Secure Workspaces whitepaper

21
The role of cybersecurity in accelerating your digital business A Frost and Sullivan white paper Commissioned by Dimension Data and Cisco Securing workspaces for tomorrow

Transcript of Secure Workspaces whitepaper

Page 1: Secure Workspaces whitepaper

The role of cybersecurity in accelerating your digital business A Frost and Sullivan white paper Commissioned by Dimension Data and Cisco

Securing workspaces for tomorrow

Page 2: Secure Workspaces whitepaper

The need to transform to the workspaces for tomorrow

Table of contents

Cybersecurity – your future workspace enabler and accelerator

Key elements for office transformation The last word

Examining risks in the workspaces for tomorrow

040711

1719

Securing workspaces for tomorrow | Table of contents

02

Page 3: Secure Workspaces whitepaper

03

As enterprises increasingly aspire to create future workspaces and harness the benefits of a mobile workforce that leverage cloud platforms, there’s a greater need than ever to implement appropriate measures to secure data, infrastructures, applications, and users wherever they may reside.

Page 4: Secure Workspaces whitepaper

Securing workspaces for tomorrow | The need to transform to the workspaces for tomorrow

The need to transform to the workspaces

for tomorrow

Technology, globalisation, and social media are key factors shaping the future of work. ‘Disruption’ is the new buzzword in the market as we increasingly see new business models, new products, new services, and new delivery models evolve and change the face of industry forever.

As a result, enterprises are under greater pressure than ever to foster innovation to gain a competitive advantage in the face of a dynamic and turbulent marketplace. They need to break the silos and provide mechanisms to bring together teams, once separated by structure, hierarchy, and geography, to spur innovation and boost productivity. Technology is at the core of the workspaces for tomorrow as enterprises strive to transform into digital businesses by seamlessly converging mobility, collaboration, business, and strategy to drive growth.

Mobility is an important trend in the workspaces for tomorrow. Employees today demand a more mobile workplace, with the flexibility to work from anywhere, any time and on any device to become more productive while achieving work-life balance. There is a sharp increase in telecommuting, with staff working from home or virtual offices, and freelance employment. In fact, technology is enabling employees to adopt a more proactive role in managing their careers. A recent ADP Research Institute study shows that ‘82% of respondents globally will define their own work schedules.’1 Already, close to 80% of knowledge workers globally work remotely at least one day per week. By 2020, up to 1.55 billion workers will be responsible for work that does not confine them to a desk.2 Enterprises that are not adapting to the changing expectations and failing to offer a flexible, autonomous and creative work environment risk difficulties in attracting and retaining next-generation talent. Many organisations are also viewing workplace mobility as an opportunity to reduce overhead costs while improving employee engagement and motivation.

With a forecast of over 80 billion connected devices in use globally by 20252, we are on the brink of a connected user revolution that is set to transform the way we live, work, and interact. The proliferation of online and social media is leading to the emergence of well-informed and knowledgeable customers who increasingly demand a personalised experience every time they interact with the brand. Social media is giving users the platform to voice their opinions about any experience throughout the customer lifecycle, raising customer expectations. In fact, 20% of customers surveyed expect brands to respond within an hour through social media.2

The definitions and expectations of work are undergoing tremendous change, as the growing mobile and social networking usage is changing the how, when, and where people consume, contribute and share information.- Frost & Sullivan

041Forbes.com, ‘For Employees, Workplace Technology Stirs Up Both Angst And Exuberance’, June 29, 2016, 2Frost & Sullivan Survey and Analysis

Page 5: Secure Workspaces whitepaper

The rapidly evolving trends continue to redefine the business priorities of modern organisations while meeting employee expectations and customers’ changing behaviour and demands. Amid this dynamic market scenario, enterprises are focusing on revamping the underlying denominator influencing all these elements – the ‘workspace’ – to enable business transformation. Technology giants like Google, Samsung, and LinkedIn are leading the way, by setting examples of evolving workspaces for tomorrow. The user is the primary disruptive force in future workspaces with designs revolving around increasing spatial productivity, enhancing worker well-being, fostering better communication, and enabling easier collaboration both internally and externally across different roles, teams, offices, time zones, and locations. Escalating office space costs are also stimulating greater use of on-demand models and online marketplaces, while co-working spaces continue providing collaboration opportunities.

Source: Frost & Sullivan research and analysis

Now that technology allows us to work anywhere, on any device, work is something people do – not just a place to which they go. This shift demands that businesses manage and operate so that they can attract the right people, retain them, and ensure they can do their best work. New ways to improve business productivity, flexibility, and agility are no longer just nice to have: they are essential for the modern workplace.- Harvard Business Review

Modern organisationsagile

innovativeproductive

cost savings

Needs of customersdemanding

socially consciousknowledgeable

Preference of workerswork-life balance

autonomyflexibility

Nature of work

Securing workspaces for tomorrow | The need to transform to the workspaces for tomorrow

0305

Page 6: Secure Workspaces whitepaper

Securing workspaces for tomorrow | The need to transform to the workspaces for tomorrow

06

Source: BBC News, ‘Flexible working rights extended to all’, June 30, 2014 | Government of Canada, ‘Flexible Work Arrangements: A Discussion Paper’ May 2016 | ABC.net.au, ‘NSW public service promises flexible work hours by 2019’ Mar 8, 2016 | The Fiscal Times, ‘How Obamacare Is Fueling the Gig Economy’ May 3, 2016 | Business Wire, ‘Flexibility a Must for Employers Wanting to Attract, Retain Valued Workers’ July 14, 2016 | Harvard Business Review, ‘Workspaces That Move People’ Oct 2014 | Forbes, ‘Japan Turns To Telework To

Expand A Diminished Workforce’ July 21, 2016 | European Trade Union Institute, ‘Belgium: the government proposes greater flexibility in working time’ Apr 13, 2016

USNearly three-quarters of companies

said that they would contract with more freelancers this year because

of Obamacare.Regus survey - 56% of American workers would turn down a job where flexibility

was not offered

SingaporeMore that 6 out of 10

employees in Singapore feel their home or home office would be the ideal

place to work.

Middle EastIn a RICS survey of over

500 Middle East employees, 75% said they needed more flexibility in their

working environment to be more productive.

UKEvery employee now has

the right to request flexible working hours after the

government extended the right previously reserved for carers and those

looking after children.

BelgiumGovernment is drafting reform of statutory working time to support flexible working.

CanadaAccording to a 2012 Rogers

Communications and Harris/ Decima survey:

- 44% of full-time employed Canadians are able to

work remotely- 70% of full-time millennial workers

would be more satisfied in their jobs if they could work remotely using cloud.

AustraliaNSW public service promises flexible work hours by 2019.

JapanPrime Minister Shinzo Abe has

been encouraging companies to support telecommute to overcome

shrinking workforce challenge.

Worldwide emerging trends for new workplaces

According to Frost & Sullivan, future workspaces will enable employees to work effectively and efficiently from anywhere, have access to any application or data anytime, using any device or network. The highly connected and converged workspaces will not only drive innovation and productivity, but help reduce operational expenses for organisations as well. For example, connected technologies of future workspaces could be equipped with the capabilities to analyse a worker’s daily plan and assign an appropriate working area in a dedicated office space, optimising office space utilisation. This concept is potentially exportable to alternative office spaces, so that instead of leasing one central office in the long term, firms could lease desks in a variety of work centres, circulating employees according to daily or weekly tasks while improving spatial flexibility and scalability. The list of possibilities and benefits are enormous, with organisations just starting to realise the full potential of workspace transformation.

Page 7: Secure Workspaces whitepaper

0307

Securing workspaces for tomorrow | The key elements for workspace transformation

The key elements for workspace transformation

Enterprises focusing on developing the workspaces for tomorrow need to adopt a multi-dimensional strategy across various components including end users from different generations; multiple devices; new enterprise communications and collaboration applications; Internet of things (IoT) enabled environment; diverse locations and networks. These developments could blur the line between the personal or professional identity for users, further challenging the tasks of CIOs in keeping the enterprise secure.

EnvironmentAdvanced sensors, wireless,

building energy management systems, smart HVAC

ApplicationsVirtual reality, holographic telepresence, augmented

reality, enterprise applications, social network, email,

collaboration applications

UsersMillenials, Gen X,

Gen Z

Emerging TechnologiesRobotics, artificial

intelligence, IoT

DevicesSmart watch, smartphone, laptop,

desktop, tablet, camera, head mounted display

Nature of work

As companies increase the focus on developing the workspaces

for tomorrow, it would require them to have a multi-dimensional strategy across

various components including the users from different generations,

variety of devices, new enterprise communication and collaboration

Page 8: Secure Workspaces whitepaper

Securing workspaces for tomorrow | The key elements for workspace transformation

08

DevicesThe mobile age is fully upon us, as smartphones increasingly become a necessity than a luxury. The consumerisation of IT coupled with mobile connectivity is changing the devices marketplace, and driving the growth of the Internet of things (IoT). The rise of wearables including smartwatches, wristbands, and smart glasses depict how networked the world is becoming. An average user today utilises 4 devices per day, predicted to increase to five connected devices per user by 2020.3 Rapid developments in the devices space not only impact the lives of users, but also significantly influence the way businesses operate, paving the way for new revenue streams, boosting workplace efficiencies, and improving interactions with customers. A recent study of workers in the US and UK showed that wearables use increases productivity by 8.5%, and job satisfaction by 3.5%.3

IT departments, traditionally responsible for devices purchased by the enterprise (such as desktops, laptops, office mobile and fixed phones), are now incorporating new-age devices in their enterprise ecosystem. While IoT offers immense opportunities for businesses to streamline operations and interact with customers, it is not without its challenges. It is vital for organisations to invest in the right platforms, solutions and services to simplify and support the user experience to achieve business goals. The overall wearables market is forecast to surpass USD 50 billion in revenue and 220 million units shipped by 2020.3 Smart watches and wristbands are projected to continue leading the total wearables market; however, smart glasses are poised for the highest growth rate in enterprise adoption, comprising 49.4% of the enterprise wearables market in 2018.3

UsersThe global workforce is anticipated to reach approximately 3.85 billion people by 2025, with Generation X accounting for over one-fourth of the labour pool and Millennials almost half.4 The Millennials are different from earlier generations as they have grown up with broadband, smartphones, laptops and social media. These users are tech-savvy and early adopters of new technology devices and applications; their affinity to the digital world makes them expect instant access to information from anywhere. They do not prefer rigid corporate structures and a siloed approach. Instead, they demand a corporate culture that is entirely different from anything in the past; one that is flexible and offers work-life integration giving them personal space. As they start to dominate the workforce globally, organisations will need to adapt to their work style, to attract the next-generation talent and retain them. The Bureau of National Affairs estimates that US businesses lose up to USD 11 billion annually due to employee turnover.5 Deloitte’s Millennial Survey 2016 stated that when financial benefits are removed from the equation, work-life balance is the most important criteria for evaluating job opportunity.6

Organisations need to review their entire corporate structure and culture. As data connectivity improves, employees are likely to want the option of choosing their place of work (e.g. remote, part-time, independent, or dispersed). Organisations should be able to embrace this new workspace to save on travel time and costs, offer flexibility to employees, improve team engagements and collaboration, and foster a better working environment.

Environment The emergence of smart cities, smart buildings, and smart homes serve to improve sustainability and address consumer demand for connected products to solve everyday problems. Enterprises are investing in smart buildings to optimise operational cost and risk, improve employee wellbeing, support innovation, and productivity.

As IoT implementations gain ground, with an expected 80 billion connected devices in use by 2025, smart office spaces are poised to become the technological norm.4 Smart technologies are already transforming the way users interact with buildings and each other, like The Edge, Deloitte’s new state-of-the-art office in Netherlands. The building is equipped with a massive network of over 40,000 sensors enabling the garage to recognise vehicles automatically, open gates and guide employees to parking spots; the office app can assign desks to employees based on their daily schedules and seating preferences, also allowing for changing the lighting and heating.

Commercial real estate companies are investing in design and technology upgrades to stay competitive with new builds. With investments meant to last up to 50 years, large corporate campuses could be designed in line with the preferences, needs, and behaviours of tomorrow’s workforce. The upcoming commercial structures could be equipped with smart systems including smart lighting, HVAC, air quality, and security systems to save energy, predict system failures, and allow remote monitoring. While collating and analysing the data generated from these systems remain a challenge, organisations could increasingly leverage these insights for efficient office space and energy management. Cisco has deployed its smart workplace solutions globally, leading to higher operational efficiency and space utilisation saving over USD 60 million in capex.7 As of April 2014, 192 projects have also applied for the ‘Living Building Challenge’ certifications that provide the most advanced measure of sustainability in the built environment. Of the projects applying for this holistic standard, 57% are mixed-use structures and 8% are commercial buildings, covering a total of 3.45 million square feet of space.4

Advances in automation also continue to change various aspects of the modern workspaces, homes, city infrastructure and smart buildings, expanding the role of the CIOs to include facilities management and integration. Gaining relevant insights from the sheer volume of data generated from these smart workspaces are key priorities for IT departments in enhancing employee experience while controlling costs and boosting productivity.

The mobile age is fully upon us, as smartphones increasingly become more of a necessity than a luxury. 3Frost & Sullivan Survey and Analysis, 4Frost & Sullivan Survey and Analysis, 5Forbes.com, ‘Why Are So Many Employees Disengaged?’ Jan 18, 2013, 6The Deloitte Millennial Survey 2016, 7Cisco Case Study

Page 9: Secure Workspaces whitepaper

0309

Securing workspaces for tomorrow | The key elements for workspace transformation

Applications

As teams become more global and dispersed in nature, efficient collaboration is set to become a business priority in improving productivity. Enhanced telepresence and video conferencing solutions continue to drive virtual co-location trends, enabling better teaming. Many leading enterprises and government bodies including Volvo, NASA, and Case Western Reserve University already deploy some of these futuristic technologies. Enterprises globally are increasingly investing in communication and collaboration applications (e.g. unified messaging, real-time conferencing, data sharing) placing pressure on IT teams to offer user experience on par with consumer-grade applications for driving adoption. Employees utilising their personal apps to collaborate with team members could also present further challenges for IT teams to manage and secure enterprise data and systems.

According to a Frost & Sullivan survey in the US, employees are most likely to use social media (60%), consumer telephony (49%), and conferencing (47%) for business purposes on their personal devices.8 A report from Nimble Storage and Oxford Economics also found that 77% of Millennials felt ‘sub-optimal application performance’ affected their productivity and ‘personal best’. Around 50% of Millennials said they ceased using an application because it was slow, while 78% ‘occasionally or consistently experienced delays’ with business software.9 Globally, 697.4 million users are expected to collaborate via enterprise social networking by 2020.8 In North America alone, 72% of enterprises currently use internal social networking software.8 IT teams would need to support these collaboration and communication applications for efficient and effective teaming.

Emerging technologiesThe evolution and expansion of IoT into almost every domain continue to produce more data streams. This necessitates high-speed data processing, analytics and shorter response times to leverage the data. Enterprises striving to achieve these goals in the current cloud-based model could face some challenges. However, the rise of fog computing architecture that extends the cloud to the network edge is enabling better decision-making and actionable insights to happen at the edge device itself. Enterprises increasing their focus on big data would be able to transform both structured and unstructured data into actionable forecasts, using predictive analytics.

Improvements in artificial intelligence (AI) capabilities, robotics, machine learning, natural language processing and cognitive computing are driving the next level of productivity improvements by creating powerful tools for work applications. These technologies offer enormous potential to use data science to improve business processes starting from onboarding new team members, organising workflow to communicating about work performance. Other advances include blockchain that promises to revolutionise the finance sector and other aspects of the digital economy and virtual reality that is changing the way construction, marketing, training, education, and recruitment sectors operate. Solutions providers are anticipated to cluster around emerging anchor platforms, while adopters increasingly demand interoperability with existing solutions and updates. By 2025, the number of industrial robots in operation worldwide could top 5 million units.8 That stated, the current low robot density rates in many countries signal new opportunities for growth.

Improvements in artificial intelligence capabilities, robotics, machine learning, natural language processing and cognitive computing are driving the next level of productivity improvements by creating powerful tools for work applications.

8Frost & Sullivan Analysis, 9CIO.com ‘Millennials are shaking up workplace communication’ Jun 13, 2016

Page 10: Secure Workspaces whitepaper

Securing workspaces for tomorrow | The key elements for workspace transformation

Examining the current and future workspaces – changes to endpoints and the potential cyber threats they bring

Mobile device attacksMobile devices increasingly have access to control a lot more devices other than just corporate data. Malicious apps could infiltrate these devices to gain access to data and manipulate the systems.

Working without securityMobile workers, contract employees, external contractors that work remotely do not have access to the enterprise grade security when working remotely, exposing themselves to potential breaches

Possible consequences• loss of intellectual property• penalties to be paid to authorities • potential lawsuits • reputational loss • distrust of consumers and partners• loss of careers for key executives • inaccurate, low-quality data analysis• safety of automated systems• productivity loss • mental stress to workers • dissatisfaction with services and

customer churn

Cyber attacks of the futureCyber criminals constantly aim to exploit the vulnerabilities of new Internet-enabled devices for malicious purposes. From causing possible physical harm in manipulating driverless cars to stealing intellectual property on unsecured devices, the possibilities are endless.

Manipulating cyber-physical systems Shutting down electrical and water systems, manipulating the automated entry and exit systems as well as unauthorised entry could endanger the safety of workers.

Attacks focus on cloud platformsCyber attackers work on attacking cloud applications to gain access on user credentials, and confidential data that resides in them

Unsecured wireless & LTE networksCyber attackers explore flaws and vulnerabilities in network infrastructures, thereby gaining access to perform man-in-the-middle attacks, perform espionage or as a step in gaining privilege access into enterprises

Past and presentOffices that employ traditional technology for applications, storage, and networking face challenges in meeting employee needs for agility and mobility in the workspaces for tomorrow.

The future

Legacy signature-based anti-virus that is incompetent in protecting advanced persistent threats delivered by social engineered attacks.

Employees are bound to strict 9 to 5 timeframes in the office, working from home policies do not exist and not allowed to bring their own devices.

Humanoid robots taking on mundane tasks within the workspace; for example, robots staffing hotel reception

to register guests while storing their confidential information on databases of customers and internal staff.

The workspace for tomorrow will demand the use of cloud-based infrastructures and platforms to provide the required agility, collaboration and availability needed in the new workspace. Endpoints are shifting to new perimeters, devices and platforms.

A mobile sales force that needs access to CRM and corporate data anytime, anywhere without the need

to be in the office, saves on rentals and allows the workspace to be more agile.

Companies striving to improve work-life balance by facilitating the ability of employees to work remotely.

The flexibility has been shown to increase employee retention by up to 25%.

Driverless cars allowing an always on-the-go sales force where the office can reside in a mobile space, working on computing devices even while commuting.

New product developments, engineering, gaming and infrastructure designs using augmented reality, with intellectual property (IP) residing in visor platforms.

Wearables assisting in multiple areas such as authentication and automated ergonomics.

Virtual meeting spaces and the use of holograms becoming commoditised and a reality in meetings.

Employees continuing to use personal productivity applications on their mobile devices beyond

enterprise-approved applications.

Internet of things (IoT) enabling smart lighting systems and building systems management in the workspace.

On-premise network security

On-premise data centres and corporate developed applications

10

High performance WIFI networks and 5G LTE connectivity becoming imperative in supporting both

in-office and mobile workforce demands.

Workloads and collaboration tools moving to SaaS and IaaS in the public cloud enabling a sustainable and scalable platform where

applications and services can be provisioned any time for any worker.

Page 11: Secure Workspaces whitepaper

0311

Examining risks when designing the workspace for tomorrow

Thoughtful workspace design focuses on characteristics that promote health and safety for workers while enhancing overall productivity. The factors are assessed according to physical environment risks, be it the quality of air, slipperiness of the floor, and the clear space furniture, fixtures, and fitting needs to avoid potential hazards.

However, as shown in the earlier illustration, workspaces for the future are likely to have a vast number of devices linked to the Internet and connect to cyber-physical systems, opening up corporate systems to more users – and multiplying opportunities for a cyber attack. Hence, it is imperative for companies to adopt a proactive cyber risk management strategy to safeguard their most critical assets.

The problem is not limited to cybersecurity-specific roles, or even the broader category of IT

roles. An organisation’s greatest vulnerability remains its own

workforce, so even if all needed cybersecurity roles were filled,

the enterprise would still be open to exploitation.

- Center For Internet Security

Securing workspaces for tomorrow | Examining risks when designing the workspace for tomorrow

Health risksLighting, air quality,

heat and cold, cleanliness and staff welfare

Cyber risksConfidentiality, integrity, and availability of data in

the workspace

Safety risksEntry and exit, housekeeping,

work areas, floors, and surfaces, workstations

Page 12: Secure Workspaces whitepaper

Securing workspaces for tomorrow | Examining risks when designing the workspace for tomorrow

Cyber risks and the potential consequences for the future workspaceAs enterprises increasingly aspire to create future workspaces and harness the benefits of a mobile workforce that leverage cloud platforms, there is a greater need than ever to implement appropriate measures to secure data, infrastructures, applications and users wherever they may reside. The devices, environment, applications, emerging technologies all connect to the Internet, potentially opening up avenues for cyber criminals to exploit the vulnerabilities of the new workspace. The table below lists the possible consequences, as reflected by recent cyber attacks on enterprises.

Cyber risks Cyber attack scenarios Potential implications for business and workspace

Data loss/leak(Confidentiality)

Cyber attackers stealing data to expose online or sell on the dark web.

Threats to disclose sensitive data of individuals.

Loss of intellectual property

Penalties to be paid to authorities

Mental stress to workers

Potential lawsuits

Reputational loss

Distrust of consumers and partners

Loss of careers for key executives

Data manipulation(Integrity)

Cyber attackers altering data in digital assets, such as in a file or defacing a website.

Manipulating controls of cyber-physical systems.

Reputational loss

Inaccurate, low-quality data analysis

Denial of power and water services in the workspace

Safety of automated entry and exit systems

Data denial (Availability)

Ransomware encrypting files, rendering them inaccessible unless the ransom is paid.

Denial of Service attacks preventing access to online data.

Productivity loss

Inability to perform business tasks

Mental stress to workers

Cyber extortion losses

Dissatisfaction with services and customer churn

Disruption to business operations while on the move is one serious consequence of cyber attacks on the mobile workforce. These end users are usually more vulnerable to attacks as they access the Internet on the go and may not have the same level of security as within the office perimeter. For example, a sales representative could unknowingly access a malicious link using an unsecured wireless network resulting in the download of ransomware encrypting his files hours before a client presentation. It is, therefore, essential for organisations to consider the right prevention tools to ensure their employees are well protected working within the office or remotely.

12

Page 13: Secure Workspaces whitepaper

Securing workspaces for tomorrow | Examining risks when designing the workspace for tomorrow

Venturing into cyber workspaces and risks of social networkingProfessional social networking platforms such as LinkedIn have gained substantial traction in the past years, allowing individuals to connect, interact, discuss and share useful insights on topics related to their work. Today, a considerable number of workers spend their time networking and developing online professional relationships in these cyber workspaces. LinkedIn reported a subscriber base of 450 million members in 2014, translating to a growth of 138%.10

The chart above measures the interest levels of users worldwide based on Google searches for ‘LinkedIn Spam’ using a technique by the Department of ICT, the University of A Coruña, to indicate the amount of spam received by LinkedIn subscribers.11 The growing popularity of the platform is attracting an increase of attackers viewing LinkedIn as a new and effective attacking ground. In the past two years, there has been a growing number of fraudulent LinkedIn accounts impersonating as a professional or recruiter to reach out to senior executives, leading the victim to click or open a malicious file.

Social networking sites also pose an additional risk of divulging sensitive personal information of workers, such as birthdates, the company they work for, and email addresses, which can be used by the cyber criminal to perform reconnaissance in the process of launching a targeted phishing attack. The sites can expose users to cyber bullying or cyber stalking, adversely affecting employee morale and making them potential victims of online harassment. Social media can also serve as a platform to highlight possible insider threats – such as disgruntled employees sharing links on the platform from a cloud file-sharing site, such as Dropbox that generally stores classified corporate information.

Interest over time - Searches for 'LinkedIn Spam'Social networking sites also pose an additional risk of divulging sensitive personal information of workers, such as birthdates, the company they work for, and email addresses, which can be used by the cyber criminal to perform reconnaissance in the process of launching a targeted phishing attack.

Motivations to attack – easy and high returns Unlike the past, cyber attacks today can be done easily using ready-made attacking kits or ‘as-a-service’ option. With the emergence of distributed denial of service (DDoS)-for-hire services, the barriers to entry for an attacker are non-existent with the possibility to anonymously attack a target they desire for a small cost. Ransom-DDoS campaigns have been hugely successful as a ‘viable business’ – where attackers first create fear by sending an email threatening the victim with a DDoS attack unless a ransom is paid. Attackers are also developing techniques that specifically target businesses, resulting in the risk of downtime and consumers not being able to access online services. Likewise, their employees who depend on online systems will not be able to conduct critical tasks. Another popular technique is ransomware; threat researchers have seen a 3,500% increase in the criminal use of net infrastructure to run ransomware campaigns.12 There are more than 120 separate families of ransomware, posing significant inconvenience and productivity loss to employees who are unable to access their files unless they pay the ransom. 0313

100

60

20

80

40

0

2014

/07/

06

2014

/11/

06

2014

/09/

06

2015

/01/

06

2015

/09/

06

2015

/05/

06

2016

/01/

06

2015

/03/

06

2015

/11/

06

2015

/07/

06

2016

/03/

06

2016

/05/

06

2014

/08/

06

2014

/12/

06

2014

/10/

06

2015

/02/

06

2015

/10/

06

2015

/06/

06

2016

/02/

06

2015

/04/

06

2015

/12/

06

2015

/08/

06

2016

/04/

06

2016

/06/

06

10 ‘SEC Filings’, Investors.Linkedin.com, 11 ‘Detecting LinkedIn Spammers and its Spam Nets’ International Journal of Advanced Computer Science and Applications (IJACSA), 201312 www.bbc.com, ‘”Alarming” rise in ransomware tracked’ June 7, 2016

Page 14: Secure Workspaces whitepaper

Threats when devices go ‘off-premise’A functional mobile workforce allows employees to access corporate applications and data from anywhere, be it working in the headquarters or branch office, co-located with another office tenant, on-site at a client’s premises, at home or while traveling. While the mobile endpoint is a potential game changer for businesses, it exposes mobile workers to security risks and vulnerabilities, as they are not protected by enterprise-grade security. What’s more, companies are increasingly permitting personal devices or bring your own device (BYOD) into the workplace, raising the risk of data leakage due to the lack of control or visibility into personal devices, or access to the business network if the device is lost or stolen.

Smartphones and tablets used extensively by staff on-the-go pose inherent risks that are different from office-based PCs. Both Apple’s App Store and Google Play are always on the lookout for malicious apps and work diligently to remove them from their online stores. However, it is inevitable that some infected apps could still slip through the security screening process and infect mobile devices.

Cloud platforms emerging as the new gold mineMany have described data as the new ‘gold’ in the digital economy enabling organisations to gain valuable insights for a competitive advantage. Exfiltration of data using sophisticated techniques may shift from secure internal enterprise networks to cloud platforms as companies leverage cloud offerings, especially public could services, for work collaboration, storage of files or to deliver anytime, anywhere unified communications. Cyber criminals could target software-as-a-service (SaaS) platforms to obtain the information they need, and if data in transmission to the cloud is intercepted or residing in the cloud without proper encryption, it becomes an instant gold mine in waiting for its discoverers.

For example, business chat application provider, Slack, achieving a user base of 500,000 in its first year, experienced a cyber attack on its central database in 2015, compromising user profile information such as login usernames, passwords, and other personal data such as phone numbers and Skype IDs.14 With the information, a cyber criminal could potentially log into users’ accounts to access sensitive corporate data residing in their chats within Slack, containing confidential details about intellectual property and sensitive press releases. As future workspaces could potentially use cloud-based collaboration tools like Slack, it is important to be aware of the possible attacks to these platforms and the proper security measures to mitigate these threats.

Securing workspaces for tomorrow | Examining risks when designing the workspace for tomorrow

Cyber attacks are mostly undetectable, exploiting encryption and commonly used filesCyber attacks are no longer as simple as an odd-looking executable file that one can quickly judge as being malicious and detectable by standard anti-virus software. Malicious traffic these days is transferred mostly through encrypted protocols such as HTTPs, which stay undetected through a firewall or intrusion prevention system (IPS) that is unable to inspect encrypted traffic. Recent threat research has identified a growing number of malware using transport layer security (TLS) to perform their attacks. Between September 2015 and March 2016, there was a fivefold increase in HTTPS traffic employing malicious ad-injectors or adware techniques.13 The rise highlights ongoing and future attack methods on office users using security protocols to mask and work in stealth targeting enterprises that fail to upgrade their security tools to perform deep packet inspection on corporate Internet traffic.

Malicious codes are also carefully scripted into legitimate-looking files such as Word and PDF documents that can detonate malware onto the victim’s device at any time. One likely scenario is where a HR professional opens a Word or PDF document submitted as a resume, but in fact has malware written in it, which exploits the vulnerability of the operating system it is sitting on. This could lead to the launch of a malware attack such as ransomware. Workspaces for the future need to employ smart security tools to detect such sophisticated attacks to determine if the file is benign or harmful to the workplace.

Social networking sites also pose an additional risk of divulging sensitive personal information of workers, such as birthdates, the company they work for, and email addresses

350K

250K

150K

50K0K

APR AUG DEC 2016 APRJUN OCT FEB

300K

113,753108,618

303,808298,863

200K

100K

Ad Injectors HTTPS HTTPSAmou

nt o

f tra

ffic

(web

requ

ests

)

14

Source: Cisco security research

13 Cisco 2016 Midyear Cybersecurity Report, 14 www.pcworld.com, ‘Slack hacked, compromising users’ profile data’ Mar 27, 2015

Page 15: Secure Workspaces whitepaper

Securing workspaces for tomorrow | Examining risks when designing the workspace for tomorrow

End users identified as the weakest linkCyber attackers continue to innovate and create more advanced malware and code injection/intrusion techniques. The widespread usage of social media in recent years is enabling threat actors to perform reconnaissance on their intended targets to create phishing attacks to increase their success rate, or simply craft an email to request a wire transfer to their bank accounts. Nearly 54% of security professionals worldwide view phishing/social engineering as one of the two most common threat techniques experienced15, highlighting the fact that while security tools are essential, it may not block all attacks. Greater vigilance towards such attacks needs to be exercised by the users themselves.

Social engineering attacks are not only becoming common, but also more sophisticated as attackers innovate new techniques other than phishing attacks that are designed to fool the victim into carrying out a task, such as clicking on an email link activating a drive-by download of malware. New methods involve ‘pharming’ that redirects clicks on websites to fraudulent sites; ‘vishing’ where a scam artist attempts to use voice calls to obtain personal information; and ‘smishing’ which tries to do the same using SMS, exploiting the fact that smartphones are able to access the Internet the moment the user clicks on a malicious link in a text message, and unlike email, there are no SMS spam filters.

We have observed the tendency for attackers to launch phishing attacks on employees working in less robust security infrastructures and amassing large amounts of consumer data, such as the retail sector. In 2015, spear phishing attacks accounted for approximately 17% of overall incident response engagements, in which there was a 12% rise in attacks towards retailers worldwide, overtaking the finance sector which was previously the highest.16

Recent business email compromise attacks Business email compromise (BEC) attacks targeting high-level executives are increasingly successful with cyber criminals posing as someone of high seniority in the organisation such the CEO, and sending an email requesting the accounts payable to wire transfers to a bank account belonging to the attacker.

The FBI estimated that previously organisations that fall victim to BEC attacks lost between USD 25,000 and USD 75,000 on average based on the cases reported; however, within the span of the past two years and five months, the total loss has accumulated to USD 2.3 billion.17 Some have incurred substantially higher losses in BEC attacks, such as toy manufacturer, Mattel, that lost USD 3 million. In some cases, it has even resulted in the loss of careers; the CEO of Austrian aerospace parts maker, FACC, was fired after a BEC attack hit the company, losing USD 47 million.18

Recent business email compromise attacks

Retail

Education

Government

Business and professional services

Technology

Energy & utilities

0% 10% 20% 25%5% 15%

Finance

Manufacturing

Gaming & entertainment

1515 The 2015 (ISC)2 Global Information Security Workforce Study, 16 NTT Group, 2016 Global Threat Intelligence Report, 17 www.fbi.gov, ‘FBI Warns of Dramatic Increase in Business E-Mail Scams’ Apr 4, 2016,

18 www.reuters.com, ‘Austria’s FACC, hit by cyber fraud, fires CEO’ May 25, 2016

Page 16: Secure Workspaces whitepaper

… And the creator of internal threats with shadow ITIt is important to understand where critical data resides and the applications employees use as companies today leverage cloud platforms and embrace BYOD. Smartphones and tablets are installed with applications employees use as their productivity tools that may or may not be sanctioned by the organisation, for example, note-taking using Evernote or using LastPass to manage passwords. BYOD could take on a new meaning as ‘Bring Your Own Danger’ where mobile applications used to store confidential data may not have enterprise-grade security controls over them. For example, in 2015, password manager LastPass, announced that email addresses and encrypted master passwords were compromised due to a data breach.19

Another example of how employees turned out to be internal threats was the recent breach of Dropbox. In the incident, it was surmised that a Dropbox employee had re-used a password used on another site, which was possibly discovered by cyber attackers who used it to log into his/her account. The Dropbox employee’s files apparently contained a project document containing 70 million email accounts used for login purposes.20 The case reflects the critical need to establish proper security protocols and educate employees on cybersecurity best practices; and not rely solely on security technologies to serve as an adequate preventive measure.

Securing workspaces for tomorrow | Examining risks when designing the workspace for tomorrow

Smart offices: IoT brings the Internet of threatsThe IoT-enabled workspaces for the future deliver a degree of control and customisation not achievable in the past. The office environment is seeing a greater use of CCTVs as well as smart devices for door locks to lighting with users controlling them via smartphones and smart hubs. However, these smart devices and their hubs may be more susceptible to cyber attacks as they are typically designed with only basic security features.

Smartphone-enabled smart locks for entry and exit areas in workspaces are gaining popularity to lock and unlock doors without the use of keys. While it provides a convenient way of physical security, some have been found to be vulnerable to simple hacking tools. In fact, 75% of smart locks can be easily hacked to unlock at will, according to two researchers who tested 16 different smart locks at a major hacker convention in 2016.21

Besides smart locks, future workplaces may also consider smart lighting that can be controlled using a smartphone to provide customisation in terms of colour and brightness. However, vulnerability researchers have managed to hack into such smart light bulbs, obtaining the usernames and password of the wireless network. This was accomplished using readily available equipment to impersonate as a new bulb joining the network where the smart bulbs had to share credentials among each other when authenticating to the network.22

The growing demand for sustainable, healthy, energy-efficient work environments is leading many buildings to deploy smart building management systems (BMSs). The integration of numerous operational functions connected to the Internet to remotely perform configurations or monitoring delivers many benefits. However, these systems may not be designed with adequate cybersecurity practices such as network security and patching, and hence, are a potential point of attack. For instance, security researchers were able to detect vulnerabilities in the BMS at the Google Australia building. The system was not patched for vulnerability, and they could access a control panel screen showing blueprints of the floor, water pipes, indication of water temperatures, and buttons to access controls such as ‘active overrides’ and ‘BMS Key’.23 Water, lighting, heating, and security are essential functions for offices. Any breach of the systems could result in severe and costly consequences. Therefore, it is imperative for IoT on operational technologies (OT) used in future workspaces to be well guarded against potential cyber attacks.

Need for security by design in the workspaces for tomorrowCybersecurity addresses the confidentiality, integrity, and availability of data residing either within the enterprise perimeters or at the edge where employees want to work and on devices they choose to utilise. It is vital for organisations to view cybersecurity as a key enabler towards workspace transformation, as every initiative will go digital presenting cyber attackers opportunities to infiltrate the new environment filled with many entry points as well as unsecured devices and applications. Some of these applications could be hosted in the public cloud an enterprise does not own, involving even tougher challenges in mitigating the threats towards them. In the new digital workspaces, companies need to future-proof cybersecurity mechanisms, as highlighted in the next chapter.

16

19 www.time.com, ‘Cybersecurity Firm LastPass Hacked; User Data Stolen’ June 16, 2015, 20 www.businessinsider.com, ‘Hackers stole almost 70 million customer passwords from Dropbox after an employee reused a password’ Aug 31, 2016, 21 www.cnet.com, ‘Have a smart lock? Yeah, it can probably be hacked’ August 9, 2016,22 www.bbc.com, ‘Smart LED light bulbs leak Wi-Fi passwords’ July 8 2014, 23 www.wired.com, ‘Researchers hack building control system at Google Australia office’ June 5, 2013

Page 17: Secure Workspaces whitepaper

Securing workspaces for tomorrow | Cybersecurity – your future workplace enabler and accelerator

Cybersecurity – your future workplace enabler and accelerator

Along with continuous lateral monitoring across enterprise networks with

user, device, and application awareness, the solution

accelerates incident response, improves forensic

investigations and reduces enterprise risk.

The following section presents next-generation cybersecurity controls and practices to consider in combating both existing and future cyber threats. In essence, it is building up a smart defence against smart attacks in the workspaces for tomorrow.

Blocking threats through context-aware security analyticsContext-aware security analytics can be used to quickly detect a broad range of advanced attacks such as volumetric DDoS, zero-day malware, and insider threats. Along with continuous lateral monitoring across enterprise networks with user, device and application awareness, the solution accelerates incident response, improves forensic investigations and reduces enterprise risk. The implementation of intelligent sensors on the network routers enables constant monitoring of entire branch networks without compromising system performance. The integration of threat detection and mitigation into the sensors serve as a gatekeeper with automated policies in place to block the access of malicious threats at the router. Enterprises are able to gain centralised visibility of incoming threats from the actionable data collected through the intelligent sensors.

Enabling mobility and extending defence at the DNS by harnessing the power of cloudSecurity protection can be extended to the domain name system (DNS) with additional features such as phishing or botnets protection and content filtering. A cloud-delivered network security service provides protection to any device that connects to the enterprise’s network. Predictive cybersecurity intelligence with live graphs of global DNS requests and relevant information safeguard the enterprise from attackers and provide a level of prediction on possible future attacks.

Security protection should also cover an off-VPN environment to block potential threats such as malware, phishing or advanced persistent threats over any Internet port. This ensures that every Internet activity that bypasses the enterprise parameter is fully monitored. Off-network blind spots are eliminated with security protection at the DNS layer while providing greater visibility to the organisation.

Source: Cisco

Threats blocked - Over any port

Malware | Phishing | C2 callbacks

Roaming laptop

Main office

Security serviceCisco Umbrella

On-network security

Off-network security

Internet

VPN offUmbrella active

Perimeter security

Cisco NGFW

17

Page 18: Secure Workspaces whitepaper

18

Securing BYOD solutions

A BYOD policy needs to be well designed to enable secure mobility and separation between work and non-work data or applications. For example, certain security features such as password locks, identification, and authorisation or security application are required to be activated on the devices. BYOD security tools employing different levels of data-centric encryption and information protection need to be placed according to the employee hierarchy to unlock the full value of the new secured BYOD culture. The strong defence and seamless network experience can be achieved by employing wireless LAN controllers and access points in the office that are versatile and reliable, coupled with a lightweight secure mobility client that provides secured remote access and a robust identity services engine that enables the IT administrator to control all access points through the network in one place.

Offering signature-less detection and response against advanced attacksCyber attackers research heavily about prevention technologies and are always innovating new ways to circumvent and evade them. The latest advanced persistent threat techniques use a combination of various attack vectors when designing zero-day malware, which are yet to be analysed by threat researchers that develop anti-malware signatures to detect them, making signature-based solutions ineffective in stopping them. Advanced malware protection tools need to be deployed at the network and endpoints and rely on signature-less detection techniques to analyse malware, such as via virtual code emulation and behavioural analysis. The tools must also offer the appropriate response plan to contain and eradicate these threats before they spread throughout the enterprise.

Going beyond technology: creating committees and extending cybersecurity education across the enterpriseEnterprises, both large and small, should address the risk of human vulnerabilities to ensure that intellectual property is secure within the workspace. Employees need to be aware of the importance of data security and their roles and responsibilities in safeguarding sensitive corporate data and resources. The creation of cybersecurity committees will help to make security relevant to every employee in an enterprise. Regular updates about cyber threats enable companies to review and improve policies and processes to anticipate and effectively manage cybersecurity risks. The committees are also a good starting point to elevate cybersecurity to a cross-department function enabling departments to request the tools they need to do their job in a secured environment. Security practices have to adapt to people of different ages and job roles with continual education efforts. Policies, guidelines, and security awareness training can help to educate the workforce and achieve a secure future workspace.

Cloud security technologies shaping secured business practices using cloud servicesCloud technologies continue to redefine the way businesses operate, given the changing nature of work and geographically distributed workplace. By leveraging cloud services, enterprises are able to achieve high efficiency and productivity across the entire business process with fast access to data, software, and services. Employees can also access cloud-based software-as-a-service applications anywhere, anytime.

To fully embrace the advantages of cloud applications, there is a need to integrate cloud security protection tools such as cloud access security brokers (CASB) into the SaaS applications enterprises use. Security services such as cloud data loss prevention (DLP) solutions protect sensitive data in public cloud applications. When used in combination with cloud-based web security, users gain not only additional protection from malicious websites, but also authentication and encryption features when accessing cloud-based services. Actionable cybersecurity intelligence across the entire cloud infrastructure is also essential in identifying vulnerabilities and threats within the enterprise.

The latest advanced persistent threat techniques use a combination of various attack vectors when designing zero-day malware, which are yet to be analysed by threat researchers that develop anti-malware signatures to detect them, making signature-based solutions ineffective in stopping them.

Securing workspaces for tomorrow | Cybersecurity – your future workplace enabler and accelerator

Page 19: Secure Workspaces whitepaper

Securing workspaces for tomorrow | The last word

The last word

However, even in the workspace of today, enterprises

are already facing challenges with cyber attacks, amounting

to massive dollar losses due to system downtime or

penalties to the authorities for failing to secure their

consumers’ data.

As businesses transition towards digital transformation to meet the evolving needs of end users, the future workspaces require robust security tools to mitigate cyber threats allowing enterprises to embrace digitisation securely.

However, even in the workspace of today, enterprises are already facing challenges with cyber attacks, amounting to massive dollar losses due to system downtime or penalties to the authorities for failing to secure their consumers’ data. In a recent global security survey, approximately 79% of respondents revealed having no formal incident response in place; and spending a great deal on resources before dealing and investigating data breaches in 2015, highest at 28%24 (see figure). The findings clearly indicate the ill-preparedness of most enterprises today in responding to cyber attacks.

Percentage of investigation performed based on incident category60

40

20

50

30

10

02013 2014 2015

Malware DDoS Breach investigation Others Internal threat Spear phishing

1924 NTT Group, 2016 Global Threat Intelligence Report

Page 20: Secure Workspaces whitepaper

Moving forward, enterprises need to consider the following critical questions in planning their next steps when developing their workspaces for their future:

When was the last time your workspace went through a cyber-health check?Much like how we undergo health screenings to determine our wellbeing, the same principle needs to be applied for cybersecurity – performing thorough risk assessments that go beyond meeting compliance needs. As data may sit on multiple devices and infrastructures, it is important to perform data classification. For example, what are the data types, where are they located, and what access rights and protection levels are required. A vulnerability assessment across all devices used in the enterprise is essential in identifying gaps cyber attackers may potentially exploit. Penetration tests, using the latest attack techniques, are also useful in identifying critical gaps in both IT and OT environments.

Do you know the cyber threats attacking your workspace right now?Cyber attacks are relentless; therefore, all organisations must be vigilant in detecting and responding to attacks at any given time. Much like how security guards and CCTVs operate 24/7 to monitor any attempted physical security breaches to an organisation, the same principle should be applied to cybersecurity. Enterprises should consider cybersecurity operation centres (CSOCs) to monitor the threats in real-time, manage security solutions, and promptly react to risk indicators before an attack infiltrates the organisation. Regular cyber drills should also be conducted to ensure security analysts are well prepared in responding to attacks.

Securing workspaces for tomorrow | The last word

Do you have a competent service provider as your secured business partner for workspace transformation?In the journey towards establishing a cyber-resilient enterprise, organisations may be daunted by the challenges of acquiring and integrating advanced security solutions, monitoring threats 24/7, performing regular risk assessments, and sourcing for manpower with the right expertise. In today’s industry landscape where more companies are shifting towards an opex model to manage business operations, enterprises should consider leveraging managed security services to facilitate their security needs. The service provider should have in-depth expertise in understanding the current and future needs of end-user computing, allowing enterprises to execute transformation initiatives using a structured end-user computer development framework designed with security in mind.

User experienceUser training and adoption

User and business benefits

User activities

Corporate social

Communicationsproductivity

Workspace managementApplication management

Software licensing

End-user computing maturity levelEnd-user computing maturity level

Business enablementGovernance

Device deliveryStrategy

System monitoring

Initial | Repeatable | Defined | Managed | Optimised

Device managementDevice supportDevice strategy

NetworkRemote access

ArchitectureServersCloud

Performancemanagement

People Information fabric

Security policyTechnology

Users Applications Operational excellence

Devices Infrastructure Security

Dimension Data helps organisations achieve greatness through technology, and can help you to transform and secure your workspace in the digital era. Visit: www.dimensiondata.com/secureworkspaces

20

Page 21: Secure Workspaces whitepaper

Middle East & AfricaAlgeria • Angola

Botswana • Congo • BurundiDemocratic Republic of the Congo

Gabon • Ghana • KenyaMalawi • Mauritius • Morocco

Mozambique • Namibia • NigeriaOman • Rwanda • Saudi Arabia

South Africa • Tanzania • UgandaUnited Arab Emirates • Zambia

AsiaChina • Hong Kong

India • Indonesia • JapanKorea • Malaysia

New Zealand • PhilippinesSingapore • TaiwanThailand • Vietnam

AustraliaAustralian Capital Territory

New South Wales • QueenslandSouth Australia • Victoria

Western Australia

EuropeAustria • Belgium

Czech Republic • FranceGermany • Hungary • Ireland

Italy • Luxembourg • NetherlandsPoland • Portugal • Slovakia

Spain • SwitzerlandUnited Kingdom

AmericasBrazil • Canada • Chile Mexico • United States

For contact details in your region please visit dimensiondata.com/globalpresence