5 ways CISOs can secure BYOD and remote work without increasing security budgets

Check out all the on-demand sessions from the Intelligent Security Summit here.

Remote and hybrid work models have quickly become ubiquitous. The rapid shift to this new mode of work jumpstarted attempts to address the new security risks that accompany it.

Now, with 2023 around the corner and the fear of recession creeping into enterprise planning, security organizations must find ways to protect dispersed data and resources without driving up costs. But, they also need to continue supporting remote work and Bring Your Own Device (BYOD), which are key drivers for business flexibility, agility and accessibility to a wide range of human talent.

Here are five methods and controls for remote work security that can be implemented at minimal costs — and in some cases, even lead to cut costs.

1. Replace virtual desktops

Virtual desktops (VD) are virtual PCs in the cloud that enable remote accessibility to on-premises physical devices. After installing the virtual device software on the remote endpoint device, users can connect to their in-office workstations. This solution was designed for legacy architectures and was a good option when users needed to leverage their on-premises computers to access on-premises company resources and continue working.


Intelligent Security Summit On-Demand

Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.

Watch Here

In today’s cloud-driven architecture, though, connecting through virtual desktops has become cumbersome and expensive. Using a VD to access SaaS applications and websites and to process files locally is inefficient, subject to poor performance and latency, and creates significant IT overhead. These all contribute to poor employee experience that reduces productivity.

Additionally, VDs cost approximately twice as much as leaner, cloud-driven browser security solutions, which are also better equipped to deal with web-borne threats. By replacing VDs with modern solutions, security teams can cut costs, drive productivity, and enhance security — all in one.

2. Implement a zero-trust approach

Cloud architectures prompted security teams to find new methods for permissions provisioning. With users dispersed globally, the traditional castle-and-moat approach could no longer suffice. Alternatively, identity became the new perimeter, requiring security teams to manage their access in a new and modern manner.

The leading identity-based security approach for distributed architecture is that of zero trust, which consists of ongoing user authentication and authorization, rather than trusting them based on their originating network or IP. According to the recent IBM Cost of a Data Breach Report 2022, zero trust deployment saved organizations an average of $1 million in breach costs.

Any given security solution should offer a zero-trust approach as part of its solution to help curtail the attack window for gaining access or moving laterally and to cut the costs of data breaches. Procuring any other solution would be a waste of valuable budget dollars.

3. Manage access through granular conditions

Access management and user verification is derived from a clear set of policies. These policies will determine which identities can access which resources, and which actions they can perform. But keeping policies at a high level will give users too many privileges and could result in a costly data breach.

Authorization policies should be as granular as possible to ensure no excessive access privileges are given to users. These policies should be consistent across all SaaS apps and local applications and enforced on both managed and unmanaged devices (see above).

In addition to policies based on user roles or attributes, policies can be based on browsing events. Advanced analysis of website sessions can enable blocking access to specific malicious web pages to neutralize them without hurting user experience that will result from blocking access altogether.

By providing broad security coverage at a granular level without damaging users’ ability to work, security teams can achieve security and productivity, ensuring a high ROI for their security solution.

4. Train employees to raise security awareness

According to Verizon’s 2022 DBIR report, “82% of breaches involved the human element. Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike.” Remote work has only enhanced the use of phishing attacks and their sophistication, with 62% of security professionals stating that phishing campaigns were the most increased threat during COVID-19, per Microsoft’s The New Future of Work report.

No given security solution will be complete without training users and raising awareness on the abundance and severity of cyber attacks. Employees must be trained on the importance of being alert to web-borne threats and risks, like phishing emails or websites, malware injections and accidental private data mis-delivery. Conduct phishing drills, show demos, and continuously remind employees that organizational security is literally in their hands.

Getting employees excited about security and turning them into champions is the way to stretch the value of training dollars and reduce spending on unnecessary security controls.

5. Deploy modern alternatives to costly network solutions

Network security solutions like VPNs, CASBs, SWGs and endpoint detection and response (EDR) are costly and require IT management and maintenance, which also come at a business cost. They are hard to deploy, disturb the user experience and do not provide an immediate solution for the business’s need to scale.

On top of these operational shortcomings, network solutions do not provide comprehensive security from web-borne threats. For example, CASBs cannot secure unsanctioned applications, SWGs cannot fully secure malicious websites, EDRs might miss malware downloads, and VPNs tunnel users into networks rather than employing zero trust.

Modern alternatives that provide conditional access to resources have the potential to provide a higher level of security without the operational cost and overhead of managing the network traffic.

What’s in store for security teams in 2023?

Whether or not a recession is around the corner, teams will be expected to work extra hard to prove their worth without incurring extra costs on the business. Security teams, which have traditionally found it difficult to justify the need for budgets as it is, will have to evangelize their plans and explain how they’ve done everything in their power to cut costs. Lean and effective security controls are key for treading through 2023 and making it out on the other end.

Or Eshed is CEO and cofounder of LayerX

Originally appeared on: TheSpuzz