reliable internet connection.
As an increasing amount of hardware is introduced, so is a wider variety of software. Many organisations are now supporting devices that run Android, iOS, Mac, and Windows 10. An increased variety of software can introduce more security vulnerabilities. IT teams tasked with supporting a wide variety of operating systems are trying to standardise a consistent policy across these platforms; no mean feat given each platform offers differing levels of control and functionality as well as different ways of issuing security patches.
Average OS versions, OSs and Device Models
On average, companies with less than 500 devices run 11.3 different OS versions, on 1.4 different OSs, across 1.8 different device models.
Comparatively, companies with more than 500 devices run 39.4 different OS versions, on 1.6 different OSs, across 2.6 different device models.
Lack of Device Standardisation is Now Standard
When IT teams only had Windows desktops to deal with, there was only one type of OS to worry about. Those dedicated to Apple Macs only had to deal with MacOS. At the beginning of 2020, the biggest headache many IT teams had to deal with was that a few of these devices might be running older OS versions. In 2021, with multiple platforms now as standard, and with the expectation that some devices on each platform would be running older OS’, IT is now having to deal with a huge number of OS versions, all with their own complexities and vulnerabilities.
If you give employees the ability to choose, organisations must be prepared to scale up support to be able to deal with those choices.
How Do You Deal With Endpoint Security Now?
Strong endpoint security is the goal for organisations, but this is often plagued with problems. Issues arise in everything from temporarily providing contractor devices with the ability to access sensitive corporate data to walking the fine line between respecting employee privacy in BYOD devices whilst still enforcing a degree of security.
Remote working is here to stay, even post-COVID-19. As a result, IT teams must ensure that they have established practices that can fit the requirements of the wide variety of both managed and unmanaged devices and networks that are now part of the corporate ecosystem. Remote devices must no longer be managed at the periphery of security operations.
Risk Factor 2 – Users
The likes of Apple and Google create their operating systems and app stores with the ability to mitigate the vast majority of security threats. However, risks are commonly being introduced by unwitting user behaviour.
Targeting Users – Phishing
Phishing is the biggest threat impacting users on portable devices. They are often influenced by trends – such as an influx of attacks posing as HMRC during tax season. 2020 saw a huge uptake in traffic going to COVID-19 related phishing sites as attackers tried to profit from people’s fear.
Phishing attacks in 2020 peaked on a weekend, suggesting that employees are more susceptible to attacks on corporate devices when they aren’t in ‘work mode’, with a more relaxed state of mind leading them to fall victim.
Targeting Users – Man-in-the-Middle Attacks on Wi-FI
There are two main types of Man-in-the-Middle (MitM) attacks impacting mobile users:
- Attackers gain physical control of network infrastructure, such as fake Wi-Fi access points, enabling them to snoop on traffic.
- Attackers tamper with the network protocol that offers encryption, exposing data that’s meant to be protected.
Remote working helped reduce employee exposure to MitM attacks. In 2020, 4% of users connected to a risky hotspot each week, down from 7% in 2019.
Targeting Users – Apps
Malicious apps have become increasingly sophisticated, with malware using clever techniques to evade detection. Some malware may wait until certain actions have been taken before activating malicious behaviour, such as waiting until they are connected to a specific network. Other apps may contain command-and-control code that is activated by hackers. Although app stores conduct basic checks, sophisticated apps often evade detection and are also becoming more common.
In 2020, 52% of organisations experienced a malware incident on a remote device, up from 37% in 2019
Apps don’t have to contain malware to be considered dangerous. Many apps are also poorly built, secured or maintained, resulting in them being susceptible to dangerous vulnerabilities. They can also contain scams or fraudulent ads. Adware is extremely common, with apps approved by official app store checks, containing pop up ads that take over a device screen, rendering the app unusable. 1 in every 200 devices has such an app installed.
In 2020, Android devices were 5.3x more likely to have a vulnerable app installed than iOS devices
15% of organisations had at least one device using an app that leaked password data, up from 11% in 2019
iOS devices were 3.2x more likely to be impacted by leaky applications than Android devices
Risky apps don’t just pose a headache to individual users. Wandera’s analysis found that once a company has at least one device compromised by malware, they are subsequently 4.4 times more likely to be impacted by a password leak than other companies.
Although independently vetting the security of each application in use within an organisation is a laborious task, it is a necessary one. As users become more comfortable with the devices they use, they are also more likely to explore the world of applications.
Rather than implementing a total ban on apps, IT must take steps to be aware of, and understand the apps employees are using. These apps can then be audited for risk and assessed for their productivity benefits. If an app can be proven to be safe and enhances productivity, there’s no reason for it not to be embraced and monitored.
User-Initiated Risk – Inappropriate Content
Inappropriate content refers to adult, gambling, extreme and illegal content categories. This content is far more likely to leak data, as well as use unencrypted technologies.
Since users began working from home in 2020, there’s been an increase of up to 100% in connections to inappropriate content during office hours. This highlights the need for IT to ensure that acceptable usage policies are being adhered to on remote devices. Content filtering is an effective tool to enforce corporate acceptable usage policy, reducing security, compliance and legal risks.
User-Initiated Risk – Circumventing Security Measures
1. Jailbreaking
Jailbreaking and device rooting are risky configurations, allowing users to gain access to the operating system of a device and enable the installation of unauthorised software functions and applications. These tactics are also used by those trying to unlock their device from their carrier.
- In 2020, the number of jailbroken iOS devices increased by 50%, while the number of rooted Android devices increased by 20%.
- Jailbroken devices are 28x more likely to encounter malicious network traffic than non-jailbroken devices.
- Companies who have at least one jailbroken device in their fleet are 31.6x more likely to have devices encountering malicious network traffic than other companies.
- Jailbroken devices are 33x more likely than non-jailbroken devices to have an application with a known vulnerability installed.
2. Sideloaded Apps
Sideloaded apps are apps that users install away from their official app store. Devices that sideload apps don’t even need to be jailbroken – certain settings can be configured to allow apps from third-party sources. Sideloading apps is easier on Android OS than Apple iOS – as a result, one in five Android users have their devices configured to allow third-party apps.
Without Apple and Google’s app store reviews, sideloaded apps pose a much greater risk.
- In the legal sector, users are 2.5x more likely to have sideloaded applications installed on their devices than in other industries.
3. Disabled lock screens
Lock screens are a simple security measure that helps protect device contents and a default on the majority of devices. However, some users go out of their way to disable the lock screen, leaving them vulnerable to theft.
- In 2020, 3% of devices used for work had the lock screen disabled, down from 6% in 2019
- Users who disabled their lock screen are 16x more likely than other users to be running an OS with a known vulnerability
- Users with their lock screen disabled are 2.4x more likely to have their email address leaked than other users
Risk Factor 3 – Remote Access
As of 2020, 39% of organisations are using a combination of public and private cloud deployments in a hybrid model, with more organisations expected to begin cloud migration projects in the near future.
As businesses move apps to the cloud and expand the number of SaaS apps in use, IT is managing more apps than ever, in more places than before.
Remote Access Is A Must
Remote access is now an established feature for many businesses. Establishing trust within corporate networks has never been more important, as verifying a remote user’s identity or checking device security can make the difference between remaining secure or a malicious actor accessing the network.
Why should continuous risk assessments be an essential part of a remote access strategy?
Of the devices running a vulnerable operating system in 2020, 1 in 83 were accessing their emails and 1 in 6 were accessing cloud storage at the time of the vulnerability
Of the devices compromised by mobile malware in 2020, 37% continued accessing corporate emails after being compromised and 11% continued accessing cloud storage
42% of companies who have devices compromised by malware have at least one of those compromised devices accessing productivity tools.
By implementing a zero-trust network access platform, risk assessments can be done in the background, checking everything from network, location, device vulnerabilities and more, ensuring that only an authorised user is truly given access.
Recommendations
Despite decades spent trying to define corporate IT standards, many businesses have reached a point where a lack of standardisation is now the standard. Everything from the huge range of OS’ in use to user location being scattered across the UK and beyond, has led to an immense disparity across almost every area. As a result, secure remote access solutions must be flexible and agile, to ensure that they are enabling the right apps and not unnecessarily halting productivity.
1. Outline the requirements based on the new use cases that remote work is creating.
- What do you want employees to do on their devices—access email or access sensitive data?
- Evaluate use cases and define requirements for your remote workforce.
- The above requirements will inform your device ownership model—which device types will you support, who owns them, and how are they managed?
2. Connectivity
- When it comes to connectivity and cloud applications, find out what you need to know about users, devices, networks and apps before granting access to corporate resources.
- Limit users to only the business tools they need – this prevents over-privileged accounts from being exploited.
3. Define Acceptable Use
- Review existing acceptable use policies and ensure all types of endpoints are incorporated.
- Implement an acceptable use policy for each appropriate subset of devices to control shadow IT and unwanted usage and to ensure regulatory compliance.
4. Expand access management policies to incorporate device risk posture
- Implement a user-friendly Identity & Access Management (IAM) solution for authentication to corporate apps on all devices, including mobile.
- Incorporate device risk assessments into IAM policies to ensure device risk posture is considered.
- Ensure risk posture is continuously evaluated for the duration of a session.
5. Deploy endpoint protection across all devices
- Ensure that your security solution has a strong endpoint detection capability and an in-network architecture to prevent attacks before they get to a device.
- Ensure your security solution can address both external cyber threats (such as phishing, man-in-the-middle attacks, malware) and usage behaviour risks (sideloaded apps, etc)
- For all security tools, ensure appropriate configurations are made to address appropriate threat vectors while respecting the privacy of end-users.
- Evaluate the security solution’s machine-learning capability to understand how the threat engine identifies and protects against new threats.
How Can We Help?
Whether it’s ensuring you have all endpoints protected or ensuring that Shadow IT isn’t plaguing your business, Mobliciti is ideally placed to help. To find out more, get in touch.
