5 ways CISOs can secure BYOD and remote work without increasing security budgets

Check out all the on-demand sessions from the Intelligent Security Summit here.

In today’s cloud-driven architecture, though, connecting through virtual desktops has become cumbersome and expensive. Using a VD to access SaaS applications and websites and to process files locally is inefficient, subject to poor performance and latency, and creates significant IT overhead. These all contribute to poor employee experience that reduces productivity.

Additionally, VDs cost approximately twice as much as leaner, cloud-driven browser security solutions, which are also better equipped to deal with web-borne threats. By replacing VDs with modern solutions, security teams can cut costs, drive productivity, and enhance security — all in one.

2. Implement a zero-trust approach

Cloud architectures prompted security teams to find new methods for permissions provisioning. With users dispersed globally, the traditional castle-and-moat approach could no longer suffice. Alternatively, identity became the new perimeter, requiring security teams to manage their access in a new and modern manner.

The leading identity-based security approach for distributed architecture is that of zero trust, which consists of ongoing user authentication and authorization, rather than trusting them based on their originating network or IP. According to the recent IBM Cost of a Data Breach Report 2022, zero trust deployment saved organizations an average of $1 million in breach costs.

Any given security solution should offer a zero-trust approach as part of its solution to help curtail the attack window for gaining access or moving laterally and to cut the costs of data breaches. Procuring any other solution would be a waste of valuable budget dollars.

3. Manage access through granular conditions

Access management and user verification is derived from a clear set of policies. These policies will determine which identities can access which resources, and which actions they can perform. But keeping policies at a high level will give users too many privileges and could result in a costly data breach.

Authorization policies should be as granular as possible to ensure no excessive access privileges are given to users. These policies should be consistent across all SaaS apps and local applications and enforced on both managed and unmanaged devices (see above).

In addition to policies based on user roles or attributes, policies can be based on browsing events. Advanced analysis of website sessions can enable blocking access to specific malicious web pages to neutralize them without hurting user experience that will result from blocking access altogether.

By providing broad security coverage at a granular level without damaging users’ ability to work, security teams can achieve security and productivity, ensuring a high ROI for their security solution.

4. Train employees to raise security awareness

According to Verizon’s 2022 DBIR report, “82% of breaches involved the human element. Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike.” Remote work has only enhanced the use of phishing attacks and their sophistication, with 62% of security professionals stating that phishing campaigns were the most increased threat during COVID-19, per Microsoft’s The New Future of Work report.

No given security solution will be complete without training users and raising awareness on the abundance and severity of cyber attacks. Employees must be trained on the importance of being alert to web-borne threats and risks, like phishing emails or websites, malware injections and accidental private data mis-delivery. Conduct phishing drills, show demos, and continuously remind employees that organizational security is literally in their hands.

Getting employees excited about security and turning them into champions is the way to stretch the value of training dollars and reduce spending on unnecessary security controls.

5. Deploy modern alternatives to costly network solutions

Network security solutions like VPNs, CASBs, SWGs and endpoint detection and response (EDR) are costly and require IT management and maintenance, which also come at a business cost. They are hard to deploy, disturb the user experience and do not provide an immediate solution for the business’s need to scale.

On top of these operational shortcomings, network solutions do not provide comprehensive security from web-borne threats. For example, CASBs cannot secure unsanctioned applications, SWGs cannot fully secure malicious websites, EDRs might miss malware downloads, and VPNs tunnel users into networks rather than employing zero trust.

Modern alternatives that provide conditional access to resources have the potential to provide a higher level of security without the operational cost and overhead of managing the network traffic.

What’s in store for security teams in 2023?

Whether or not a recession is around the corner, teams will be expected to work extra hard to prove their worth without incurring extra costs on the business. Security teams, which have traditionally found it difficult to justify the need for budgets as it is, will have to evangelize their plans and explain how they’ve done everything in their power to cut costs. Lean and effective security controls are key for treading through 2023 and making it out on the other end.

Or Eshed is CEO and cofounder of LayerX