The fortified castle model has collapsed. The rise of the cloud and the generalization of remote work have put an end to the cybersecurity approach that prevailed until then, in which it was enough to erect walls to secure information assets. So-called perimeter solutions such as antivirus programs, firewalls and VPNs no longer protect workstations when they access the information system from outside the company walls.
“The reach of IS, which until now has been stopped in the office, extends to our homes,” notes Arnaud De Backer, Channel Manager at Keeper Security. The boundary between the personal and professional spheres is all the more porous as he notes an increased return to the practice of BYOD (bring your own device), in which employees use their own digital tools. “Away from the office, employee behavior is evolving,” adds Etienne Laforet, senior manager of cybersecurity at Wavestone. “There is no visual control anymore, people are looking behind his back. This can create a sense of impunity and enable risky behavior.”
New ways of working, new threats
Remote access to IT not only increases the area of exposure to risks, but also creates new vulnerabilities. While the threats that traditionally weigh on the workstation remain primarily related to messaging and web browsing, with phishing and malicious sites, new attack scenarios are emerging.
The generalization of multi-factor authentication (MFA) has thus led to MFA phishing. “In the case of two-factor authentication using a smartphone, the code sent via SMS is intercepted by the attacker,” explains Etienne Laforet. “In more advanced attacks, the authentication code is requested over the phone by an attacker.”
Another possible attack vector: the delegation of rights that cloud collaboration suites (Microsoft 365, Google Workspace) offer to third-party applications to access messages or the calendar. A cybercriminal can take advantage of this to compromise a workstation and then move “laterally” through the information system.
EDR, ZTA, MDM and ZTE
To combat these new risks, Etienne Laforet is witnessing a shift in cybersecurity solutions from on-premises to the cloud. EDR (endpoint detection and response) replaces traditional antivirus software. “Similarly, the proxy is no longer on-premises but in SaaS mode to ensure filtering whether the workstation is on or off the company premises.”
Companies are also considering removing the VPN to move to a Zero Trust Access (ZTA) or SASE (Secure Access Service Edge) approach. “This includes continuously ensuring that access to the IS is only given to a workstation and user identified by connection context, location and security patch status,” explains Etienne Laforet.
Likewise, security policies are no longer enforced through Active Directory, but through MDM (mobile device management), which will ensure proper compliance with cyber policy across the entire IT fleet. With zero-touch enrollment (ZTE) of terminals, employees no longer have to go physically to the IT department to collect their workstation. Starting from a standard computer, the device is identified and the “master” is automatically turned off.
The best password? None
Preaching for his own parish, Arnaud De Backer emphasizes the importance of using a password manager that will automatically generate unique and strong passwords and enforce the company’s security policy.
He recalls that more than 80% of data breaches are due to compromised passwords or identifiers. If they are leaked on the dark web, a monitoring tool like BreachWatch from Keeper Security immediately alerts the security manager.
And why not do without a password altogether? The “no password” trend has been booming in recent years. Microsoft and Google encourage the system of access keys (passkeys), which is based on a PIN code, a fingerprint sensor or even facial recognition.
Man, the weak link
Finally, since people remain the weak link in any cyber policy, action is needed to raise awareness among users. “Remote work is not limited to the home,” recalls Etienne Laforet. “An employee can work from a train, airport, hotel. There are hygiene rules you should follow to reduce the risk of data leakage.”
By placing the employee in a real-life situation, fake phishing campaigns help raise awareness. Some companies make cyber-security training mandatory for employees who click on a corrupted attachment or malicious link.