An expanded attack surface: The cybersecurity challenges of managing a hybrid workforce

With the global pandemic upending the traditional way we work, employees across every market sector in New Zealand are now spending their workdays alternating between offices, their homes and other locations. It’s a hybrid work model that Kiwis have embraced and it is here to stay.

At a recent CIO New Zealand roundtable event in Auckland, supported by Palo Alto Networks and Vodafone New Zealand, senior technology executives from organisations across Aotearoa discussed the challenge of keeping security front of mind when the workforce is dispersed.

Glenn Johnstone, Vodafone NZ’s Head of ICT Practices, highlighted the findings of their Disconnection report in which 30% of those surveyed said they would move roles if their employer didn’t offer remote working. But the productive benefits of working from home also bring a more complex IT environment to manage.

“The sheer number of smart devices in our lives means we are more vulnerable than we think. We’re connected through our phones, the printer, our cars, fridges, fish tanks – and any connection can be an issue. It means we need security across all devices; in the office, at home, anywhere and everywhere your people are connected,” says Johnstone.

“The other key aspect is implementing zero trust networking. If you’re working in the cloud, you have increased the surface area for cyber crime attacks by a factor of 60,” he adds.

Sean Duca, Palo Alto Networks’ Regional Chief Security Officer – Asia Pacific & Japan, echoes this. “With the primary focus now on safely and securely delivering work to our workers, irrespective of where they are, we need to think about where the data resides, who has access to it, and how it’s protected and accessed.”

How NZ companies are mitigating risk in a hybrid working environment

Joe Locandro, Chief Information Officer at Fletcher Building, praises the many productive benefits hybrid working has brought but highlights the challenges it brings from a security perspective.

“The computing edge has extended to people working from various ‘out of office’ locations including homes, hotels and different countries. In addition, most home computers are used by various family members. As a result, the potential for malware to become resident on home computers is increasing.”

Locandro highlights the need to focus on the securing the edge with cyber products which cover “end point” protection, two-factor authentication as well as employees keeping up to date with virus protection software on home computers.

Waqar Qureshi, General Manager for Network & Technology at Horizon Energy Group, says they have developed a work-from-home policy for their organisation which includes awareness and responsibilities for accessing, storing and sharing the data/information.

SSO, MFA and VPN systems are also in place to restrict unauthorised access to accounts and systems.

Another attendee at the event says they are using a secure VPN, MFA around that; MFA around logins as well as the use of geo-fencing.

“In terms of people risk, there is a great deal of communication. We use town hall meetings and email bulletins to remind them of the importance of being vigilant. Everyone also has to undergo phishing training plus we are running SMX over our email which blocks/disables various functions,” the senior technology executive adds.

With organisations no longer having their applications in-house, being consumed as a service or apps running outside the traditional perimeter; many have simply looked at addressing the challenges by focusing on access and authorisation, but the need to inspect all traffic is paramount, says Palo Alto Networks’ Sean Duca.

“Attackers target the employee’s laptops and the applications they use thus, we need to inspect the traffic for each application. The attack surface will continue to grow and also be a target for cybercriminals, which means we must stay vigilant and can continuously identify when changes to our workforce happen when our employees are and watch our cloud estates at all times.”

Educating your organisation is key

Attendees at the roundtable event discussed best ways to get buy-in and further awareness of the importance of cybersecurity, both from the board and the wider organisation.

Joe Locandro says Fletcher Building’s management team and its board are briefed monthly on cyber statistics, activities and events.

“There is strong support on cyber programs from management. We regularly educate our employees about the potential of malware through scam emails, often alerting staff to current market scams as well as regular phishing exercises. We measure ‘click through’ rates on phishing exercises as well as [the] degree of difficulty to detect.”

Another attendee at the event says being transparent with the board is key. “Risk is the number one topic in my board paper and is always bright red. There are details then of the current situation, what we are doing about it, and current progress. We are using Essentials 8 to provide a framework and rigour which is easy to understand and define.”

Waqar Qureshi underlines the importance of every organisation investing in ICT staff training on cybersecurity “mainly to help them understand why certain policies, systems and processes are important. This includes all ICT staff, not just members of the security team. ICT helpdesk staff are generally the first touch point between ICT and users.”

The evolving threat landscape

Running legacy solutions that can’t meet the demands of a borderless workforce could see an impact on productivity and the solution may not be able to deal with modern-day threats.

“Every organisation should use this as a point in time to reassess and re-architect what the world looks like today and what it may look like tomorrow,” says Glenn Johnstone. “In a dynamic and ever-changing world, businesses should look to a software-driven model as it will allow them to pivot and change according to their needs. How we work has changed, so we need to change our thinking and approaches.”

With the threat landscape evolving, Sean Duca advises that CIOs should be ever vigilant that:

• The attack surface has grown. Be sure you know what an attacker can see and manage it accordingly.
• Know your assets in and outside of the organisation – each one acts as a potential entry point for an attacker.
• Secure your cloud estate: ensure you have visibility and control over each of the workloads and data repositories in the public clouds you operate in – look for consistent security, not piecemeal approaches in each.
• You no longer have a perimeter, you have perimeters: secure your data apps where they reside – use least privilege access with continuous trust verification and security inspection.