Matthias Reinwarth and Martin Kuppinger are discussing the security challenges enterprises are now facing with the majority of employees working from home.
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Matthias Reinwarth and Martin Kuppinger are discussing the security challenges enterprises are now facing with the majority of employees working from home.
Matthias Reinwarth and Martin Kuppinger are discussing the security challenges enterprises are now facing with the majority of employees working from home.
Welcome to the cooking Nicole Analyst Chat podcast. I will be your host today. My name is Matthias. I'm not. I'm an Analyst and advisor at cooking are called Analyst. In this podcast. We will focus on specific hopefully interesting topics that we as analysts encounter in our daily work. The work we do is mainly focused on the topic areas of cybersecurity, identity and access management.
AI is much more, we do in-depth research, but also advisory work with vendors and end users as clients alike in each edition, I will have one guest joining me, often a fellow Analyst or another interesting partner, and we will have a 15 minutes or so chat around current topics. That's it for the introduction. My guest today is Martin Kuppinger. He is principal advisor at KuppingerCole and today we will talk about a very, very current topic. It's cybersecurity for enterprises in the age of working from home. So Martin welcome, Welcome Matthias. Pleasure to talk with you.
Again, We are currently in a situation that many organizations are thrown into the situation that they have to work from home there, wherever it is possible, their employees are sitting at their desk and they're working from home with their own PC, with a corporate PC, and cybersecurity is at least an an afterthought. What do you think organizations should now that we are a few days in this development, what they should really do at first, when it comes to securing their working environment?
Yeah, basically it is specifically in these days, it's always about balancing, keeping the business working and mitigating security risks. So this is about finding the right balance here and there are some things with this changing work environment businesses must do without hindering their people work. So I have five points on my list. The first one is multifactor authentication. The second is endpoint protection, the service patch management. Then there very clearly is security draining and data protection.
So these are the five areas I believe to focus on instead of going for complex topics. Like I built my security operations center to the next level. So really put focus on things that help mitigating the risks, which are implied with a changing work style. You've mentioned multifactor authentication.
First, if I think of the persons I know who are not the tech people, many of them have not even yet activated their multifactor authentication for the, for the personal accounts they use on a daily basis. So they're, I don't know Facebook or whatever they use. How would multifactor authentication look like in a, in a working environment from home, which would be the factors where, where, where can we start? It basically starts with usually using the smartphone as second factor by receiving pins.
And it's usually a combination then of, so you often indicate you get a pin and then a device fingerprint as it is called, is taken from the device you're using. And then for a while, you don't need a second factor. Technically seen relatively easy. And the number of platforms, specifically platforms, which are in heavy use these days, such as Microsoft teams or Google cloud platform, they support these technologies out of the box. Multifactor really helps mitigating risks because trusting a password is not sufficient anymore. It requires more than the password.
So it makes life of attackers far, far more complex. However, what is really essential is before you activate such a feature in one of these platforms, which is easy to do for an admin, prepare your workforce first, explain what will happen, explain what they need to do and ensure that you have tested it with a number of systems, because it will be not the standard work environment. It'll be work from home environment, which might look somewhat different from user to user specifically than they bring their own devices. Right?
So the good thing is that you don't have to roll out any hardware devices being used as, as, as a second factor, as you had to do say 15 years ago, but people have to understand that their phone that they actually already trust could be, or will be their second factor. And they need to understand how to use it. They need guidance on that, which is, as I've said, not really super complex, but inform first, explain first, then activate. And that is one of the things, but I think, you know, users are really capable of doing a lot of things.
That is what I feel for instance, about a second aspect, endpoint protection, every user easily can track the status of a system. I know it well for, for windows. You might know it better for apple, but for windows, I just look for windows or windows security depending on the language. And I will find the standard box, which shows me the status. If everything is green, I'm done, if not let them call the help desk. Right? Exactly.
So there, there, there is typically software either built in, or at least to check the, the, the patching status of the, of the machine. And there is lots of software available that can also do a, a scan on the machine in windows. It is built in that's correct. So really understanding what the actual current status of the platform that you're using is, is not that difficult.
And it is, as you've mentioned, it's mandatory because at that moment that when you're working from home and you're using that device in communication with corporate systems, this system becomes a part of the corporate infrastructure, at least temporarily. And that needs to be protected. Otherwise you end up with all the bad mechanisms like malware, like ransomware are one step closer to your corporate data. Yeah.
And I think for both aspects, one, one thing is super important to these days, don't end up in esoteric discussions in your it security department about, oh, maybe that smartphone is not secure enough or we would, could have something better or shouldn't we go for that or that, or that, or is windows defender good enough as an ware before you fail in deploying another anti malware solution, better use what is built in, rely on what you have, make best use out of that, Especially with the, with the current sense of urgency, because people just have to get going Yes.
And you can't walk to their desk easily, like you could do at the office. So you must manage everything remotely.
And so, so there, there's not the fallback of saying, okay, you've got a problem. I come to your office.
No, it doesn't work. Exactly.
And again, that, that you've mentioned that as the fourth point, but actually I think that is very important. We've had it with a multifactor authentication, the explain aspect, and we have it with the endpoint protection.
Again, the explain aspect, I think, security training, taking your users by their hand and just guiding them to protecting their environment and to using it adequately. I think that is the, the main thing to achieve.
Yeah, for sure. Everyone does it regularly. So every business does it for years and regularly and in a very efficient manner.
No, unfortunately not that's the problem. Right? So still a lot of businesses lack doing a good security training. So I just published a video, I think in both German and English with of five minutes, essential security Ann for the work from home users. And it's really what you should do. Keep it very simple illustrated, do it positive, maybe shorts for simple explanations, do it occasionally, not too frequent, but really do it in a way where people understand from their daily work. What to look at.
The good thing is everyone is a computer use in his private and the smartphone use in his private life as well. They have the same challenges with fishing and other stuff. So link it to their personal experience and keep it very lean. There are a few links where you just need to, to create awareness, look at strange email addresses, don't click links without syncing. Don't open attachments without syncing and syncing and syncing and asking and better ask before you do something. But at the end, the most important rule anyway, is use your good human sense as a computer user. Right? Exactly.
And, and if these explanations of this training is really created in a, a step up way of thinking.
So to really start with the initial things that are required to get going, as you've mentioned, using multifactor authentication, and based on that really explaining what are the dos and don'ts once things are going, then that would be a good approach to, as is that lean not too often, but the things that have to be communicated first, do it first, even as a third item, when, if I remember correctly patch management, how, how to convey the message to the end user that they have to do the patch management adequately.
The good thing is with most modern systems, most modern applications, you don't have to do that much. Some do it better or some do it, not as good, but a lot also I would say if it's a company on device trust, activate.
So anyway, even, even side of work from home, it is a good idea to rely on automated pattern because the risks nowadays of automated patterns are lowered than side of security risk. I still know a couple of organizations which say, okay, we first test the patches before we roll them out. That might have been adequate from some five or 10 years ago, where more patches failed and cybersecurity risks for zero day attacks were considerably low, but this has totally changed. And so it anyway, makes sense to push out patches automatically. There might go something wrong by the risk is lure.
So the business should care for patching all their stuff. The virtual private networks, if used the applications, the servers, and for the endpoint, it depends on if it's a personal owned, bring your own device. Then obviously the user must look at it goes back to number two, check professor endpoint protections enable check. We windows security settings are all green, which also would include patch management and then do it.
Yes, you get your patches regularly. You might have to reboot your system every now and then. So for Microsoft more or less once a week, because then they bring their new set of patches, but that's it. And that is something which then runs in the background and where rarely something should go wrong. Yeah. And this is something that really just happened this morning to me because I, I went to my laptop, which runs 24 hours. And I could not unlock it with my finger. I had to relock in because then afterwards it told me that it applied a crucial security update overnight.
And that is exactly the, the way that things should happen. Not that they have to run 24 hours, but that they do patch automatically. Okay. You've mentioned a fifth point and I think that is data protection.
And I, I think that is a, that's a huge topic actually, when it comes to protecting sensitive data, especially on a, on a potentially insecurity device, like a personally owned PC. Yeah.
And, and the context of security drain, I already said, be careful with attachments. And it's not a good idea with work from home and with bring your own device to send around attachments. There are better ways to do it. So a couple of players, including Microsoft is team offer a free use for a certain period of platforms. If you not already have it go for such platforms where you can relatively secure, collaborate and share information, because you could have multifactor authentication, you could can have some level of access control, collaboration rooms to whatever.
And then you work on that platform. And yes, there are always can be some questions, but again, focus and balance risks. So what is the bigger risk is the bigger risk using a established cloud platform, which is used by many organizations where I know organizations in the critical industry, even using these platforms, or is the bigger risk saying, oh, that might be insecure. And I continue sending file attachments around. I think the answer is so apparent don't and files use collaboration platforms.
And there are some high secure platforms available as well, which you get as a cloud service, which are used for instance, more finance industry space. And, and for, for secure data rooms, if you say it's really so super sensitive, check out these Exactly.
And, and I know there are dangerous or threats that come with the browser itself, but once you are using a platform like this, you have an abstraction layer between your own machine and the actual document that you're working with. And that is the browser. So there is a, a, a real disconnect between the actual document and its potential dangers and your actual machine. I think that is a good way to go. And many should look at that. And that is one of the things. So there are things businesses should do for cybersecurity, but don't go over the top. Don't do the big things.
Now focus, you can, and parallel start planning of how do you do it better for the next crisis? How do you prepare for the future? But that should be for the bigger steps that should be planning and concepts and architectures where we truly help you. We can advise you, but don't try to implement complex things which might disrupt the work of the users. Now you can't afford that happening. Exactly. So thank you very much, Martin. Just to sum it up.
We mentioned today, the first steps for cybersecurity, for enterprises in the age of working from home and we've proposed four individual steps to look at, it starts with multifactor authentication. Look at endpoint protection. Think of your patch management, think of your security training for your end users and implement strong data protection, but in a reasonable way, in a risk based approach. So that's the summary for today. I'm looking forward to having you in another episode of this podcast. Thank you very Martin. And thank you for your time listening.
Thank you to all people listening to this podcast and you, Matt.