It’s important to open by saying this is not a complete list. But by focusing on the fundamentals and the foundational protections, you can safely move your business’s security forward as the country starts its recovery following the last two years of exceptional challenges.
1. Remote working
The last two years have seen a massive acceleration in the trend towards remote working. That covers both employees working from home and the vendors and suppliers that need access to corporate IT systems. The switch was initially made in a hurry: companies were looking for a way to keep workforces operating, as effectively and as quickly as possible.
Now there’s a chance to step back and review that process. It is time to take a more considered approach to a more secure and robust way of enabling remote work. Increasingly, Virtual Private Networks (VPNs) are seen as a potential weak link. They’re complex to manage, they don’t address the problem of securing the connected endpoint, and they offer no more control over administrator connections than over those of regular users. You can’t avoid VPNs these days, but you must mitigate the risks, and the risks are highest with privileged users. Exposed remote desktop services are equally vulnerable, again especially for privileged users.
Both are being replaced by dedicated remote access management systems, especially for administrator access. A major strength of such systems is that they isolate the target applications and devices from the connecting endpoint, so a potentially infected endpoint cannot reach them directly and administrator credentials are never handed to it.
2. Protection Systems
Unfortunately, it is not a question of “if” your organisation will be attacked, but “when”. As has always been the case, there will still be more investment in defence systems such as firewalls, anti-virus and SIEM, amongst others, to build ever higher defensive walls.
When enhancing these defences or building the walls even higher, it’s critical to protect access to the defence systems themselves: the firewall management interface, the anti-virus console and the SIEM are all administered through privileged accounts. Without that protection, you are essentially leaving the keys in the gate of the fortress wall; an attacker who logs in to the firewall console with an administrator account simply opens it.
3. Recovery systems
Once you accept that you will be attacked, you also have to plan for your recovery. It’s important to build recovery plans, but it’s equally critical to test them. A written plan provides guidance but isn’t going to help if it hasn’t been proven to work.
Remember the fundamentals. A core element of recovery from almost any attack or natural disaster is restoring systems from backups. Backup management systems are very powerful, but they need to be protected in the same way as the security systems already mentioned. If an attacker gains administrative access to the backup system, they can change the backup and retention policies or delete the backups outright, which makes recovery slow or impossible.
To that point, the Osirium Ransomware Index asked 1001 IT managers about their policies for protecting backups. It revealed that only a third of businesses use access management to protect backups. We expect investment in this area to increase significantly in 2022.
4. Attack surface
Often overlooked, the organisation’s staff is its largest attack surface (the set of points from which an attack might start). Every employee with a laptop or a login is a potential weak point that an attacker can exploit.
A lot has been written about the need for high-quality staff training. It can reduce the chance of someone clicking on a link or downloading software infected with malware, but mistakes are easily made. Even the most experienced administrator can fall foul of modern spear-phishing and social engineering attacks. Training needs to be backed by systems that stop innocent mistakes from becoming expensive attacks.
One of the most significant steps is to adopt a “Least Privilege” strategy: staff get only the minimum access, to the fewest systems, that they need to do their work. Many already talk of zero trust strategies, yet these can be very complex and expensive to deploy, especially with distributed workforces and legacy systems that modern security environments no longer support. Least privilege is a pragmatic step towards that goal.
Start by removing local admin rights from end-users. Many users are given local administrator rights so they can make configuration changes (e.g., add a printer or join a WiFi network) without calling the IT help desk. The recommendation is:
- Identify all devices and local administrator accounts
- Verify if they’re really needed
- Deploy endpoint management systems that allow only approved applications to run with elevated privileges for those users.
These steps stop users from installing or running unapproved, potentially infected applications with administrator rights.
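The first two steps can be scripted before any endpoint management product is in place. The script below is an added example, not code from the original post or from Osirium’s products: it enumerates the local Administrators group on each device, marks each member as the built-in account, an approved principal or a candidate for review, and previews removal of the latter. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, WinRM enabled on the endpoints and a caller with administrator rights on them; the computer names and the approved-principal list are placeholders.

```powershell
# Added example, not code from the original post or from Osirium's products.
# Assumes: PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module), WinRM enabled
# on the endpoints, and a caller with admin rights on each of them.
# Computer names and approved principals below are placeholders.

$Computers = @('WS-001', 'WS-002')                                  # placeholder device inventory
$Approved  = @('CORP\Domain Admins', 'CORP\Workstation-Admins')     # placeholder approved principals

$report = foreach ($c in $Computers) {
    try {
        # Step 1: enumerate local Administrators on each device. The SID is returned as a
        # string so it survives remoting deserialisation.
        $members = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, PrincipalSource, @{ n = 'SID'; e = { $_.SID.Value } }
        }
    } catch {
        Write-Warning "${c}: could not enumerate Administrators ($($_.Exception.Message))"
        continue
    }
    foreach ($m in $members) {
        # Step 2: classify. The RID-500 Administrator account (local or domain built-in) is kept
        # and should be governed by LAPS or PAM rather than deleted; approved principals are kept;
        # everything else needs a human to confirm it is really required.
        if ($m.SID -like 'S-1-5-21-*-500')      { $status = 'builtin' }
        elseif ($Approved -contains $m.Name)    { $status = 'approved' }
        else                                    { $status = 'review' }
        [pscustomobject]@{ Computer = $c; Member = $m.Name; Source = $m.PrincipalSource; Status = $status }
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
$report | Export-Csv -Path '.\local-admin-audit.csv' -NoTypeInformation

# Step 3 belongs to an endpoint management tool. Until it is deployed, remove the members
# you have verified as unnecessary. -WhatIf previews the change; drop it to apply.
$report | Where-Object Status -eq 'review' | ForEach-Object {
    Invoke-Command -ComputerName $_.Computer -ArgumentList $_.Member -ScriptBlock {
        param($Member)
        Remove-LocalGroupMember -Group 'Administrators' -Member $Member -WhatIf
    }
}
```

Run it first with `-WhatIf` left in and review the CSV with the device owners; a local account such as `WS-001\jsmith` will land in the review bucket, while a domain group on the approved list is left alone. Removing the built-in Administrator account is deliberately out of scope, since that account should be managed (randomised password, checked out through PAM) rather than deleted.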
5. Supply Chain
Finally, it’s critical to consider outsourced IT services. These range from a supplier running your e-commerce website, through your ERP, CRM or HR systems, to contractors’ building management systems. Outsourcing is still a growing trend, and for good reasons, but it also introduces new risks to your network.
It’s one thing to follow advice to protect your on-premises systems, but do you have the same confidence in the systems provided by your suppliers? Osirium research recently revealed that although most IT organisations understand the supply chain risk, less than half have any formal agreement with their suppliers covering what happens in a ransomware attack, or understand how those systems would be recovered after one.
The advice for 2022 is clear. Review your dependencies on your supply chain, make sure you have good agreements in place for protection and recovery, and test them.
Osirium Technologies is a leading UK-based cybersecurity software vendor delivering Privileged Access Management (PAM), Privileged Endpoint Management (PEM) and Osirium Automation solutions that are uniquely simple to deploy and maintain.
With privileged credentials involved in over 80% of security breaches, customers rely on Osirium PAM’s innovative technology to secure their critical infrastructure by controlling third-party access, protecting against insider threats, and demonstrating rigorous compliance. Osirium Automation delivers time and cost savings by automating complex, multi-system processes securely, allowing them to be delegated to Help Desk engineers or end-users and freeing up specialist IT resources. The Osirium PEM solution balances security and productivity by removing risky local administrator rights from users while still allowing escalated privileges for specific applications.