If you thought that your current IT security practices were robust enough to fully support the transition to hybrid work, it’s time to think again.
According to data from Statista, 68.5% of businesses have been victimized by ransomware in 2021—the highest percentage reported to date and a 24% increase compared to just three years prior.
As both IT professionals and media reports have noted, much of that rise can be directly attributed to work-from-home (WFH) employees and the resulting shift in attitudes as well as practices when it comes to basic work-related computing. Once users step outside of the office walls, organizations simply haven’t been able to mitigate all the risks their activity might pose to the corporate network.
That creates a serious dilemma. Hybrid work, aside from being a necessary public health measure, has manifold advantages for employees and organizations alike. Neither wants to—or should have to—sacrifice those advantages. At the same time, a true hybrid work environment requires organizations to provide their users with secure yet straightforward remote access to business-critical applications on the days when they’re not in the office.
To err is human, but software isn’t blameless
Even if employees were to stay unfailingly vigilant and adhere to the most exacting security practices every second of the day, the fact remains that most virtual desktop products, including desktop-as-a-service (DaaS), don’t provide adequate protection against ransomware and other remote access security threats.
For example, the popular Remote Desktop Protocol (RDP) requires open server ports to the Internet to function. Hackers and malicious actors know this, which is why RDP-specific attacks like BlueKeep are proliferating in the remote and hybrid work era. The cybersecurity company ESET charted a 768% growth in RDP attacks in 2020, which equates to 29 billion attempted RDP attacks during that period. Many of those were simple brute force attacks.
When it comes to the old guard of VDI, DaaS and RDP solution providers, tighter security hasn’t been baked into their products at a core level. Instead they recommend a litany of external remedial measures: adding VPNs, using strong passwords, implementing two-factor authentication, performing regular software updates, using a remote desktop gateway, installing the latest OS patches, enforcing account lockout or implementing a centralized audit trail.
These extra steps add up to more than most IT departments can manage and/or ask of their users, and with advice like this, it’s a wonder that the number of ransomware victims isn’t 100%.
Rethinking security to support the hybrid workplace
It’s clear that hybrid work requires a complete revamp of how we think about and approach security. With the shortcomings of past and current solutions in mind, here are some things to consider going forward:
- Limit your attack surface: The more moving parts a solution has, the more potential points of exploitation it offers to rogue actors. Organizations, regardless of their size or sophistication, need solutions that eliminate the need for additional gateways and appliances that can inadvertently become security risks.
- Control your ports: Many remote technologies leave RDP ports open by default, which leaves your network vulnerable to brute force attacks. Your remote and hybrid work solutions should help lock down your ports by design, not haphazardly leave them open.
- Eliminate VPNs: VPNs simply create a secure tunnel between a user’s device and the corporate network. That model is based on implicit trust of the user. But if that user is on a personal device that’s riddled with malware, VPNs become a liability as they enable the user’s infected machine to access your corporate network and data.
- Keep it clean: When your remote and hybrid employees are using remote technologies to access their apps and files, their user data must be deleted from the server every time they log out. That way, in the unlikely event that the secure browser is compromised, the hacker only has fleeting access to the user’s session.
Securing hybrid work with virtual app delivery
Amid the global shift to hybrid workplace models, virtual application delivery has emerged as a preferred and proven way to empower remote workforces while enforcing strict security policies.
To begin with, virtual application delivery (VAD) simplifies remote access to business-critical apps. This has major ease-of-use benefits, of course, but it also succeeds in minimizing the attack surface. With VAD, users access only the applications they need via a secure HTML5 browser. That keeps the session self-contained and limits individual users’ interaction with the corporate network.
Additionally, some VAD platforms allow organizations to exercise tighter control over ports while also eliminating VPNs entirely—all without compromising on functionality. Intelligent technologies allow these platforms to dynamically open and close RDP ports, for example, to allow the flow of essential data without leaving the ports open on a permanent basis.
And because virtual app delivery technologies are able to keep remote users productive while also keeping their devices isolated from the corporate network, it doesn’t rely on VPNs to establish secure connections.
Last but not least, it’s not uncommon for VAD solutions to employ non-persistent data practices. This wipes each user’s data after each session, which severely limits a hacker’s scope of operation even if they were to somehow gain access.
These practices make virtual application delivery a powerful tool for securing your hybrid workers, especially if you’re aiming to deliver a Zero Trust environment. Users are able to enjoy full-featured access to the software they need at any time and on any device, and IT departments can rest easy knowing that longstanding security vulnerabilities are addressed and fortified against.
So as you rethink your organization’s approach to securing hybrid work, it’s important to start by assessing whether your organization truly needs a full virtual desktop implementation or if it would be more secure and less complex to enable people to access solely their business-critical apps instead of a full desktop.
In many cases, it won’t be an either/or decision – you may have a subset of power users who need a desktop, while the rest need secure access to their apps from any device. Regardless of your organization’s needs, the criteria above can help serve as a guide when evaluating the security of the remote & hybrid solutions you’re considering.
About the Author:
Robb Henshaw is Co-Founder & CMO of Cameyo