5 ways CISOs can secure BYOD and remote work without increasing security budgets

Remote and hybrid working models have quickly become ubiquitous. The rapid shift to this new way of working has jump-started efforts to address the new security threats that come with it.

As 2023 approaches and recession fears seep into business planning, security organizations must find ways to protect dispersed data and assets without driving up costs. But they also need to continue to support remote working and Bring Your Own Device (BYOD), which are key drivers of business agility, agility and accessibility for a wide range of human talent.

Here are five methods and controls for remote work security that can be implemented at minimal cost – and in some cases lead to cost savings.

1. Replace virtual desktops

Virtual desktops (VD) are virtual PCs in the cloud that enable remote access to physical devices on premises. After installing the virtual appliance software on the remote endpoint device, users can connect to their office workstations. This solution was designed for legacy architectures and was a good option when users needed to use their on-premises computers to access on-premises assets and continue working.

However, in today’s cloud-driven architecture, connecting through virtual desktops has become cumbersome and expensive. Using a VD to access SaaS applications and websites and process files locally is inefficient, subject to poor performance and latency, and creates significant IT overhead. These all contribute to a poor employee experience that reduces productivity.

In addition, VDs cost about twice as much as streamlined, cloud-driven browser security solutions, which are also better equipped to address web threats. By replacing VDs with modern solutions, security teams can reduce costs, increase productivity and improve security – all in one.

2. Implement a zero-trust approach

Cloud architectures have driven security teams to find new ways to provision permissions. With users spread worldwide, the traditional castle-and-moat approach could no longer suffice. Alternatively, identity became the new perimeter, requiring security teams to manage their access in a new and modern way.

The leading identity-based security approach for distributed architecture is zero trust, which consists of continuous user authentication and authorization, rather than trusting them based on their original network or IP. According to the recent IBM Cost of a data breach report 2022zero trust implementation saved organizations an average of $1 million in breach costs.

Any security solution should provide a zero-trust approach as part of the solution to reduce the attack window for gaining access or lateral movement and to reduce the cost of data breaches. Purchasing any other solution would be a waste of valuable budget dollars.

3. Manage access through detailed terms

Access control and user authentication are derived from a clear set of policies. This policy determines which identities can access which resources and which actions they can take. But keeping the policy at a high level will give users too many privileges and could lead to a costly data breach.

Authorization policies should be as detailed as possible to ensure that users are not given excessive access rights. This policy must be consistent across all SaaS apps and on-premises applications and enforced on both managed and unmanaged devices (see above).

In addition to policies based on user roles or attributes, policies can also be based on browsing events. Advanced website session analysis can allow blocking access to specific malicious web pages to neutralize them without harming the user experience that will result from completely blocking access.

By providing broad security coverage at a granular level without compromising users’ ability to work, security teams can achieve security and productivity, ensuring a high ROI for their security solution.

4. Train employees to increase security awareness

According to Verizon’s 2022 DBIR report, “82% of breaches involved a human factor. Whether it’s the use of stolen credentials, phishing, abuse or just a mistake, people continue to play a very large role in both incidents and breaches.” Remote work has only increased the use of phishing attacks and their sophistication, with 62% of security professionals stating that phishing campaigns were the biggest threat during COVID-19, according to Microsoft’s The new future of work report.

No security solution is complete without training users and raising awareness of the abundance and severity of cyber-attacks. Employees should be trained in the importance of being alert to Internet threats and risks, such as phishing emails or websites, malware injections, and accidental mis-delivery of private information. Conduct phishing exercises, show demos and constantly remind employees that the security of the organization is literally in their hands.

Enthusing employees about security and turning them into champions is the way to stretch the value of training dollars and reduce spending on unnecessary security audits.

5. Deploy modern alternatives to expensive network solutions

Network security solutions such as VPNs, CASBs, SWGs, and endpoint detection and response (EDR) are expensive and require IT management and maintenance, which also add business costs. They are difficult to implement, disrupt the user experience, and do not provide an immediate solution to the company’s need to scale.

On top of these operational shortcomings, network solutions do not provide comprehensive protection against web-borne threats. For example, CASBs cannot secure unapproved applications, SWGs cannot fully secure malicious websites, EDRs can overlook malware downloads, and VPNs tunnel users to networks instead of using zero trust.

Modern alternatives that provide conditional access to resources can provide a higher level of security without the operational costs and overhead of managing network traffic.

What awaits security teams in 2023?

Whether a recession is imminent or not, teams are expected to work extra hard to prove their worth without incurring additional costs to the company. Security teams, who have traditionally found it difficult to justify the need for budgets, will need to publicize their plans and explain how they went above and beyond to cut costs. Streamlined and effective security controls are essential to get through 2023 and make it to the other side.

Or Eshed is CEO and co-founder of LayerX