Protecting the Atomized Attack Surface: Cybersecurity in the New World of Work

A new study reveals how moving to a remote workforce model and migrating business-critical functions to the cloud are exposing the vast majority of organizations to increased risk.

The next 18 months are going to test the mettle of cybersecurity organizations around the globe like never before.

The attack surface has been atomized by systems put in place to support remote work in response to the COVID-19 pandemic, all of which are well on their way to becoming permanent fixtures as the boundaries between office and home blur. The SolarWinds and Kaseya attacks heighten concerns about the integrity of the software supply chain. And the cloud is no longer optional — it's a crucial enabler of critical business functions in a workplace without boundaries.

What does all this mean for security leaders? We believe it represents an opportunity to rethink what's considered an "asset" and how a "vulnerability" is defined — and how to improve visibility into both — all while keeping employees productive and safe. It places renewed emphasis on the need to align cybersecurity with business practices.

A new study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work, commissioned by Tenable and conducted by Forrester Consulting reveals that adjustments organizations made to adapt during the pandemic have heightened their level of risk. And it provides a sometimes alarming glimpse into what's happening on the average home network.The study is based on the results of an online survey of 426 security leaders, 422 business executives, and 479 remote workers across 10 countries (i.e., full-time employees working three or more days from home), as well as in-depth telephonic interviews with six business and security executives.

According to the study, 80% of security and business leaders indicate their organizations have more exposure to risk today as a result of moving to a remote workforce model and migrating business-critical functions to the cloud. We believe many of the remote work and cloud tools were pressed into service without security controls; in some cases, the tools themselves are nascent and their security controls are immature.

It's already well past time for infosec leaders to strategically re-evaluate the systems put into place to accommodate these changes with an eye toward making their security as dynamic as the workplace itself. Already, nearly a quarter (24%) of business and security leaders have made the move to remote work permanent; another 68% say they'll make it official over the next two years.

Expanding the software supply chain is likewise seen as a vector of increased risk for 61% of respondents. We believe any software expansion borne of necessity and spun up in haste is more likely to lack robust third-party security controls.

And the consequences for businesses are real. According to the study:

• 92% of organizations experienced a business-impacting cyberattack or compromise within the past 12 months resulting in one or more of the following outcomes: a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property. 

• More than two thirds of respondents (67%) say these attacks targeted remote workers.

• The vast majority (74%) said at least one attack resulted from vulnerabilities in systems put in place in response to the COVID-19 pandemic.

• Nearly three quarters (70%) were victims of three or more attacks. 


Meanwhile, the perimeter between the home network and the corporate network is dissolving. Not only are remote workers accessing sensitive corporate data from home, they're often doing so using a personal device. According to the study, over half of remote workers acknowledge accessing customer data using a personal device. When you consider remote workers have an average of eight devices connecting to their home network — including employer-provisioned devices, personal devices, appliances, wearables and gaming systems — and, on average, have three people in their household with devices connecting to the same home network, the challenges facing security leaders becomes stark.

Connecting from home is one thing; connecting from personal devices on an overtaxed consumer-grade home network without any corporate security controls is entirely another.

These findings make clear how little visibility organizations have into what's happening in their environments: 71% of security leaders say they lack high or complete visibility into remote employee home networks; 64% lack this level of visibility into remote employee-owned devices. With privacy expectations for employees naturally limiting any view employers can have into a home network, it becomes clear that security protections need to reside as close as possible to business-critical data and the assets used to access it. In short: If you can't understand the device and network, you need to control the access a user has.

While the challenges may seem daunting, the path forward is hiding in plain sight. Organizations must rethink how they define risk, looking beyond software flaws and device compliance to achieve a holistic view of their dynamic and disparate environments. They must invest in adaptive user and data risk profiles to disrupt attack paths by accounting for misconfigurations in Active Directory and the cloud and step up security based on changing conditions, behaviors or locations. And they must take a hard look at the limits of traditional, perimeter-based security architectures, to consider more sophisticated options that continuously monitor and verify every attempt to request access to corporate data at all levels, whether that's a device, app, user, or network attempting to make that connection. For some, this may mean a reckoning with their own cyber hygiene and vulnerability management practices; for others, it could present an opportunity to shift toward risk-based vulnerability management and continuous monitoring of Active Directory as a strategy for effectively disrupting attack paths; and, for the most advanced organizations, it could mean taking the first steps on a journey toward zero trust.

Whichever path you choose, the study makes one thing clear: business and security leaders must work together to find new ways to protect sensitive data in the new world of work.

자세히 알아보기

• Read the full study, Beyond Boundaries: The Future of Cybersecurity in the New World of Work

• View the infographic, Beyond Boundaries: Rethinking Risk in the New World of Work