There’s probably never been a time in business computing history when the enterprise attack surface has changed and grown so much as in the past few years.
Think about it: in the 70s, 80s, and 90s, it seemed easier to trust our computing systems. Maybe it’s naive to think so, but generally it was a simpler time. Users typically had a single desktop computer to conduct their work, or if they were in sales or worked on-site with customers, they had a notebook. They accessed their work applications and data from one network. Life today is considerably more complicated – and riskier.
Back then, all that was required to secure data and systems was a handful of usernames and passwords to access applications and other networked resources. Network firewalls, endpoint antivirus, and VPNs protected the corporate perimeters. Users had a few passwords to memorize, or (as 53% of people alarmingly still do) used just one password across most of their applications.
The current attack surface is broader and growing exponentially. Threat actors are smarter, becoming more inventive and arguably more callous every day. This has a profound impact on the nature of trust between users and the resources — networks, devices, apps, and data — they're accessing. It calls for an entirely new approach to security.
User Endpoint Security is Enterprise Security
Today, a staffer will access corporate resources from their laptop and perhaps a desktop, as well as their tablet and smartphone. And they will do so from any number of networks, including those in their home, a restaurant, or other public locations. The applications they access are now on-premises and available across dozens of cloud service providers. This alone is a substantial increase in the enterprise attack surface, but it's not the only one enterprises face.
Staff — especially those who work remotely — are connected to all types of devices that increase risk, from smartwatches to Internet of Things (IoT) devices on home networks such as smart speakers, TVs, lights, doorbells, baby monitors, and other equipment. If left unsecured, all of these 'connected things' put their network at risk.
Is this a big deal? What’s the worst that could happen if an employee’s IoT device becomes compromised? What does it have to do with the security of their endpoints and the resources of the business?
Unfortunately, quite a bit. When IoT devices are breached, and an attacker manages to gain a foothold on an employee’s personal device, they can monitor traffic on the network and work to gain access to any computing device that resides on it. Attackers can steal saved passwords and gain access to the user’s work endpoint, and from there eventually anywhere and anything that the device connects to – including the enterprise network.
This is not theory. We have witnessed many attacks on IoT devices, from small building devices, smart cars, smart home hubs, baby monitors, and even Internet-connected fish tanks. All the tactics attackers once used on enterprise computers and networks they can now use on IoT devices and home networks.
Despite the security concerns associated with IoT devices, they are here to stay. Working from home is also here to stay, and the number of devices on our networks, whether entertainment, work, or personal, will continue to grow.
Organizations have tried to protect their remote workers by installing anti-malware software on home-use laptops, forcing users to rely on VPNs and other defensive measures. According to a recent report from Microsoft, one of IT professionals’ critical concerns is that staffers may be accessing work resources from their home networks – networks that are not so well guarded as their corporate perimeters.
Success is a Matter of Zero Trust
To avoid costly and embarrassing data breaches, enterprises need to find new ways to protect their systems. Consider what happens when an attacker infiltrates an IoT device attached to a network and manages to steal credentials associated with the computer endpoint. It’s only a matter of time before the attacker makes it into the corporate internal network to access and download anything and everything they find there.
This situation is not going to change, and the enterprise attack surface will continue to expand. Staffers will remain working from home as the pandemic wanes, at least part of the time, and they’re going to continue to want all the benefits associated with their IoT devices.
To protect themselves, enterprises must increasingly adopt Zero Trust measures. Instead of trusting entities by default — or by a one-time authentication — users are vetted continuously.
No device on the network should be trusted, whether it belongs to staff, other internal or external users such as contractors or agencies, and all the networks, applications, and devices those users access.
Zero Trust Meet Zero Touch
As security teams work to protect their network environments from threats and vulnerabilities, they must ensure continuous, proper authentication of users and devices. They also face the ongoing challenge of finding a balance between the level of risk management implemented against the ease of use, on and off premises, by network users.
Employees will often seek workarounds to avoid intrusive or disruptive verification processes and may introduce new vulnerabilities when attempting to create shortcuts. Creating a minimally intrusive, or zero touch experience for users, is a key component of a robust Zero Trust framework.
Zero Trust means users can’t access anything on any device until they prove who they are, their access is authorized, and they’re not acting maliciously. Zero Touch means authentication processes are transparent and effortless for users. BlackBerry Spark Zero Trust security solutions continuously protect endpoints while delivering a zero touch experience.
To learn more about Zero Trust, read the BlackBerry report, The Inevitable Ascent of Zero Trust.