It was no surprise that the gradual shift to remote work would ultimately expand the mobile attack surface: “Everyone was already on the path,” BlackBerry VP of Global Sales Engineering Alex Willis says during a recent video podcast. Yet, when COVID-19 hit and offices were shuttered in favor of home-based workers, IT teams were suddenly thrown into some deep, dark, and very cold waters. And many teams report they are still swimming hard, trying to keep their heads above the waves.
A recent study conducted by Pew Research reveals why: Nearly six-in-ten employees (59%) whose jobs can be done remotely continue to work from home. The pandemic has reshaped how the world works.
Along with this shift to remote work came explosive growth in cloud-based accounts from an expanding number of devices, adds BlackBerry Senior Director Baldeep Dogra. “We know they expose more resources that need that interconnectedness and that means more access points,” which can be compromised.
“You end up with what we call ‘endpoint chaos,’ which has increased the mobile attack surface,” says Dogra.
Exploring current endpoint security challenges often helps us map out a pathway to overcome them. This is the focus of Part One of our BlackBerry LIVE video podcast on mobile security, where I discuss this topic with BlackBerry experts Willis and Dogra to uncover more about the mobility challenges that IT teams face today. To learn more, watch the podcast, or read the excerpt below.
Thanks for joining this podcast. I've got some distinguished guests today and we're going to be talking about unified endpoint management and problems with mobility. These issues have been around for a long time, they affect the entire business, and their impact is only increasing.
There have always been three IT pillars for me: process, people, and technology. But a fourth one was added recently in a conversation that occurred at our BlackBerry Security Summit between our CEO John Chen and one of the leaders of Ukraine's cybersecurity forces. He calls that fourth pillar cooperation, or collaboration.
So, we're going to talk about all four of those pillars today, and how they relate to mobility in the workplace. Now I will ask my guests to introduce themselves, starting with you, Baldeep.
Hi everyone, I'm Baldeep Dogra. I manage product marketing for cybersecurity and UEM within our cybersecurity division at BlackBerry. I've been at BlackBerry for almost 18 years, where I've held mainly management and leadership positions in technical sales and product marketing. Before BlackBerry, I was at Lotus, IBM, and IXOS/OpenText where I held positions in software consulting.
So glad to have you today. And Alex, would you introduce yourself?
I’m Alex Willis, I lead the SE (sales engineering) team for BlackBerry globally, and I also lead the ISV partner program. In my SE role, we spend a lot of time in the market talking to our customers, understanding what their needs are, and the challenges they are facing across many verticals in different segments. In that regard, I think we're close to what's happening in the market. We are in a position between our customers and our product management team.
My background is in consulting, so I spend a lot of time with customers and designing systems for them, aligning technology and services with an organization's goals. I've been at BlackBerry for 21 years.
Wow. That gives you an idea of the depth of expertise that we have here. And what a great perspective to share. Let's set the stage a little bit; Alex, let's start with you. Why is the mobile attack surface expanding right now?
It's a big question. I think with the advancement in devices and mobile network speeds over the last many years, people are starting to do more with their devices. The other thing is there's an obvious impact of the pandemic where people had to work remotely, but I would say that trend, remote work, had been started before the pandemic.
People want to be able to do their job, wherever they are. What the pandemic did was make the concept of remote working more urgent. Before the pandemic, an organization had an opportunity to dip its toes in and start making available additional data and applications. Once the pandemic hit, it was 'we need this tomorrow, or today.' They didn’t have a few months to deal with it.
I think a lot of us have talked about the time of the pandemic being almost like a pilot or a POC (“proof-of-concept”) for organizations to really see what it's like to allow work on mobile from various devices including many bring-your-own-devices. We always thought of BYOD as being limited to cellphones or iPads, but then it expanded quickly to include home computers and other devices. I think it was a good POC and that the industry responded well.
We worked with many customers through that early pandemic, helping them make that transition happen fast. And there were a lot of considerations there, not just the device itself, but network access and data leakage, and all that sort of stuff.
So, yeah, I'd say in terms of “why” the mobile attack surface has expanded, it's just that the pandemic made remote work happen super fast. But everyone was on that path to remote work anyway.
Yeah, usually a proof of concept isn't mandatory, and you don't do it on production systems, if you can avoid it. So, it's a little different, but I get your point. Baldeep, what are some of the things that companies discovered in this “mandatory POC”?
One thing I could look at is the growth and popularity of cloud-based accounts. We know they expose more resources that need that interconnectedness that Alex just spoke about, and that means more access points.
Another thing you have got to think about in a POC: When you log onto your laptop or your desktop, think about the number of accounts that are probably on there already. You could have an admin account, super-user account, the user account; these add up. And those are all access points, which could be used as points of entry for threats.
It also adds to the amount of choice out there — and the need for multiple devices, for many — and then you end up with what we call “endpoint chaos,” which has increased the mobile attack surface.
There might have been a bit of a catalyst with cloud-based accounts, as well. I think it's a good point. Now before, the proliferation of cloud accounts was not aligned with consumerization of IT. Business units were signing up for cloud accounts and services, and then security and IT teams were having to rein them in and manage them. But now, organizations themselves are formally adopting these cloud services.
People assume that you get away from that paradigm — where everything inside of the firewall is good, and everything outside is bad — when you're using stuff on the cloud anyway. It makes sense to everyone involved that you'd be able to access accounts and services while mobile and outside of the company network. But as we all know it’s not that simple.
Security teams have to take a good look at the landscape and do a risk assessment. And then how do you mitigate that risk? What processes and policies can you put in place that aren't going to lower adoption?
You want to get the return on the investment, you want productivity, so then you can't make it too onerous for users to use technology, or else it wasn't worth adopting it in the first place.
That really touches on the first pillar, which is people. For a lot of people in the workplace, the mobile platforms were secondary to their workstations. Their workstations were behind the firewall, (so) they were protected, and were that last bastion of the secured perimeter.
That went away. Now those backup devices — what they used when they couldn't get on their workstations — those became frontline, and their “workstations” became their home computers, or any number of computers. So, users certainly are affected. But also, you mentioned security teams, which is interesting because traditionally, I think mobility was handled more on the IT side of the house than security.
Good talk, gentlemen, I think we're going to stop right here. We'll be releasing these interviews in a series, so you can check out the rest of the conversation. Watch for episode 2 which is coming out next week. Thank you both for joining us.