Carlos Morales is the CTO for Neustar Security Services.

After nearly two years of pandemic-induced remote work, it would be natural to assume that organizations have buttoned down their security protocols and are operating with confidence. Unfortunately, that hasn’t necessarily been the case. In an April 2021 survey of U.S. and EMEA security professionals my company conducted, more than half (or 54%) reported that their organizations were still suffering downtime and disruption from network security issues — it was certainly an improvement from the 61% reporting issues in the first six months of the pandemic, but not as great a leap as expected.

Those survey results reflect a time when most firms still had the majority of their employees working remotely. Today, many organizations are gradually bringing their people back into offices, testing the waters and supporting hybrid models to balance employee readiness with business needs. At the same time, employees have been operating in a borderless working world for going on two years now, and organizations have been tasked with the daunting challenge of securing hundreds — or even thousands — of “micro-offices.” With varied standards for securing how users connect and limited control over user behavior, the attack surface has expanded exponentially. The sheer volume of potential exploitable vulnerabilities created by this dynamic is chum in the water for would-be attackers.

What does this mean for the IT professionals who are tasked with keeping the sharks at bay? It’s led to a near-total polarity shift for their strategy — from a focus on securing on-site networks to safeguarding remote employees operating in a borderless world of work. Security experts are facing new challenges as their mission now lands them somewhere in the middle. In addition to all the security projects they had already been planning on implementing, they have also had to fast track the implementation of new user policies and tools to try to manage the remote user base. Already limited resources have been stretched even thinner.

Cyber attackers are adjusting to hybrid, too.

Although organizations have amped up their security efforts to compensate for the potential increase in vulnerabilities arising from the swift movement to remote work, cybercriminals have been equally hard at work seeking ways to exploit those gaps before they are identified and closed. According to Neustar’s 2020 report, U.S. and EMEA organizations experienced more than twice as many cyberattacks in 2020 as they did in 2019. Additionally, 74% of organizations reported being on the receiving end of a DDoS attack in 2020, compared to 60% in 2019.

In May of this year, fuel distribution to major East Coast markets was disrupted by a ransomware attack involving Colonial Pipeline, resulting in panic, shortages and price hikes. The attacker’s way in? A single, compromised password. Organizations involved in infrastructure, healthcare and education have all been recent targets of powerful attacks, and other industries — especially financial services, gaming and e-commerce/retail — are consistently targeted with such attacks. Network security is business-critical, and as there is no panacea that addresses all vulnerabilities, organizations need to acknowledge that any viable solution will require investing in a tailored, multifaceted approach.

Start by knowing what needs protection.

The need to protect network security is certainly urgent; every day that passes without an effective solution is another day of opportunity for attackers to hit pay dirt. But before investing in security, organizations need to know what their assets are and where they reside.

Key priorities are maintaining and protecting employee connectivity as well as corporate infrastructure. That corporate infrastructure may no longer be managed solely from an on-site data center; rather, key systems may be managed via microservices in the cloud or may be third-party cloud services. The once well-defined security perimeter has become increasingly blurred, and organizations must identify where critical borders have gaping, unguarded holes.

Consider the various potential threats.

Just as corporate networks and infrastructure have grown more complex, so have attack vectors. Where applications or systems are hosted, and how, may determine which types of threats are more serious or more likely to occur. Web applications have been shown to be a top vector for hacking, particularly content management systems that are popular with many organizations as a way to share information and build a digital presence. Compromising one of these systems could provide attackers a backdoor into your organization.

Domain name system (DNS) attacks have also been on the rise, as DNS services, by their nature, are relatively open and thus susceptible to bad actors. Domain hijacking, DNS cache poisoning, DNS tunneling and botnet-based domain attacks can all bring an organization down, impacting brand and reputation beyond the financial cost.

Capitalizing on the remote work environment, attackers have started using DDoS to target organizations’ virtual private networks (VPNs). Such attacks are just the tip of the iceberg, and security teams need to plan for these and other vectors when developing protective solutions.

Incorporate solutions that conform to organization needs.

Companies may consider following the FBI’s advice on best current practices for protection. For those that rely on web applications, applying a strong web application firewall (WAF) policy can ensure that your WAF continues to protect the organization and creates a barrier that hides your application vulnerabilities. Fortifying and securing your DNS infrastructure is another critical element for a stronger defense, as is finding a DDoS mitigation vendor to help in detecting and redirecting abnormal traffic to protect the network.

The bottom line is that each organization is unique in how it grows and develops — including its network systems and infrastructure. When seeking security solutions, finding a close, tailored fit is critical. While some companies may offer one-size-fits-all products, such services simply cannot provide the exact coverage where needed in all instances. It is sometimes more effective to integrate solutions from multiple vendors to ensure the optimal systems are in place to provide organizations with the confidence they need to move forward and face whatever the next new normal may be.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

