Hybrid Workplaces Are A Cybersecurity Nightmare
Kanebridge News
Share Button

Hybrid Workplaces Are A Cybersecurity Nightmare

It’s a hacker’s dream: a constantly changing mix of workers and stretched security staffs.

By James Rundle
Thu, Jun 10, 2021 12:07pmGrey Clock 6 min

For many bosses and employees, there is a measure of relief in returning to the office—especially for those who have the flexibility of continuing to work from home part of the time. But for those teams working to protect their offices from hackers, the new hybrid workplaces aren’t nearly as welcome.

In a typical hybrid workplace, some employees will be in the office, some will be working from home—or spaces like coffee shops and client headquarters—and some will be cycling back and forth. Devices, too, are moving in and out of the company network, with employees bringing their laptops onto company networks and then taking them back home—where they’re much more exposed to hackers and can easily get infected with malware.

So, security chiefs are faced with the task of supporting a constantly changing mix of office workers and remote workers, and company and home devices. Whereas security teams were able to focus on protecting the remote workforce during stay-at-home orders, doing so when employees are in the office for certain days of the week and at home for others will be difficult, says Rick McElroy, principal cybersecurity strategist at VMware Inc.’s Security Business Unit.

“It’s hard to maintain a security staff that looks one way in the data centre or one way in an office, and then one way for remote employees,” he says.

Making things even worse: Security teams have been stretched thin by the demands of the pandemic. For the past year, they’ve had to make sure everyone is equipped to work from everywhere and can use critical tools such as virtual meeting rooms. Things will only get tighter now that businesses are hiring more workers and launching into new projects they had put on hold during the pandemic.

The issues associated with hybrid work follow a bruising year for companies that were caught flat-footed by the coronavirus pandemic, many of which had to move to a fully remote model for the first time—and often almost overnight. Hackers were quick to realize that insecure home networks and a lack of security controls typically found on corporate networks could work to their benefit. The World Economic Forum estimates that cyberattacks jumped 238% globally between February and April 2020.

Those attacks have continued to hammer corporate networks, and in many cases target the technologies that companies implemented to quickly provide for remote work, such as cloud services. A report from Verizon Communications Inc., published in May 2021, found that attacks against cloud-based email, remote desktop applications and similar technologies designed to assist with remote work all increased over 2020.

“I think many organizations probably rushed [the move to remote work] and maybe haven’t done it in the right way,” says Phil Venables, a vice president at Alphabet Inc.’s Google and the chief information security officer of its cloud unit.

Now, the task gets even harder, as some workers return to the office, some stay home and some do both. Here’s a look at some of the challenges businesses are facing as they make this transition—and how they’re dealing with them.

Catching up on patches

One of the most basic problems security teams face is getting their machines up to speed with the latest software patches. These updates are released constantly to ensure that security vulnerabilities aren’t left open for hackers to exploit. If companies miss just one of these, they can pay a high price in terms of their vulnerability.

Now security chiefs are wary of the number of devices that may have sat idle in offices for over a year—turned off and unable to download patches—while employees have been absent, says Jadee Hanson, chief information security officer at cybersecurity firm Code42 Software Inc. And we’re not talking about just one patch, but potentially dozens or hundreds.

Of equal concern are devices that have been used by employees during remote working. Because of the extended time away from the office, users may have gotten negligent about installing patches, leaving machines vulnerable when they reconnect to the corporate network, says Ms. Hanson, a former security chief at Target Corp.

“We push a lot of the patching stuff down to our end users,” says Ms. Hanson. “But if they have not connected to the network in a long period of time, we just don’t know what’s left unpatched out there.”

Keeping personal devices sequestered

When it comes to employees’ work-from-home devices, it’s not just a lack of patches that’s a problem. It’s the fact that many employees have gotten lax about security practices while stuck at home for so long.

Email-security firm Tessian Ltd. published a survey of 2,000 workers in December, for instance, that found over half had connected work devices to public wireless networks, which are often regarded as insecure.

Similarly, a survey of over 3,000 workers published by AT&T Inc. in March found that over half of respondents had used work devices for personal business such as online banking and downloading apps, and over a third had connected them to smart home devices such as speakers.

Bringing those machines immediately into a company network, where they might spread infections and give hackers a beachhead, could be dangerous. Instead, the safest thing may be to have personal devices log into a “quarantine network,” says Mr. McElroy of VMware.

Under this model, he says, user devices would connect to a network that is separated from corporate systems until security staff can ensure the devices are free of malware and appropriately patched.

Security staff must also be vigilant for deeper threats that may be waiting in employee devices—such as malware that can stay asleep for some time before it awakes and allows for further infection.

Will quarantining work on a continuing basis? Quarantine networks may be difficult to manage if workers are in and out of an office frequently and have to continually quarantine devices, rather than doing so once during a full office return, Ms. Hanson of Code42 says.

“If somebody is doing 100% overnight, that might make sense” to go with a quarantine, she says.

Removing the human factor

To some security chiefs, though, the hybrid model has so many risks that we need to rethink the way we approach network safety entirely. Imagine if we had hybrid work from the very beginning. Would we really be treating cybersecurity the same way we do now?

Not likely, the security chiefs say. The usual ways of training employees to guard against hackers often don’t work, they say, so we should take that responsibility out of workers’ hands—and create defenses that work behind the scenes as much as possible.

“I think it’s insane that we have basically said that we are going to train people to filter phishing emails. We didn’t train people to filter spam emails, we just invented spam filters to take the problem away,” says Tim Sadler, Tessian’s CEO.

So, what’s the alternative? One possibility is a concept called zero trust.

To understand zero trust, consider the traditional type of network security. Usually, it focuses on building a perimeter around the company network to keep intruders out—think of firewalls.

The problem is that hybrid work makes it very easy for intruders to breach those outer defences, because employees working at home aren’t as vigilant as they should be. And because traditional security is focused on keeping hackers out, it’s tough to stop them once they get in—so the bad guys can run wild.

Systems that are more vigilant use multifactor authentication: Users might have to confirm their identity rigorously when they sign in to the network, such as entering a password along with something else, like responding to a message on their phone.

Zero trust takes that a step further. Even after users pass the authentications, security checks constantly exchange information in the background to verify whether users can access certain systems or files, rather than assuming that because they passed through the gateway, they should be allowed free movement.

By doing it this way, security staff assume hackers are already inside a company’s digital walls, and their job is to make it difficult for them to wreak havoc. And, because these processes are usually automated, zero trust doesn’t have to rely on users to make it all work.

At Microsoft Corp., CISO Bret Arsenault’s team has built out a zero-trust system to check employees’ identities and devices at every turn, including through multifactor authentication that can include face, eye and fingerprint scans. Once the tools verify Microsoft users, he says, they will push employees directly to cloud-based apps such as the Office365 workplace suite, rather than onto a corporate network.

Security veterans such as William O’Hern, the chief security officer at AT&T, say that improving identity management and other core zero-trust concepts can go a long way toward foiling hackers, who often rely on compromised credentials such as breached usernames and passwords. Around 61% of attacks during 2020 involved this information to some degree, Verizon said in its May report.

“If I had one thing to tell everyone to do, it would be to focus on strong identity proofing, not only of individuals but of [devices], too,” Mr. O’Hern says.



MOST POPULAR
11 ACRES ROAD, KELLYVILLE, NSW

This stylish family home combines a classic palette and finishes with a flexible floorplan

35 North Street Windsor

Just 55 minutes from Sydney, make this your creative getaway located in the majestic Hawkesbury region.

Related Stories
Money
New York Watch Auctions Record Uptick in Sales in the Face of Market Slowdown
By LAURIE KAHLE 24/06/2024
Money
The Crazy Economics of the World’s Most Coveted Handbag
By CAROL RYAN 24/06/2024
Lifestyle
Why It’s Easier Than You Think to Score a Coveted Table When Visiting Paris for the Olympics
By SHIVANI VORA 23/06/2024
New York Watch Auctions Record Uptick in Sales in the Face of Market Slowdown
By LAURIE KAHLE
Mon, Jun 24, 2024 4 min

Luxury watch collectors showed ongoing strong demand for Patek Philippe, growing interest in modern watches and a preference for larger case sizes and leather straps at the June watch sales in New York, according to an analysis of the major auctions.

Independent and neo-vintage categories, meanwhile, experienced declines in total sales and average prices, said the report from  EveryWatch, a global online platform for watch information. Overall, the New York auctions achieved total sales of US$52.27 million, a 9.87% increase from the previous year, on the sale of 470 lots, reflecting a 37% increase in volume. Unsold rates ticked down a few points to 5.31%, according to the platform’s analysis.

EveryWatch gathered data from official auction results for sales held in New York from June 5 to 10 at Christie’s, Phillips, and Sotheby’s. Limited to watch sales exclusively, each auction’s data was reviewed and compiled for several categories, including total lots, sales and sold rates, highest prices achieved, performance against estimates, sales trends in case materials and sizes as well as dial colors, and more. The resulting analysis provides a detailed overview of market trends and performance.

The Charles Frodsham Pocket watch sold at Phillips for $433,400.

“We still see a strong thirst for rare, interesting, and exceptional watches, modern and vintage alike, despite a little slow down in the market overall,” says Paul Altieri, founder and CEO of the California-based pre-owned online watch dealer BobsWatches.com, in an email. “The results show that there is still a lot of money floating around out there in the economy looking for quality assets.”

Patek Philippe came out on top with more than US$17.68 million on the sale of 122 lots. It also claimed the top lot: Sylvester Stallone’s Patek Philippe GrandMaster Chime 6300G-010, still in the sealed factory packaging, which sold at Sotheby’s for US$5.4 million, much to the dismay of the brand’s president, Thierry Stern . The London-based industry news website WatchPro estimates the flip made the actor as much as US$2 million in just a few years.

At Christie’s, the top lot was a Richard Mille Limited Edition RM56-02 AO Tourbillon Sapphire
Richard Mille

“As we have seen before and again in the recent Sotheby’s sale, provenance can really drive prices higher than market value with regards to the Sylvester Stallone Panerai watches and his standard Patek Philippe Nautilus 5711/1a offered,” Altieri says.

Patek Philippe claimed half of the top 10 lots, while Rolex and Richard Mille claimed two each, and Philippe Dufour claimed the No. 3 slot with a 1999 Duality, which sold at Phillips for about US$2.1 million.

“In-line with EveryWatch’s observation of the market’s strong preference for strap watches, the top lot of our auction was a Philippe Dufour Duality,” says Paul Boutros, Phillips’ deputy chairman and head of watches, Americas, in an email. “The only known example with two dials and hand sets, and presented on a leather strap, it achieved a result of over US$2 million—well above its high estimate of US$1.6 million.”

In all, four watches surpassed the US$1 million mark, down from seven in 2023. At Christie’s, the top lot was a Richard Mille Limited Edition RM56-02 AO Tourbillon Sapphire, the most expensive watch sold at Christie’s in New York. That sale also saw a Richard Mille Limited Edition RM52-01 CA-FQ Tourbillon Skull Model go for US$1.26 million to an online buyer.

Rolex expert Altieri was surprised one of the brand’s timepieces did not crack the US$1 million threshold but notes that a rare Rolex Daytona 6239 in yellow gold with a “Paul Newman John Player Special” dial came close at US$952,500 in the Phillips sale.

The Crown did rank second in terms of brand clout, achieving sales of US$8.95 million with 110 lots. However, both Patek Philippe and Rolex experienced a sales decline by 8.55% and 2.46%, respectively. The independent brand Richard Mille, with US$6.71 million in sales, marked a 912% increase from the previous year with 15 lots, up from 5 lots in 2023.

The results underscored recent reports of prices falling on the secondary market for specific coveted models from Rolex, Patek Philippe, and Audemars Piguet. The summary points out that five top models produced high sales but with a fall in average prices.

The Rolex Daytona topped the list with 42 appearances, averaging US$132,053, a 41% average price decrease. Patek Philippe’s Nautilus, with two of the top five watches, made 26 appearances with an average price of US$111,198, a 26% average price decrease. Patek Philippe’s Perpetual Calendar followed with 23 appearances and a US$231,877 average price, signifying a fall of 43%, and Audemars Piguet’s Royal Oak had 22 appearances and an average price of US$105,673, a 10% decrease. The Rolex Day Date is the only watch in the top five that tracks an increase in average price, which at US$72,459 clocked a 92% increase over last year.

In terms of categories, modern watches (2005 and newer) led the market with US$30 million in total sales from 226 lots, representing a 53.54% increase in sales and a 3.78% increase in average sales price over 2023. Vintage watches (pre-1985) logged a modest 6.22% increase in total sales and an 89.89% increase in total lots to 169.

However, the average price was down across vintage, independent, and neo-vintage (1990-2005) watches. Independent brands saw sales fall 24.10% to US$8.47 million and average prices falling 42.17%, while neo-vintage watches experienced the largest decline in sales and lots, with total sales falling 44.7% to US$8.25 million, and average sales price falling 35.73% to US$111,000.

MOST POPULAR
11 ACRES ROAD, KELLYVILLE, NSW

This stylish family home combines a classic palette and finishes with a flexible floorplan

35 North Street Windsor

Just 55 minutes from Sydney, make this your creative getaway located in the majestic Hawkesbury region.

Related Stories
Property
Thousands of Australian companies on the brink of going into administration as EOFY nears
By Bronwyn Allen 21/06/2024
Money
Social-Media Influencers Aren’t Getting Rich—They’re Barely Getting By
By SARAH E. NEEDLEMAN 19/06/2024
Property
The two Australian states where it’s a buyers’ market
By Bronwyn Allen 18/06/2024
0
    Your Cart
    Your cart is emptyReturn to Shop