Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Protecting the Atomized Attack Surface: Cybersecurity in the New World of Work

A new study reveals how moving to a remote workforce model and migrating business-critical functions to the cloud are exposing the vast majority of organizations to increased risk.

The next 18 months are going to test the mettle of cybersecurity organizations around the globe like never before.

The attack surface has been atomized by systems put in place to support remote work in response to the COVID-19 pandemic, all of which are well on their way to becoming permanent fixtures as the boundaries between office and home blur. The SolarWinds and Kaseya attacks heighten concerns about the integrity of the software supply chain. And the cloud is no longer optional — it's a crucial enabler of critical business functions in a workplace without boundaries.

What does all this mean for security leaders? We believe it represents an opportunity to rethink what's considered an "asset" and how a "vulnerability" is defined — and how to improve visibility into both — all while keeping employees productive and safe. It places renewed emphasis on the need to align cybersecurity with business practices.

A new study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, commissioned by Tenable and conducted by Forrester Consulting reveals that adjustments organizations made to adapt during the pandemic have heightened their level of risk. And it provides a sometimes alarming glimpse into what's happening on the average home network.The study is based on the results of an online survey of 426 security leaders, 422 business executives, and 479 remote workers across 10 countries (i.e., full-time employees working three or more days from home), as well as in-depth telephonic interviews with six business and security executives.

According to the study, 80% of security and business leaders indicate their organizations have more exposure to risk today as a result of moving to a remote workforce model and migrating business-critical functions to the cloud. We believe many of the remote work and cloud tools were pressed into service without security controls; in some cases, the tools themselves are nascent and their security controls are immature.

It's already well past time for infosec leaders to strategically re-evaluate the systems put into place to accommodate these changes with an eye toward making their security as dynamic as the workplace itself. Already, nearly a quarter (24%) of business and security leaders have made the move to remote work permanent; another 68% say they'll make it official over the next two years.

Expanding the software supply chain is likewise seen as a vector of increased risk for 61% of respondents. We believe any software expansion borne of necessity and spun up in haste is more likely to lack robust third-party security controls.

And the consequences for businesses are real. According to the study:

  • 92% of organizations experienced a business-impacting cyberattack or compromise within the past 12 months resulting in one or more of the following outcomes: a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property. 

  • More than two thirds of respondents (67%) say these attacks targeted remote workers.

  • The vast majority (74%) said at least one attack resulted from vulnerabilities in systems put in place in response to the COVID-19 pandemic.

  • Nearly three quarters (70%) were victims of three or more attacks. 


Meanwhile, the perimeter between the home network and the corporate network is dissolving. Not only are remote workers accessing sensitive corporate data from home, they're often doing so using a personal device. According to the study, over half of remote workers acknowledge accessing customer data using a personal device. When you consider remote workers have an average of eight devices connecting to their home network — including employer-provisioned devices, personal devices, appliances, wearables and gaming systems — and, on average, have three people in their household with devices connecting to the same home network, the challenges facing security leaders becomes stark.

Connecting from home is one thing; connecting from personal devices on an overtaxed consumer-grade home network without any corporate security controls is entirely another.

These findings make clear how little visibility organizations have into what's happening in their environments: 71% of security leaders say they lack high or complete visibility into remote employee home networks; 64% lack this level of visibility into remote employee-owned devices. With privacy expectations for employees naturally limiting any view employers can have into a home network, it becomes clear that security protections need to reside as close as possible to business-critical data and the assets used to access it. In short: If you can't understand the device and network, you need to control the access a user has.

While the challenges may seem daunting, the path forward is hiding in plain sight. Organizations must rethink how they define risk, looking beyond software flaws and device compliance to achieve a holistic view of their dynamic and disparate environments. They must invest in adaptive user and data risk profiles to disrupt attack paths by accounting for misconfigurations in Active Directory and the cloud and step up security based on changing conditions, behaviors or locations. And they must take a hard look at the limits of traditional, perimeter-based security architectures, to consider more sophisticated options that continuously monitor and verify every attempt to request access to corporate data at all levels, whether that's a device, app, user, or network attempting to make that connection. For some, this may mean a reckoning with their own cyber hygiene and vulnerability management practices; for others, it could present an opportunity to shift toward risk-based vulnerability management and continuous monitoring of Active Directory as a strategy for effectively disrupting attack paths; and, for the most advanced organizations, it could mean taking the first steps on a journey toward zero trust.

Whichever path you choose, the study makes one thing clear: business and security leaders must work together to find new ways to protect sensitive data in the new world of work.

Learn more

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training