The transition to remote and hybrid work environments that began in 2020 has left many organizations vulnerable to a variety of cybersecurity threats. In its 2021 Remote IT Management Challenges Report, endpoint management service provider Action1 (action1.com) published some concerning statistics based on the results of a survey of IT professionals. Per the report, organizations are having problems keeping their remote employees’ systems updated and patched. They’re experiencing patch deployment issues and failures, leaving vulnerabilities unresolved for extended periods of time. Other surveys and studies have revealed that many remote employees are not receiving enough security training and that they are taking shortcuts to circumvent company security policies.
Of the 491 IT personnel who took part in Action1’s survey, 78% said they had encountered problems and delays over the previous year when attempting to patch critical vulnerabilities. On average, survey respondents reported that completing the deployment of a critical update to all remote systems within their environments was taking 10 days.
Why is this happening?
Sometimes, patching fails simply because remote employees are not connected to the company network when the updates are pushed. Some, for whatever reason, decline the updates when they receive notification that they are available to be installed. Other reasons for failures in patch deployment include:
• Companies making only limited use of their automated patch management tools – the automated process includes servers but not endpoints
• Organizations failing to take advantage of new and effective cloud-based patching technology
• IT staffers having problems dealing with the increased complexity of the patch management process resulting from the transition to remote work
• The inability of IT personnel to get and effectively prioritize information about critical updates and patches
• The absence of patch management automation – patch management being done manually
• The absence of a patch management process
With the increase in the number of remote endpoints and the volume of patches needed to maintain security, a lack of bandwidth has also been blamed for deployment failures.
Improving the patching process
The following recommendations can help organizations improve their success rates in patching remote endpoints and minimize threats associated with vulnerabilities:
• Ensure that remote endpoints are visible to, and controllable by, IT personnel – Endpoints cannot be managed and patches cannot be deployed if IT staffers don’t know about them and/or can’t access them.
• Ensure that unsupported or unauthorized applications are removed from remote systems – Patches aren’t issued for vulnerabilities in unsupported applications, so systems running them will remain vulnerable until the applications are uninstalled. If remote workers are using company computers, IT personnel need to have the ability to determine when unauthorized applications are being installed and have the capability to remove them remotely. A software management/inventory system can be very helpful. Remote workers’ permissions should be limited to prevent them from installing unauthorized applications.
• Leverage automation – There is currently a shortage of qualified technology professionals that is only expected to worsen. Companies that manually manage the patching process are already having problems keeping up even with current staffing levels. Patch deployment needs to be automated. Many organizations use automated patch management systems, but only for their servers and third-party applications. Automation should also patch endpoints, whether they live within the company network or are deployed remotely.
User training and policies
The need for effective user training has never been greater. Bad actors are finding new ways to take advantage of opportunities presented by remote and hybrid workforce models. Organizations that need help developing and delivering training can turn to a growing number of training-as-a-service providers. These providers can simulate phishing and other social engineering attacks, automatically enroll users in training if they are found to be vulnerable, offer interactive online courses, and provide employers with metrics to evaluate the effectiveness of their programs. Training of remote employees should also include information relating to securing their home offices and company equipment.
Recent surveys have shown that many remote workers are taking shortcuts to avoid security requirements. Effective security policies and procedures, including those specifically intended to address the behavior of remote staffers, can reduce risk. This is especially true if there are real consequences associated with violating policy and employees are made aware of them.
If employees may access company resources using their personal devices, a BYOD policy is required. If IT can’t patch or control the apps installed on a user’s personal device that can access critical systems and data, there is no way to determine what vulnerabilities are being introduced. If personal device access is not required to facilitate remote work, companies should consider disabling that access.
If all else fails…
Even with effective policies, patch management, and training programs, remote work introduces vulnerabilities that can lead to security incidents. In this new environment, an effective incident response plan is needed and should include strategies specifically relating to security incidents involving remote employees. These plans should be continuously evaluated and improved. Conduct incident response exercises so that those who will need to respond in the event of an incident understand what is expected of them. The preparation of after-action reports can also be of help when evaluating and changing an incident response plan.
The transition to remote and hybrid work models was a sudden one and introduced a wide range of new vulnerabilities that were rapidly leveraged by cyber criminals. A lack of visibility into the devices and systems being used by remote employees to access internal resources, insufficient control over those devices and systems, and problems deploying critical security patches have left companies susceptible to attack. Ineffective or non-existent user training and policies make the situation worse. Implementing the recommendations will mitigate many of these inherent risks and allow companies and employees to continue taking advantage of the many benefits associated with these new work models.