In the early days of the pandemic, many businesses were forced to adopt remote work to respond to customer needs and keep operations going. Though businesses have reopened and vaccinations are well underway in several countries, clearly remote work is here to stay.
A survey by IDC revealed that 50 percent of organisations in ASEAN are looking to add remote work to their human resources policy. With the pandemic proving to be a catalyst for remote work, organisations in the region are focused on addressing the challenges of a distributed workforce, and technology will play a key role in implementing new ways of working.
As employees access company data in less secure environments, it is critical for IT teams to protect the company against cyberattacks while ensuring business continuity. IT teams face the dual task of ensuring productivity and efficiency while keeping threat actors at bay. With thousands of employees scattered across different locations, how can IT teams keep the organisation’s network safe?
By leveraging machine learning (ML) techniques, IT teams can monitor employee activities across various locations. Organisations can build a baseline of normal behaviour for each employee and flag any deviation from it as a network anomaly that could indicate a critical security threat. Accurate threat detection saves IT teams time and effort, as they can focus on responding to genuine threats quickly rather than being overwhelmed by false positives.
To protect the organisation’s network from cyberattacks like insider threats, account compromise, and data exfiltration, IT teams can start by monitoring user behaviour for suspicious activities. Here are some user behavioural changes to look out for in a decentralised workspace:
1. Unusual access times
The combination of employees working both from home and from the office can result in user access times that differ from the usual operating hours. Monitoring these changes enables IT teams to identify a new standard pattern of login hours for each employee regardless of their work location. This helps detect anomalies that go against the identified normal behaviour. For example, if a user’s new normal login time is 10am to 6pm and one day they log in at midnight, this should be counted as a time anomaly. IT teams can then immediately investigate this potential insider threat and respond to it.
2. Numerous login failures
With the increase in distributed workspaces, staying aware of the identity of the users logging in to the company’s network becomes increasingly difficult. Threat actors that carry out attacks like account compromise, data exfiltration, and advanced persistent threats often use techniques to gain access to a system from remote locations and remain in the network for a prolonged period of time, which can cause immense damage to the organisation’s network.
Monitoring login failures helps provide insights into who is trying to access the network and why there are numerous failures on a particular host within a specific period. This helps security teams detect the source of this suspicious activity and mitigate potential security threats.
3. Unusual file downloads
As both remote and on-site employees access the organisation’s resources, the network is opened up to intrusions. Cybercriminals can use the pandemic-driven shift to a distributed workforce as an opportunity to exfiltrate sensitive data. If an organisation has ML technology in place, a user with an unusual number of file downloads will be flagged with a count anomaly. Whether the perpetrator is a malicious insider or an external threat, the security admin is immediately alerted so that sensitive data can be stopped from being exfiltrated.
4. Excessive authentication failures
The expansion of the remote workforce has made remote access easier to exploit and abuse of it harder to detect. Monitoring authentication failures can highlight questionable user accounts for immediate investigation. Even before a security event occurs, security admins can be alerted so they can protect the network from intrusion attempts and other forms of external threats.
5. Abnormal permission changes
For an intruder to exploit an organisation’s network and access its resources, they need elevated user access privileges. Cybercriminals may manipulate accounts to maintain access to victims’ systems by modifying credentials or permission groups. Advanced user privileges essentially give threat actors a key to exfiltrate sensitive data. By monitoring unusual permission changes that can indicate excessively broad permissions being granted to compromised accounts, IT teams can identify these security threats and stop a potential cyberattack.
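The five indicators above all rest on the same idea: learn what is normal for each user from a baseline period, then score later activity against it. The following Python script is an added example written for this article, not ManageEngine code and not a description of any product's algorithm. It runs over a small constructed log (the events, usernames, hostnames, group names and thresholds are all invented for illustration) and implements one check per tip: a per-user login-hour window for unusual access times, a sliding-window count of failed logins per host for login and authentication failures, a per-user daily download baseline with a mean-plus-three-standard-deviations limit for unusual file downloads, and a review list for additions to privileged groups.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log (not from any real system): "<date> <time> <user> <host> <event> <detail>".
LOG = """\
2021-06-01 09:05 alice vpn-gw1 login_ok -
2021-06-01 18:02 alice vpn-gw1 login_ok -
2021-06-02 10:12 alice vpn-gw1 login_ok -
2021-06-03 09:48 alice vpn-gw1 login_ok -
2021-06-04 09:30 alice vpn-gw1 login_ok -
2021-06-05 00:07 alice vpn-gw1 login_ok -
2021-06-01 08:30 bob fs-01 download 12
2021-06-02 08:35 bob fs-01 download 15
2021-06-03 08:40 bob fs-01 download 11
2021-06-04 08:33 bob fs-01 download 14
2021-06-05 02:10 bob fs-01 download 900
2021-06-03 09:15 dave fs-01 login_fail -
2021-06-04 21:00 carol web-01 login_fail -
2021-06-04 21:01 carol web-01 login_fail -
2021-06-04 21:02 erin web-01 login_fail -
2021-06-04 21:03 frank web-01 login_fail -
2021-06-04 21:04 carol web-01 login_fail -
2021-06-04 21:05 carol web-01 login_fail -
2021-06-02 16:00 carol dc-01 group_add staff
2021-06-04 11:30 bob dc-01 group_add domain-admins
"""
BASELINE_UNTIL = datetime(2021, 6, 4)  # events before this build the baseline; later ones are scored
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators"}  # hypothetical group names
FMT = "%Y-%m-%d %H:%M"


def parse(log):
    """Turn log lines into (timestamp, user, host, event, detail) tuples."""
    rows = []
    for line in log.strip().splitlines():
        date, time, user, host, event, detail = line.split()
        rows.append((datetime.strptime(f"{date} {time}", FMT), user, host, event, detail))
    return rows

def login_hour_baseline(events, cutoff=BASELINE_UNTIL):
    """Per-user (earliest, latest) login hour seen during the baseline period."""
    hours = defaultdict(list)
    for ts, user, _, event, _ in events:
        if event == "login_ok" and ts < cutoff:
            hours[user].append(ts.hour)
    return {u: (min(h), max(h)) for u, h in hours.items()}

def time_anomalies(events, cutoff=BASELINE_UNTIL, slack=1):
    """Tip 1: logins after the cutoff that fall outside the user's learned window (+/- slack hours)."""
    base = login_hour_baseline(events, cutoff)
    return [(user, ts.strftime(FMT)) for ts, user, _, event, _ in events
            if event == "login_ok" and ts >= cutoff and user in base
            and not (base[user][0] - slack <= ts.hour <= base[user][1] + slack)]

def failure_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Tips 2 and 4: hosts with >= threshold failed logins inside any `window`, whoever the users were."""
    fails = defaultdict(list)
    for ts, _, host, event, _ in events:
        if event == "login_fail":
            fails[host].append(ts)
    bursts = []
    for host, times in fails.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window anchored at each failure
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                bursts.append((host, start.strftime(FMT), count))
                break  # one alert per host is enough for triage
    return bursts

def download_anomalies(events, cutoff=BASELINE_UNTIL, z=3.0, floor=50):
    """Tip 3: per-user daily download totals above the baseline mean + z*stdev (and above a floor)."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, _, event, detail in events:
        if event == "download":
            daily[user][ts.date()] += int(detail)
    out = []
    for user, days in daily.items():
        base = [n for d, n in days.items() if d < cutoff.date()]
        if len(base) < 2:  # too little history to set a baseline
            continue
        limit = max(mean(base) + z * pstdev(base), floor)  # floor stops a near-zero stdev firing on noise
        out += [(user, d.isoformat(), n) for d, n in sorted(days.items()) if d >= cutoff.date() and n > limit]
    return out

def permission_anomalies(events, privileged=PRIVILEGED_GROUPS):
    """Tip 5: membership additions to privileged groups; each one is reviewed, whoever made it."""
    return [(ts.strftime(FMT), user, host, detail) for ts, user, host, event, detail in events
            if event == "group_add" and detail in privileged]

def run_all(log=LOG):
    """Run every check over one log and return the findings keyed by indicator."""
    events = parse(log)
    return {"time": time_anomalies(events), "failures": failure_bursts(events),
            "downloads": download_anomalies(events), "permissions": permission_anomalies(events)}

if __name__ == "__main__":
    for kind, hits in run_all().items():
        print(kind, hits)
```

On the constructed log the script reports exactly one finding per check: alice's midnight login on 5 June (her baseline window is 09:00 to 18:00), six failed logins against web-01 inside ten minutes from several different usernames, bob's 900 downloads on 5 June against a baseline of roughly a dozen a day, and bob's addition to domain-admins. The single stray failure on fs-01, the in-hours login and the addition to a non-privileged group produce nothing, which is the false-positive discipline the article calls for; in practice the baseline period, the slack and the thresholds are tuned per environment rather than fixed as here.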
Keeping an eye on a decentralised workspace can be challenging. However, with the help of ML techniques, security teams can devise a standard baseline behaviour to identify user access anomalies. ML technology combined with an incident management system can help increase the productivity of IT teams by enabling them to prioritise security threats based on severity, perform proactive risk assessments at regular intervals, and detect and respond to persistent attacks. By setting a benchmark, IT teams can immediately address potential issues and secure the company’s network from cyberattacks.
As remote work continues, there is more leeway for malicious insiders and intruders to slip under the radar. IT security teams need to tighten their cybersecurity policies and ensure that all potential attack vectors are covered.
This was contributed by Esther Christopher, Product Consultant, ManageEngine
About the author
Esther Christopher is a product consultant at ManageEngine, the IT management division of Zoho Corporation. As part of her responsibilities, Esther studies the tactics adopted by cyber miscreants and recommends guidelines for IT teams to counteract them. She is interested in writing on contemporary topics related to cybersecurity.