
Ask yourself: if a senior employee's laptop were stolen, perhaps as part of an industrial espionage campaign, would the security precautions you have in place today stop the thief from extracting valuable information or credentials from it?

Digital transformation and the changing workplace are shining a light on two intersecting trends: the variety and volume of endpoint devices, and the need to secure data and systems wherever they reside. Even before the pandemic, numbers were already alarming:

  • 64% of organizations experienced one or more endpoint attacks that successfully compromised data assets and/or IT infrastructure.1
  • 5 billion threats are detected on devices every month.2

And according to Gartner, by 2022, 70% of organizations that do not have a firmware update plan in place are likely to be breached due to a firmware vulnerability. Malware that runs before the OS boots, or that persists in firmware, is a real threat: it is invisible to most tools running inside the operating system and can survive a reinstall of that operating system, which makes it difficult to remove.

As security becomes table stakes for digital business, IT and security teams work closely together to identify threats and vulnerabilities proactively across the entire IT architecture, and devices are among the most exposed entry points for attackers. Security teams understand the need to modernize endpoint security methods, from the device firmware up to the cloud, across all phases of the device lifecycle. But where do you stand?

According to BCG's October 2020 research "Remote Working and the Platform of the Future"3, the foundations of the new hybrid workplace lie in technology solutions such as modern devices and cloud-based collaboration tools, grounded in security solutions that keep endpoints, data and identities secure. However, the same research finds that only 27% of surveyed managers say they have the required technology fully in place.

Supporting a remote or hybrid workforce is a new challenge: how do you make it easier for people to do their jobs from any location while protecting data from threats, particularly at the endpoint, when many of those endpoints are still legacy devices with limited built-in security?

Devices are used by employees across a variety of mission-critical scenarios, from collaborating in Office on important documents to Microsoft Teams calls with coworkers across the globe. Providing robust protection against the latest malware and ransomware is a critical priority, as organizations expect their devices and data to withstand common attacks.

How to reduce the endpoint security risks of a remote workforce?

To build a more flexible and scalable approach to protect employee devices, data, and user identities across a dispersed workforce, 3 key dimensions should be considered:

1. Managing and securing remote devices

Protecting sensitive information on endpoint devices has typically involved a lot of manual configuration. These tasks become impractical when the workforce is dispersed across many different locations.

Many organizations are therefore moving to cloud-based solutions that combine device protection, information protection, and identity protection. Cloud-based mobile device management (MDM) removes the bottleneck of hands-on configuration and lets you enforce update and configuration policies centrally, so that the software and operating systems on your devices are kept up to date wherever the devices are.

Endpoint security begins with the design of the device and continues throughout the entire device lifecycle, from deployment to end of life. An optimal security strategy enables administrators to control even the lowest level of hardware settings without having to touch the machine.

2. Protecting company information

Protecting your company’s information from loss, theft, and misuse becomes more critical—and more complex—with a dispersed workforce.

For many organizations, the best way to remain compliant with data privacy and other regulations is with a cloud-based solution that can help you classify and protect information regardless of where it’s stored or who it’s shared with. A modern information protection solution can automatically discover information as it appears, apply custom controls based on how it is classified, and apply policy-based actions to sensitive information.

Alongside a cloud solution for information protection, the devices you choose also play a big part in protecting sensitive data.

For example, modern biometric sign-in, using fingerprint or facial recognition, offers better protection than passwords. Plus, some devices offer built-in data encryption that is enabled out of the box, without additional configuration by IT, so information on the drive cannot be read offline if the device is lost or stolen.

3. Securing identities

Many businesses have adopted a single sign-on (SSO) solution that lets users access multiple applications with one credential. Consolidating logins to a single set of credentials reduces the attack surface: the more passwords in use, the more opportunity attackers have to find and exploit a weak one. It also concentrates risk on that one credential, which is why the credential itself must be strongly protected.

However, as the popularity of cloud applications grows, relying solely on an on-premises SSO is no longer enough. Setting up a separate connection between your SSO solution and every single cloud application, for every single user, is far too complex to manage. A simpler approach is to use a cloud-based identity management solution.

Single-factor authentication is no longer enough either. Multi-factor authentication is more secure, and it need not be a burden for the organization or its users.

In addition to the convenience that SSO brings to how people work, there are new hardware technologies that help drive identity-based security. For example, Surface devices are configured out of the box with “containers” that isolate apps from other processes to protect them from misuse.

Choosing hardware that supports these new methods, in combination with cloud-based identity management, will help you build a strong defense against today's growing threats. For instance, devices are increasingly available with fingerprint or facial-recognition authentication in addition to traditional passcodes, as well as out-of-the-box software that isolates and hardens key system and user secrets against compromise.

The simple choice for device security with Surface for Business


Endpoint security has always been at the core of Surface devices. Our engineering team has been using a unified approach to firmware protection and device security since 2015 through complete end-to-end ownership of hardware design, in-house firmware development, and a holistic approach to device updates and management.

Our Unified Extensible Firmware Interface (UEFI) is written in-house, continuously maintained through Windows Update, and fully managed through the cloud by Microsoft Endpoint Manager. This level of control enables enterprises to minimize risk at the firmware level, before the device even starts Windows 10. Additionally, Surface is the only manufacturer to have Device Firmware Configuration Interface (DFCI)4 enabled for cloud-scale remote firmware management with zero-touch device provisioning. Through the cloud, IT organizations can disable a camera, or disable the ability to boot from USB, at the pre-boot firmware level, so that someone with physical access cannot simply boot another operating system from a USB stick to get at the machine. The result is a reduced attack surface, which is critical to endpoint protection.

Furthermore, to protect the firmware and the initial boot of the device, Surface enables Secure Boot, which verifies the signature of each boot component before it runs, so that only trusted boot components and an authentic Windows 10 boot loader are executed. Surface also ensures that every commercial device includes a security processor (TPM 2.0) that protects the keys used by BitLocker, to encrypt your data, and by Windows Hello, to enable password-less sign-in. Each of these built-in security options helps protect your device from malicious software attacks. DMA Protection, enabled by default in newer Surface devices, mitigates attacks in which a hot-pluggable peripheral such as an external storage enclosure reads system memory, including encryption keys, directly over DMA.

Surface has also worked diligently across multiple hardware platforms to enable VBS (Virtualization-Based Security) and HVCI (Hypervisor-protected Code Integrity) by default on capable new Surface models. VBS uses hardware virtualization to isolate a region of memory from the normal operating system, and HVCI uses that isolated environment to check the integrity of kernel-mode code before it is allowed to run. This defeats a large class of privilege-escalation attacks that rely on loading unsigned or tampered code into the kernel.
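Whether Secure Boot, a TPM 2.0, BitLocker and VBS/HVCI are enabled by the manufacturer is one question; whether they are actually running on a given machine in your fleet is another. The following PowerShell script is an added example, not Microsoft's or Surface's own code, that reports the state of each of these controls on the Windows device it runs on and returns a single pass/fail verdict. The function names are this example's own; every cmdlet and CIM class it calls is built into Windows 10/11, and it must be run from an elevated prompt.

```powershell
# Added example (not Microsoft's or Surface's code): report whether the
# protections described above are actually active on this Windows device.
# Run from an elevated PowerShell prompt on Windows 10/11.

function Get-EndpointSecurityPosture {
    $p = [ordered]@{}

    # Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines or
    # when not elevated, so a failure is reported as "unknown", not as off.
    try   { $p.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $p.SecureBoot = "unknown: $($_.Exception.Message)" }

    # TPM: present, initialised, and a 2.0 part. Win32_Tpm.SpecVersion reads
    # like "2.0, 0, 1.38"; the first field is the specification family.
    $tpm    = Get-Tpm
    $tpmCim = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
    $p.TpmReady       = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    $p.TpmSpecVersion = ($tpmCim.SpecVersion -split ',')[0].Trim()

    # BitLocker on the OS volume: protection must be On, the volume fully
    # encrypted, and a TPM-based key protector present so the key is only
    # released after the boot chain measured by the TPM checks out.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $p.BitLockerProtection = "$($os.ProtectionStatus)"
    $p.BitLockerVolume     = "$($os.VolumeStatus)"
    $p.BitLockerProtectors = ($os.KeyProtector.KeyProtectorType | ForEach-Object { "$_" }) -join ', '

    # VBS / HVCI. Win32_DeviceGuard reports what is running, not only what is
    # configured: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $p.VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $p.HvciRunning            = ([int[]]$dg.SecurityServicesRunning -contains 2)
    $p.CredentialGuardRunning = ([int[]]$dg.SecurityServicesRunning -contains 1)

    [pscustomobject]$p
}

# Single verdict, usable as the exit code of an MDM compliance or remediation
# script: $true only when every baseline control is in place.
function Test-EndpointSecurityBaseline {
    param([Parameter(Mandatory)] $Posture)
    return ($Posture.SecureBoot -eq $true) -and
           $Posture.TpmReady -and
           ($Posture.TpmSpecVersion -eq '2.0') -and
           ($Posture.BitLockerProtection -eq 'On') -and
           ($Posture.BitLockerVolume -eq 'FullyEncrypted') -and
           ($Posture.BitLockerProtectors -match 'Tpm') -and
           $Posture.VbsRunning -and
           $Posture.HvciRunning
}

$posture = Get-EndpointSecurityPosture
$posture | Format-List
if (Test-EndpointSecurityBaseline -Posture $posture) {
    Write-Output 'Endpoint security baseline: met'
    exit 0
} else {
    Write-Output 'Endpoint security baseline: NOT met'
    exit 1
}
```

The script deliberately reports a Secure Boot lookup failure as "unknown" rather than as disabled, because the cmdlet also fails on legacy-BIOS machines and in non-elevated sessions. Kernel DMA Protection and DFCI enrollment are not exposed by these cmdlets; the DMA Protection state is visible in the System Summary of msinfo32, and DFCI state is reported through the management console rather than on the device.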

In an age of rising security threats, businesses need protection across multiple layers. From chip to cloud, Surface builds in the most secure device capabilities available and continues to innovate to meet evolving needs. With built-in protection at every layer, Surface is the best, most streamlined implementation of Microsoft's security stack.

Learn more about security on Surface here and familiarize yourself with Eneco’s story – a leading energy supplier in the Netherlands – that chose Surface for Business devices to create a more sustainable and secure workplace.

 


1 Source: Ponemon Institute, “The 2018 State of Endpoint Security Risk,” October 2018
2 Source: Microsoft Security Blog, “The evolution of Microsoft Threat Protection, June update,” June 2019
3 BCG “Remote Working and the Platform of the Future“, October 2020
4 Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI. DFCI is currently available for Surface Book, Surface Laptop 3, Surface Pro 7, Surface Pro 7+, and Surface Pro X. Find out more about managing Surface UEFI settings.
