You’ve probably heard this security adage: “The perimeter is dead.” Well, I’m here to tell you that the managed endpoint isn’t far behind. Even as a growing number of people in the U.S. get vaccinated and case numbers fall, the pandemic-driven changes in how and where many of us work have lingered. As of April, 72 percent of white-collar employees still reported working remotely, and 35 percent of all full-time employees who’ve been doing their jobs from home at least part of the time want to continue working remotely as much as possible, according to Gallup. It’s clear that many people want the shift to WFH to become permanent – and that also means a lasting adjustment in how we approach endpoint security.
Securing Endpoints in the WFH Era: Is It Possible?
The new reality of remote work as the rule rather than the exception requires security teams to rethink their long-term endpoint protection strategy to account for people relying on potentially unsecured devices to do their jobs. For instance, a 2020 IBM Security study found that 50 percent of people newly working from home reported using their personal computers for work. Improperly secured devices are a huge risk for any organization: 70 percent of data breaches start at endpoints, and numerous malware families (e.g., LokiBot, NanoCore and FormBook) specifically target endpoints, according to the Cisco blog entry “Securing Remote Work: Protecting Endpoints the Right Way.”
While you can deploy endpoint protection solutions and invest in corporate devices to lower your odds of experiencing a breach, in today’s work-from-home environment it has become essentially impossible to guarantee that none of your endpoints are compromised. To achieve the highest practical level of security, you have to shift your focus away from endpoint enforcement and toward sandboxing applications and protecting your servers and cloud infrastructure.
How to Lower Your Breach Risk With Bring Your Own Device (BYOD), Sandboxing and SASE
Although it might seem counterintuitive at first, you can improve your security posture by encouraging your employees to use their own devices for work. Take the funds you would otherwise have spent on company-issued phones, laptops and so on and give your team members a stipend to select and purchase devices that they like and are comfortable using. Then use a secure access service edge (SASE) solution to minimize your data breach risk.
SASE combines SD-WAN functionality with cloud-native security features and is ideal for businesses that rely increasingly on cloud solutions and services, according to Cisco. This type of solution allows security teams to adjust cost, reliability, performance and security for each network session based on user identity and context, as McAfee explains. Some of our clients have implemented secure remote work strategies by retiring their on-premises servers in favor of Microsoft 365 apps like SharePoint and OneDrive and then protecting their environment with our Office Anywhere offering, which combines a zero-trust framework with SASE and includes the following features:
- A single secure user identity, established from specific device characteristics, multi-factor authentication (MFA) and other app classifications
- The ability for end users to log in from any device with that identity, with policy enforcement verifying that each device is secure before any access to company resources is granted
- Policy enforcement that gives end users access only to the resources they need to do their jobs, based on the device’s security checks, the user’s access requirements and the resulting access determination
- The latest SASE offerings also include a SASE-hosted sandboxed browser and similar isolated applications, so even if the end user’s host is compromised, the malware stays confined to that host instead of gaining a direct path into your critical information systems. Keep in mind that a compromised host can still see what its user types and views, so the sandbox protects your systems, not that user’s session on the device.
If your company has Microsoft 365, you can also use Intune to implement a BYOD program and manage the apps that hold work data on your employees’ personal devices. With Intune app protection policies, admins can require end users to open work data only in the Office mobile apps and apply data loss prevention controls to those apps (for example, restricting copy-and-paste or saving to unmanaged locations) without enrolling the whole device.
SASE app and browser sandboxing – as well as endpoint checks to ensure the user’s device has all the necessary updates, anti-virus, and endpoint detection and response software before they connect to your corporate network – will significantly reduce your risk of an endpoint-related breach without corporate devices and extensive endpoint management. This benefits businesses in the form of savings on devices and management efforts while providing employees with new personal devices they can keep even if they part ways with the company. With your endpoint management savings, you can launch a program that gives your staff members an annual tech stipend, which should help attract top talent to your company.
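To make the access decision described above concrete, here is an added example (my own illustration, not code from Office Anywhere or any SASE vendor) of the logic a zero-trust gateway applies before a session reaches a resource: identity and MFA, group entitlement (deny by default), and a device posture check whose strictness depends on the resource’s sensitivity. It also shows the BYOD twist from the feature list: an unmanaged device that passes posture is still kept off restricted systems directly and is routed through an isolated browser session instead. All class names, resource tiers, the 30-day patch threshold and the sample users are hypothetical assumptions.

```python
"""Zero-trust access decision for BYOD endpoints (added example, not vendor code).

Before a session reaches a resource, the gateway checks identity (MFA, group
entitlement) and device posture (patch age, AV, EDR, disk encryption) against
the resource's sensitivity tier. Unmanaged devices that pass posture are still
not connected directly: restricted resources are served to them only through a
hosted, sandboxed browser. Names, tiers and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DevicePosture:
    os_patched: date        # date of the last OS security update
    av_running: bool
    edr_running: bool
    disk_encrypted: bool
    managed: bool           # enrolled in MDM/MAM (e.g. Intune); False for pure BYOD


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    mfa_satisfied: bool
    device: DevicePosture


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_groups: frozenset
    tier: str               # "public", "internal" or "restricted"


MAX_PATCH_AGE = timedelta(days=30)   # assumed policy threshold


def posture_failures(device: DevicePosture, tier: str, today: date) -> list:
    """Return the posture checks the device fails for a resource of this tier."""
    failures = []
    if tier == "public":
        return failures                 # nothing sensitive: no posture required
    if today - device.os_patched > MAX_PATCH_AGE:
        failures.append("os-patch-stale")
    if not device.av_running:
        failures.append("av-missing")
    if tier == "restricted":            # high-value assets also demand EDR and encryption
        if not device.edr_running:
            failures.append("edr-missing")
        if not device.disk_encrypted:
            failures.append("disk-unencrypted")
    return failures


def evaluate(session: Session, resource: Resource, today: date) -> tuple:
    """Return ('allow' | 'allow-isolated' | 'deny', reasons) for one session/resource pair.

    Every failed check is reported, so both the user and the SOC can see why a
    request was refused rather than just seeing a generic denial.
    """
    reasons = []
    if not session.mfa_satisfied:
        reasons.append("mfa-required")
    if not (session.groups & resource.allowed_groups):
        reasons.append("not-entitled")  # deny by default: only listed groups get in
    reasons += posture_failures(session.device, resource.tier, today)
    if reasons:
        return ("deny", reasons)
    if resource.tier == "restricted" and not session.device.managed:
        # BYOD host passed posture but is unmanaged: serve the app through the
        # hosted sandboxed browser so nothing on the host touches the resource directly.
        return ("allow-isolated", ["unmanaged-device"])
    return ("allow", [])


# Constructed sample data (hypothetical users, devices and resources)
TODAY = date(2021, 6, 1)
FINANCE_APP = Resource("finance-erp", frozenset({"finance"}), "restricted")
WIKI = Resource("intranet-wiki", frozenset({"staff"}), "internal")

HEALTHY_BYOD = DevicePosture(date(2021, 5, 20), True, True, True, managed=False)
STALE_LAPTOP = DevicePosture(date(2021, 3, 1), True, False, False, managed=False)
CORP_LAPTOP = DevicePosture(date(2021, 5, 28), True, True, True, managed=True)

ALICE_BYOD = Session("alice", frozenset({"staff", "finance"}), True, HEALTHY_BYOD)
ALICE_CORP = Session("alice", frozenset({"staff", "finance"}), True, CORP_LAPTOP)
BOB_STALE = Session("bob", frozenset({"staff"}), False, STALE_LAPTOP)


if __name__ == "__main__":
    for s, r in [(ALICE_BYOD, FINANCE_APP), (ALICE_CORP, FINANCE_APP),
                 (BOB_STALE, WIKI), (BOB_STALE, FINANCE_APP)]:
        print(s.user, r.name, evaluate(s, r, TODAY))
```

The point to notice is that the same user gets three different outcomes depending on the device: direct access from the managed laptop, isolated-browser access from a healthy personal device, and a denial (with the full list of reasons) from a device that is unpatched and missing MFA. Returning every reason rather than stopping at the first one is what makes the self-service “fix your device and retry” flow work for BYOD users.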
Of course, you shouldn’t completely forget about vulnerability scanning, OS patching and software version enforcement. However, with this updated security strategy, you can hyper-focus on protecting the servers, applications and other high-value assets behind the SASE “moat.” As a result, you’ll see faster vulnerability resolution times for your company’s critical systems and better security overall.
If you have any questions about endpoint security and data breach prevention, our security analysts are available to assist you. We can provide information about SASE, Intune and many other cybersecurity solutions, in addition to assisting with long-term security strategy development. Get in touch with us today by calling 877-599-3999 or emailing sales@stratospherenetworks.com.