How to manage inherent endpoint risk in a hybrid IT environment
For many years, IT’s job in terms of managing endpoint risk was complicated but straightforward; ensure any endpoint device (primarily laptops or mobile devices) were verified as belonging on the network (normally a VPN or behind a firewall), up to date in terms of their anti-virus software, and that best practices were followed in terms of data hygiene for compliance purposes.
That was then, this is now.
The definition of an endpoint has expanded tremendously; it's gone from a laptop in a secure, predictable place, to laptops that are well outside a secure perimeter and moving around at will, plus the addition of an endless and constantly evolving new set of endpoints as IoT explodes across nearly every vertical. To complicate matters further, this expansion is taking place at the same time that companies are moving to the cloud in earnest - the pandemic dropped the hammer on digital migration and companies were forced to compress years of migration into weeks. No longer straightforward but complicated, the job has also become difficult and requires an agility to adapt that most companies lack.
The risk here is not just a security challenge due to the vast expansion of the potential attack surface, there are significant compliance implications that are constantly evolving, becoming more stringent on a steady cadence, and constantly testing the upper ranges of statutory limits. Having to pay a seven or eight figure fine while you’re trying to invest in securing your perimeter is not only aggravating, it's counterproductive.
The potential risks cover multiple areas:
Financial risk - endpoints as a means of access are a hackers dream. There are so many of them, and most people given the choice of convenience or security, are likely to choose convenience. It can also be non-obvious; hackers from Finland were able to access a casino’s high roller database by accessing a “highly secured” network by hacking into temperature sensors on a fish tank that were connected to a PC. If it's on the network, it is technically accessible, and there are a lot of things on the network these days. Ransomware attacks are so common these days they are no longer front page news, but they are definitely expensive and disruptive to the victims of the attack.
Compliance risk Between CCPA/CPRA, GDPR, SOC2, HIPAA and a myriad of other compliance frameworks, it has never been more critical to be paying particularly close attention to what is happening on your devices, and who is responsible for what is on them. This is a combination of having well defined internal protocols for how employees interact with information resources - all new hires have to have this drilled into them as part of the onboarding process, and existing employees need to have refresher training at least once a quarter. Sounds like a hassle? How does an eight figure fine sound? Complying with regulatory mandates is straightforward, if everyone pays attention.
Security risk A remote device is less secure than one inside your firewall or on a VPN. A home wifi (how the remote workforce commutes these days) is built for convenience, not security, and is shared by employees and family members who probably have very different views of the security aspects of compliance mandates. The risk of ransomware continues to increase; it’s too easy, and the money is too good to not keep hackers focused. Keep in mind the definition of endpoint is also not what you probably think, and IoT devices (of which there are increasingly vast numbers) are designed for interconnectivity, which is effectively the opposite of security. If it has an IP address and is on your network, it’s at risk.
Reputational risk On one hand, everyone understands that there are hackers out there constantly looking for opportunities, and it can happen to anyone. On the other hand, if you were hacked, you look vulnerable at best, or incompetent at worst. In either case, you have no upside, and people tend to have long memories when it comes to security breaches. Your worst case scenario is becoming a cautionary tale in the Harvard Business Review. Keep a ridiculously tight and continuous grip on the security of your perimeter, because at this point you don’t really have an option.
So how can enterprises stay ahead of something this complex that is constantly evolving? Technology needs to be contextualized to its use, and viewed from a single perspective across the entire lifecycle of the asset in question. This enables a much more cohesive and integrated approach to technology management across the enterprise, including a stronger security posture, better adhesion to compliance mandates, improved financial efficiencies in managing technology across the asset lifecycle, and a better and more engaging employee experience. This is the value-add with Enterprise Technology Management.