Contrary to what some professionals might assume, remote work can help enhance an organization's network security strategy.
When most organizations were forced into a work-from-home model due to the COVID-19 pandemic, C-suite and IT leaders had to evaluate their organizations' network security strategies and remote access technologies. This shift may have felt like a scramble in the beginning, but it also helped IT teams recognize the tools they already had that they hadn't used to their full potential, according to author Aditya Mukherjee. Organizations that make the most of their existing tools can glean significant benefits and save money.
In Mukherjee's book, Network Security Strategies, IT teams can discover the best ways to secure their networks against major threats and attacks, as well as tips for how to improve their organization's strategies for network security.
Editor's note: The following interview was edited for length and clarity.
What do organizations need for an effective network security strategy?
Aditya Mukherjee: When it comes to network security, I don't think it is given importance outside of normal devices and policies in place by default.
This is why we see a lot of attacks where attackers are able to infiltrate one system and then stay … persistent in the environment for 80 or 90 days, depending on detection capabilities. So, for most companies -- which are not focusing on information security [infosec] specifically -- their network responsibilities lie with the network administrator or network engineer, who are primarily focused on making the network function rather than secure.
One of the best ways to approach network security for any organization is to go through security audits or penetration tests to understand gaps they have in mitigation, detection and response so they can … build up a more secure network. The business impact a network breach or data loss will have is not just from an operational standpoint, but from a monetary [or] reputation standpoint -- the impact is huge.
Most organizations don't understand how vulnerable they are or what's at risk [until they] receive a ransom note from an attacker.
What common mistakes do IT teams make with their network security strategies?
Mukherjee: One major flaw is, from time to time, they do not do security revisions or security audits to understand how particular users, who are persistent in the environment for a longer period of time, actually accumulate a lot of access. And, once those accounts become exposed or accessed by an external threat actor, they have a lot [more] privileges than they traditionally should, which is authorization creep.
Basically, ensure that any new device coming in is secure. Is it expanding your threat landscape? All these things are basic building blocks, which a lot of organizations do not focus on.
When did network security start to become as critical as it is today?
Mukherjee: With time, it has become more complex because, now, the boundaries are transparent. Earlier, we knew the certain devices we had and the partners [and] other vendors we worked with.
Today, with BYOD, cloud [and] shadow IT, the boundaries of an enterprise are very transparent, and that inherently impacts the network as well. Knowing where your data exists, how that is processed [and] who processes it is very important. The different complexities have elevated the need for a good, secure network, which is not just stable from an operation standpoint, but resilient in case of a cyber or DDoS [distributed denial-of-service] attack.
In the past, what we have seen is, a lot of times, when attackers try to infiltrate a network, they often do a DDoS attack or try to get the attention of the security team with a bogus attack. Having those addressed from day one so you can adequately focus on everything you're getting at the same time, instead of just focusing on one attack vector, is important.
With boundaries becoming more transparent, how does that affect network security?
Mukherjee: Pretty much every organization right now is on a work-from-home model, and this has been great from a security perspective because a lot of organizations were mandated by either their executive leadership or boards to look long and hard at how their employees [and] customers would be secure from remote locations tunneling into this network. That was a huge paradigm shift for companies, employees and security professionals.
People started focusing on how remote connections have been established, how they handle those connections, focusing on VPN [and] load balancing, because a lot of companies ... had to schedule employees to come in at certain hours and other teams to come in at certain hours because their VPN was not capable of handling that load all at once. It has increased the attention towards [infosec] and overall interconnectivity between companies and employees, and that has been good for the market, as well as for [putting] more secure and better policies in place.
It's not going to be soon that we go back to our workplaces and, even if we do, with the mindset people have been in for the last eight to nine months -- remote access and working from home are going to be part of the culture for every team possible.
The importance will only increase with more complex and sophisticated services coming out to authenticate [and] authorize users and how they mix with the amalgamation of different networking devices and services we provide to customers. It's going to continue for a foreseeable future.
What common questions do you get about network security?
Mukherjee: One of the most common questions we get from CISOs is: 'Are we secure?' And the clear-cut answer is either, 'We are secure to a considerable amount,' or, 'We are not very secure,' because, as everybody knows, there is no 100% security. You have to gauge the risk appetite of the organization. How much budget is available? What fixes can you put in place to mitigate threats? Infosec has always been a cat-and-mouse game.
The second is from CISOs, CEOs, security managers and directors. When they come out from a security conference or talk, they hear about some new, flashy technology, such as threat hunting, [user behavior analytics], zero trust, and their immediate idea would be, 'How do we implement this?'
One thing that security professionals need to help them understand is they don't need to put every single technology available in their environments to make them secure. Whatever you have, first, utilize that 100%, and get the optimal output from it. And, if there is a genuine business case for a new solution, which further mitigates or remediates an existing risk, only then should you look at that.
Various companies have 70 security products in their arsenal, and they're hardly using five to seven to their full potential. That's a waste of dollar value and creates additional burdens on resources. Make sure, whatever you have, you're using it to the best [of its ability], and then look out for something new.