Remote work is still causing security headaches for CISOs

Four years after the pandemic precipitated a major transition towards remote work, CISOs still report the practice as a major hurdle in keeping their organization secure.

COVID-19 forced many companies to shift to these practices and work through many of the complexities of maintaining a secure perimeter with employees logging in from various locations.

New research from Absolute Security surveyed 250 CISOs based in the UK gauging their assessment of their organization's cyber resilience, and found security leaders still find remote work to be a major hindrance to their firm’s defensive posture.

Half of the respondents said they experienced some form of cybersecurity breach or attack in the last year, with 47% noting an increased volume of nation-state associated attacks in the same period.

The vast majority of CISOs (84%) said phishing scams targeting endpoint security were the most common cause of breaches, while 80% identified ransomware as their organization's biggest concern.

Just under half of the CISOs surveyed by Absolute Security (43%) admitted that their security teams had not been allocated enough budget to keep on top of the growing number of threats they are exposed to, and increased complexity due to remote working has exacerbated this problem.

Almost three-quarters (72%) agreed that remote working had complicated their organization’s cyber resilience posture, while 73% said remote devices are their biggest weakness .

The complications flexible working introduces to a cyber leader’s security strategy are numerous, the study found, with one of the main concerns being the cyber hygiene of remote workers.

Separate research from Cloudflare found 67% of UK business leaders’ top cybersecurity concern related to their remote/hybrid workforce using personal devices to access company networks and data.

CISOs are still adapting to hybrid work security practices

Speaking to ITPro, Andy Ward, VP international at Absolute Security, explained how the transition to flexible work practices dramatically expanded the attack surface security teams need to manage.

“The COVID-19 pandemic transformed working models and catalyzed remote working and work-from-anywhere which still dictates how many of us work today,” he noted.

“However, the rise in remote working increased the attack surface for organizations, and several years on, our research suggests remote working continues to be a major weakness for security teams, with 72% of CISOs stating that remote working has complicated their organization's cyber resilience posture, and 73% identifying remote devices as their enterprise's biggest weakness.”

Ward cited the multiplicity of endpoints, vulnerabilities in remote desktop protocol (RDP) software, and phishing attacks targeting hybrid workers as some of the major risks flexible working has introduced to enterprise security .

Manufacturers: Discover digital initiatives that transform how you approach business

“The increased attack surface facing organizations due to multiple endpoints—such as laptops, mobile devices, home networks, and IoT devices—presents a difficult challenge for CISOs as they ward off the rising number of cyber threats .”

“Key factors complicating this process include vulnerabilities in Remote Desktop Protocol (RDP) and remote access software, and an increased volume of phishing attacks targeting remote workers.”

Richard Sorosina, chief technical security officer EMEA/APAC at Qualys, drilled down on how remote workers are introducing new threats for businesses.

“For remote workers, you need security capabilities that extend down to remote devices, so that you do not have devices connected to your network that are outside of the control of your security teams. Having full visibility and control of these remote devices is important but has proven to be a challenge for many CISOs,” he explained.

“Remote workers are also more likely to introduce shadow IT risks , using their own SaaS solutions where they feel the company tools on offer don’t work for them remotely, such as uploading company data to a tool that your organization does not manage and cannot secure.”

Jon Jarvis, Microsoft security solutions architect at Advania, told ITPro the shift to hybrid working has necessitated widespread adoption of zero trust security frameworks, as traditional perimeter-based security precautions become outdated.

“In this context, the concept of zero trust has gained significant traction. Zero trust is a security model that operates on the principle of ‘never trust, always verify,” he said.’

“It's a holistic approach that secures the organization by verifying every user, validating every device, and intelligently limiting access. As the world rapidly adopts remote work, zero trust provides a framework that adapts to the complexity of modern environments, offering robust security that aligns with the dynamic nature of today's workforce.”