Endpoint security in an agile world


Endpoint security has evolved significantly over the last 2 years.

The old signature-based antivirus and basic firewalls are simply not enough to protect businesses from an endpoint breach, be it a laptop, desktop or a mobile device. The threat landscape has grown massively through COVID, with endpoints now sitting outside the protection of the corporate network en masse. How the endpoint is protected is going to vary by the workload and application sets used within an organisation.


Endpoint Security for SaaS platforms and legacy applications

There are two main camps. Those who are predominantly web based, say using Office 365 and a couple of line-of-business applications that run on a SaaS (Software as a Service) platform. And those who run a mix of legacy applications, probably with Office 365 and perhaps Citrix or Windows Remote Desktop. There are of course those who use technologies such as AVD (Azure Virtual Desktop), but for simplicity we’ll bundle them into the latter camp. In reality, the risks to both are similar and need to be assessed.


Layering is key

The key to protecting all endpoints and ultimately all organisations is to have numerous layers of defence. You can’t simply rely on a single control – because if that fails, or has a security vulnerability, then it’s probably going to be breached. The cybercrime industry is simply enormous, global, relentless and moves at lightning speed.

The more controls and the more checks and balances you have, the more chance you have of another control picking up and stopping an exploit when one fails. This isn’t about doubling up; it’s about using a number of controls that each protect against primary risks but may have some overlap. It’s not just about technology, so organisations really need to work on their risk registers to understand how they are controlling against certain risks and where they are thin.


Information Security Management System

Ideally organisations should be looking at implementing some form of ISMS (Information Security Management System), such as ISO 27001 or IASME, to continually evaluate, test and improve their IT security.

It’s now critical to have a framework to manage endpoint security, as things are moving so fast. A business can’t simply rely on IT support and security teams to be responsible for data security. It’s the board’s responsibility to make the decisions on how they are going to protect against particular risks, divert budgets, etc. It’s not the IT team that regulatory bodies such as the ICO, FCA or SRA will punish if there is a breach. Neither will clients or the media be fobbed off that it’s an IT issue, especially if there is no ISMS in place.


Simplify IT environments

As a general rule, all organisations need to be focused on simplifying their IT environments. Over the years there has been too much bloat, in terms of too many applications, servers and data, and this bloat has led to complexity.

The more complex an IT environment, the more difficult it is to secure. Simplifying the environment has to be a primary focus in this new world. Depending on needs, you can generally simplify and ultimately secure the endpoint by not having any data or applications running on it, except the bare minimum. The larger the attack surface, the bigger the danger of an exploit.

This isn’t always going to be possible of course, but where it is, technologies such as Azure Virtual Desktop, Remote Desktop Services and the like do have their place.


Endpoint Security of BYOD (Bring Your Own Device)

More and more organisations are again talking about BYOD (Bring Your Own Device) coming out of the pandemic. In certain circumstances BYOD can be extremely beneficial for a business if, for example, it’s giving access to a web-based portal to a third-party contractor, obviously with some security measures such as multi-factor authentication. However, as a general business practice for all staff, BYOD is not a good idea because in the main it’s difficult for an IT team to really lock down someone’s own device properly.

There are various container-type solutions that isolate data and applications from the underlying operating system, but depending on what information that employee is dealing with you might want greater control and monitoring of the device. You can’t really do that on an employee’s personal device without impinging on their privacy.


Can CYOD help solve Endpoint Security issues?

One good solution can be a CYOD (Choose Your Own Device) initiative as a sensible middle ground. That way people get the tech they prefer, but the business can overlay whatever security solutions it likes. In particular, SIEM solutions and intelligent advanced endpoint protection solutions are becoming more and more critical.


What risks does an endpoint face?

The bulk of the risks that face the endpoint come over the network, either as a direct attack against an interface, through eavesdropping and man-in-the-middle attacks, or delivered through an application such as a web browser or email client. Once the endpoint is breached, any follow-on breach of the main corporate network is also going to come from this device.

This is why it’s essential to get some control of the connections to and from the endpoint with technologies such as SASE, CASB and VPNs. It should be noted that traditional VPNs are generally cumbersome, still problematic, and not ideal in a hybrid world.


Next Steps

If you’d like a free initial review of your security controls, without any obligation, please fill in your details here and one of our team will get back to you.


Cyber-Security: Going Beyond Technology


Cyber Security beyond technology: a white paper write-up based upon a webinar hosted by David Clarke, QuoStar Head of Security & CISO, and Chris White, QuoStar Head of Consultancy & the CIO Service, in July 2021.

Why is cyber security beyond technology such a hot topic?

Cyber-security is an increasing threat that businesses of all sizes should take seriously. It is a topic that should regularly be on the board’s agenda.

A day doesn’t pass without a business being targeted via ransomware, phishing or DDoS attacks – all causing significant disruption to businesses. For some businesses it has been so bad that it’s affected customers and meant closure.

The destructive rise of state-sponsored attacks, mixed with organised ransom-focused crime gangs, has changed the threat landscape dramatically.

Most firms are global 24/7, and their assets are mostly digital. The current ransomware situation is dire. Huge due diligence needs to be taken within supply chains now, particularly when working with the government.


We fall like dominoes if we’re not careful

What are the main threats in today’s landscape? Due to the technological set-up of industries today, the knock-on effect of digital disruption is now very large. For example, the US fuel pipeline issue affecting the entire east coast of America was down to digital disruption. The possible effects of digital disruption have always been there, but now the impact and knock-on effects are massive.

Follow the Swiss Cheese Risk Model

In today’s threat landscape, layers of cyber defence need to be in place. Not one or two, but several layers. This is similar to the model used in the aircraft industry: the Swiss Cheese risk model!

When Swiss cheese is sliced it has holes, and that’s OK. The problem is when several holes inadvertently line up. Applied to security measures, that’s when disaster can strike: the aligned gaps magnify into one large risk rather than a few small risks at lower levels.

Clients increasingly want to understand the security measures taken by a business. This in turn means questionnaires, audits and hoops to jump through before business can be conducted; their requirements need to be met.

Unfortunately, due to the increase in cybercrime over the last couple of years, it’s more a case of WHEN it happens than IF it happens.


Prevention is better than cure

Businesses need to start preparing to prevent an attack, rather than preparing to handle one. If you are handling it, it’s too late and the financial damage of dealing with it has already been done. The downtime caused by having to deal with an attack can potentially cost millions a day. In this case prevention really is better than cure.

The consequence of a breach is not just dealing with the ransomware attack. It may lead to having to rebuild your whole IT infrastructure. You may need to move physical servers, migrate networks or change cloud systems: things that take a huge effort but need to be done in a very short timeframe before you are out of business, days or weeks at most. The law firm DLA Piper paid for 15,000 hours of IT overtime as a result of their attack!

Smaller organisations still face huge financial impacts and disruption to both themselves and their clients. Firms must take care of client data too. Breaches of that data can impact reputation, as well as run the risk of potential fines and punishment that can escalate rapidly. Regulators, including the ICO, are becoming increasingly interested in these types of events.

So, how can we avoid successful attacks? It is much cheaper to get your security layers in there first. The layers don’t need to be expensive, just suitable, with good architecture.


When will they come for you?

It may seem obvious, but most attacks happen when you’re most vulnerable, for obvious reasons: particularly during long weekends and bank holidays. So, have a robust plan for how to record a risk, even out of usual hours. Once reported, a risk can at least be managed or monitored from there.

Escalation

It is a real struggle to get this message across to boards. If you’re responsible for security (not just IT but business issues, with IT holding a major stake), have a really robust, easy-to-use process so anyone can escalate an issue no matter how trivial it is. No, this does not include having to read a 500-page document just to submit a threat.

Stay in touch

A security manager would much rather be called with a minor issue to solve at 3am than not be told at all and find out a few days later that there is a huge security breach to deal with and very few options left. Have a robust reporting system, ideally by phone rather than email, so that someone knows it is being dealt with.

Know all the links in your chain

Supply chains are often the biggest cause of problems. You need to ensure the correct contacts are in place for when issues arise. Who are your contacts? When are they available? Know this in advance, because you need an immediate handle on things when it hits the fan.

Even in large firms, the demand on digital tech security is not there in the same capacity as it is for physical tech security on a daily basis.


The more the merrier?

Companies tend to worry about the role of security if they have thousands (or tens of thousands) of staff. But in reality, the actual number of calls that come through to security as risks is very low, and 98% of those calls are well worth looking at.

The advantages of cloud vs. on premises

Data centres are highly complex, and the building itself must be highly resilient. If you are reliant on one data centre or server room, sooner or later it will go down. Generally, the cloud takes that risk away.

If done right, moving to the cloud shouldn’t be a barrier. But remember, whichever you choose, security isn’t a one-and-done deal. It’s a moving target: it needs to be managed, and the risks monitored, all the time.

What are the risks with the cloud?

Are there additional risks in moving to the cloud? And if so, what can we do to mitigate them? The usual objection to moving to the cloud is security. But there is an argument that the cloud provider knows more about security than most businesses do; it’s their bread and butter.

Companies should be working on the basis that, at some stage, they may be hit, and should know what to do if that happens. There needs to be upfront planning and procedures put in place.


The Regulators are watching

Regulators want us to take due care and attention of our clients’ data. That’s why breaches cost the company. One of the first questions posed by the UK ICO is: have your staff been trained? Most breach enforcement notices happen due to lack of training or management, as opposed to the breach itself. This training needs to be demonstrable on an ongoing basis.

A security aware culture starts at the top.

The security-aware culture starts at the top. That should be followed by various layers beneath: technology, endpoint protection, patching. The layer around staff is based on awareness and knowledge to mitigate situations, as well as supplier due diligence.

There needs to be upfront planning and procedures put in place. There are philosophical decisions to be made before a security breach happens. You could well experience something that propagates, and your customers could also come under attack. Do you focus resources on protecting customers first, or the business?

To best manage cyber-security risks, assume the worst-case scenario in order to avoid any unnecessary surprises, and prepare and plan for it.

Business Continuity has been put to the test

Covid has made us test all major categories of business continuity. A few years ago, we’d test things like ‘building unavailable’. Businesses have been put into the real-life working situation of no building available, no public transport, fewer staff numbers, and sick and absent staff. We have been hit with all the major categories of business continuity at the same time.

Businesses have done a phenomenal job to keep going and to keep people working from home.

A shortage of senior cyber-security professionals

However, with a global shortage of senior cyber-security professionals, coupled with the prohibitively expensive costs of retaining a full-time, dedicated expert, many businesses may struggle to access the appropriate level of support required.


QuoStar designed the CISO Service to address this problem

Businesses get access to a dedicated Chief Information Security Officer who will provide senior security leadership and take responsibility for identifying, controlling and managing risk, making sure the business’s security posture is strengthened.

Book your free consultation now. Find out more quostar.com/ciso-as-a-service



This write-up covers aspects of cyber-security, threats, actions to be taken, the risks of moving into the cloud, responsibilities, managing vendors and how to build a security aware culture.

If you’d like to attend one of our live webinars you can see the upcoming events in our calendar.