As our workplaces evolve, so too do the threats to IT systems. What do you need to know?
The phrase ‘future of work’ conjures up an image of a slick, highly technical working environment that seems decades down the line. The reality is, the future of work is developing under our noses at a rapid pace.
Cybersecurity professionals and IT administrators have a particularly tough task in dealing with so-called ‘future’ technologies, which are in fact already being deployed, albeit not in their most advanced iterations.
Still, there is plenty to watch out for in the here and now that will apply to future cybersecurity strategy. From staff using unauthorised apps to internet of things (IoT) risks, Siliconrepublic.com asked the experts what people should be wary of in the coming months and years.
Malware cocktails leave IT admins shaken
CEO of global cybersecurity leader SonicWall, Bill Conner, says that ‘malware cocktails’ will affect companies of all sizes. These cocktails mix threats together to construct brand-new hybrid attacks. He says a layered security approach from both governments and businesses is crucial, including encrypted communication, cloud sandboxing and deep memory inspection.
Another key trend is the increasingly social nature of online workplaces, according to Ofer Maor, director at electronic design automation and IT firm Synopsys. “The traditional barriers and work-life balance are changing into a mish-mash of online presence where people conduct themselves for both their personal and professional lives.”
The lines between personal and professional are blurring and this has a tangible effect on cybersecurity standards.
A tangled web of cybersecurity issues
Martin Schallbruch, longtime director general for IT, digital society and cybersecurity in the German Federal Ministry of the Interior, and current deputy director of the Digital Society Institute of ESMT Berlin, says the growing volume of devices isn’t helping struggling IT managers.
What’s more, “a rising complexity in IT architecture”, such as the modern infrastructure of a hospital with “classical ICT surroundings and medical devices”, along with cloud services, is creating a more tangled IT landscape.
Maor agrees that the continuing decentralisation of IT management will remain a challenge. The use of AI is also a huge change and, while this presents new potential for employers, it also comes with risk.
While AI is nowhere near the endgame many imagine from science-fiction films and novels, there are still a lot of processes becoming automated. Maor said: “More and more business processes will be moved to completely (or almost completely) automated processes, where there is little to no human inspection involved.
“This can allow attackers to operate more easily without being detected or blocked, and create hacks that target these business processes directly, either by attacking the AI algorithms themselves or just finding ways around them.”
IoT causing headaches
As IoT devices in the home grow in popularity, so too do workplace connected devices. IoT risks are important to prepare for, according to Rahul Powar, CEO of London cybersecurity firm Red Sift. “Always have security in mind and ensure the devices you are using have strict authentication, limited access, and are heavily monitored. Look to a third-party security provider to add encryption,” advised Powar.
Devices other than IoT gear are also a key element of future security and, despite the bring-your-own-device (BYOD) issue being a decade old, it still presents just as much of a problem.
Perimeter security is not good enough
Powar explained: “Many companies struggle to defend against the threat because their legacy systems use perimeter-based security, which fundamentally just doesn’t work any more. The future points to next-generation security architectures that rely on ‘zero trust’, eg Google’s BeyondCorp, which shifts access controls from the perimeter to individual devices and users.”
This emphasis on zero trust is echoed by Bernd Koenig, director of security products at Akamai. “To protect against these threats, organisations must adopt a zero-trust approach to security, assuming no request to access networks, apps or data should be automatically trusted, no matter where it comes from, and requiring every attempt to be authenticated before access can be granted.”
Insider threats
The attack vectors ahead are numerous, from brute-force attacks to data breaches and even insider threats. The latter is particularly notable, given the increasing use of cloud security by organisations.
Powar noted: “Most employees are trustworthy, but a rogue cloud service employee has a lot of access that an outside cyber-attacker would have to work much harder to acquire. Ensure you make your staff your strongest and most secure asset by educating and training them.”
CEO of password management firm Dashlane, Emmanuel Schalit, says that human error – and, in truth, laziness – will remain a major threat going forward. He added that multiple accounts can often lead to easily guessed passwords and further issues. “Between passwords for work and the ever-growing number of personal passwords, the amount of information we need to retain is overwhelming.
“Because they don’t want any hassle with logins, employees opt for weak, easy-to-remember passwords. And, to make matters worse, these are reused everywhere.”
Research from Code42 shows that 93pc of CEOs keep a copy of their work on a personal device. More than 68pc of CEOs know the practice is risky, but they do it anyway. Richard Agnew, vice-president of EMEA at Code42, reiterated that there is a general laxity when it comes to following correct practices. “If company CEOs aren’t following data security policies, how can we expect anyone else to?”
More benign threats include natural disasters affecting cloud data storage, or the simple accidental press of a button by a tired employee.
Remain calm and upskill
With all of these threats to keep note of, it’s easy to feel overwhelmed. However, there are some simple strategies you can deploy to future-proof your IT environment (within reason, of course).
Upskilling is crucial for everyone, whether in work or at home. Chief security officer at Cybereason, Sam Curry, says that separating the cyber from the kinetic “makes no sense any more, and this is true from the workplace to the weekend and from the boardroom to the battlefield”.
Curry notes that even the average home is now a mini IT environment comparable to what some mid-size companies had less than a decade ago. This means that basic cyber skills are now a requirement for all. He continued: “The risks posed might change, but the IT environment is looking more and more similar, with IoT coffee pots, cloud services, mobile devices and shared productivity suites being used in all aspects of our lives.”
Start at the design stage
The design of systems is a crucial time for IT administrators to make good decisions early on, says Schallbruch. He says that it is important for management to “take the view of the user” when designing IT architecture.
As it becomes more and more difficult to manage organisations in the traditional ‘overseer’ model, more bottom-up design thinking will help create better systems. Ensuring that security is, in his words, “sitting at the table from the first minute on” sets teams up for a successful cyber-hygiene model in the years to come.
This type of IT ethos can then teach personnel to better adhere to good practice, says Tim Hall, CTO of managed IT services firm Blue Logic. As well as this, network segmentation offers a better protective layer. “Getting the basics right is not easy, of course, and, because of this, organisations must shift their approach to cyber to be much more defence-in-depth by deploying more segmentation within their networks, ensuring that a single breach does not lead to total compromise.”
Technological advances and wily cyber-criminals do create new ways to exploit and damage businesses, so adopting protective solutions is vital. Equally important, though, is the knowledge base of every member of a team and a centring of cybersecurity in every organisation from the word ‘go’.