a person sitting at a table using a laptop
Read Time, 7 min.

Ask yourself: Imagine that a senior employee’s laptop is stolen. It could be industrial espionage. Are the security precautions you have in place today sufficient to stop the thief from extracting valuable information or credentials from the laptop?

Digital transformation and the changing workplace are shining a light on two intersecting trends: the variety and volume of endpoint devices, and the need to secure data and systems wherever they reside. Even before the pandemic, numbers were already alarming:

  • 64% of organizations experienced one or more endpoint attacks that successfully compromised data assets and/ or IT infrastructure.1
  • 5Bn threats are detected on devices on a monthly basis.2

And according to Gartner, by 2022, 70% of organizations that do not have a firmware update plan in place are likely to be breached due to a firmware vulnerability. Advanced malware that runs before the OS boots is a real threat and can be difficult to remove.

As security becomes table stakes for digital business, IT and security teams work closely to identify threats and vulnerabilities proactively across the entire IT architecture, and devices present some of the most vulnerable entry points to bad actors. Security teams understand the need to modernize endpoint security methods, from the device firmware up to the cloud, across all phases of the device lifecycle. But where do you stand?

According to October 2020 BCG’s research “Remote Working and the Platform of the Future“3, the foundations for the new hybrid workplace lay on technology solutions like modern devices and cloud based collaboration tools, grounded on security solutions that keep endpoints, data and identities secure. However, the same research confirms that only 27% of surveyed managers fully acknowledge to have the required technology in place.

Supporting a remote or hybrid workforce is a known new challenge. How to make it easier for people to do their jobs from any location while protecting data from threats, particularly at the endpoint level, knowing that many of these still consist of legacy devices with limited security.

Devices are used by employees across a variety of mission critical scenarios – from collaborating in Office on important documents to Microsoft Teams calls with coworkers across the globe. Providing robust protection against the latest malware and ransomware is a critical priority as organizations expect that their devices and data to withstand common attacks.

How to reduce the endpoint security risks of a remote workforce?

To build a more flexible and scalable approach to protect employee devices, data, and user identities across a dispersed workforce, 3 key dimensions should be considered:

1. Managing and securing remote devices

Protecting sensitive information on endpoint devices has typically involved a lot of manual configuration. These tasks become more impractical with a workforce dispersed among many different locations.

Many organizations are opting, therefore, to move to cloud-based solutions that combine device protection, information protection, and identity protection. Cloud-based mobile device management (MDM) eliminates bottlenecks and ensures that the software and operating systems on your devices are always up to date.

Endpoint security begins with the design of the device and continues throughout the entire device lifecycle, from deployment to end of life. An optimal security strategy enables administrators to control even the lowest level of hardware settings without having to touch the machine.

2. Protecting company information

Protecting your company’s information from loss, theft, and misuse becomes more critical—and more complex—with a dispersed workforce.

For many organizations, the best way to remain compliant with data privacy and other regulations is with a cloud-based solution that can help you classify and protect information regardless of where it’s stored or who it’s shared with. A modern information protection solution can automatically discover information as it appears, apply custom controls based on how it is classified, and apply policy-based actions to sensitive information.

Alongside a cloud solution for information protection, the devices you choose also play a big part in protecting sensitive data.

For example, modern biometric login solutions offer better protection than passwords, by using fingerprint and facial recognition. Plus, some devices offer instant and built-in data encryption, without the need for additional configuration by IT, so information on the hard drive can’t be accessed if the device is lost or stolen.

3. Securing identities

Many businesses have adopted a single sign-on (SSO) solution that lets users access multiple applications with just one credential. Consolidating logins to a single set of credentials improves security by reducing the attack surface (the more passwords used, the greater the opportunity for attackers to exploit weak passwords).

However, as the popularity of cloud applications grows, relying solely on an on-site SSO is no longer enough. Creating a direct connection each time between your SSO solution and every single cloud application, for every single user, is far too complex to manage. A simpler approach is to use a cloud solution for identity management.

Single-point identity confirmation is no longer enough either. Multi-factor authentication is more secure—and it needn’t be a burden for the organization or its users.

In addition to the convenience that SSO brings to how people work, there are new hardware technologies that help drive identity-based security. For example, Surface devices are configured out of the box with “containers” that isolate apps from other processes to protect them from misuse.

Choosing hardware that supports these new methods—in combination with cloud-based identity management—will help you build a strong defense against today’s growing threats. For instance, devices are increasingly available with fingerprint or retina-scan authentication in addition to traditional passcodes, as well as out-of-the-box software that isolates and hardens key system and user secrets against compromise.

The simple choice for device security with Surface for Business

a man taking a selfie

Endpoint security has always been at the core of Surface devices. Our engineering team has been using a unified approach to firmware protection and device security since 2015 through complete end-to-end ownership of hardware design, in-house firmware development, and a holistic approach to device updates and management.

Our Unified Extensible Firmware Interface (UEFI) is written in-house, continuously maintained through Windows Update, and fully managed through the cloud by Microsoft Endpoint Manager. This level of control enables enterprises to minimize risk and maximize control at the firmware level before the device even starts Windows 10. Additionally, Surface is the only manufacturer to have Device Firmware Configuration Interface (DFCI)4 enabled for cloud-scale remote firmware management with zero-touch device provisioning.  IT organizations have the ability through the cloud to disable a camera or disable the ability to boot from USB all at the pre-boot firmware level. The result is a reduced attack vector that is critical to endpoint protection.

Furthermore, to protect the firmware and initial boot of the device, Surface enables Secure Boot to ensure an authentic version of Windows 10 is started and make certain the firmware is as genuine as it was when it left the factory. Surface also ensures that each commercial device includes a security processor (TPM 2.0) to provide advanced encryption capabilities such as BitLocker, to secure and encrypt your data, and Windows Hello, to enable password less sign-in. Each of these built-in security options helps protect your device from malicious software attacks. DMA Protection, enabled by default in newer Surface devices, mitigates potential security vulnerabilities associated with using removable SSDs or external storage devices.

Surface has also worked diligently across multiple hardware platforms to enable VBS (Virtualization-Based Security) and HVCI (Hypervisor Code Integrity) by default on capable new Surface models. VBS and HVCI create and isolate a region of memory from the normal operating system using hardware virtualization capabilities. This security capability can stop most escalation of privilege attacks.

In an age of rising security threats, businesses need protection across multiple layers. From chip to cloud, Surface considers the most secure device capabilities available and continues to innovate to meet the evolving needs. With built-in protection at every layer, Surface is the best, most streamlined implementation of Microsoft’s security stack.

Learn more about security on Surface here and familiarize yourself with Eneco’s story – a leading energy supplier in the Netherlands – that chose Surface for Business devices to create a more sustainable and secure workplace.

 


1 Source: Ponemon Institute, “The 2018 State of Endpoint Security Risk,” October 2018
2 Source: Microsoft Security Blog, “The evolution of Microsoft Threat Protection, June update,” June 2019
3 BCG “Remote Working and the Platform of the Future“, October 2020
4 Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI. DFCI is currently available for Surface Book, Surface Laptop 3, Surface Pro 7, Surface Pro 7+, and Surface Pro X. Find out more about managing Surface UEFI settings.

Protect your business with Microsoft security and Surface

Discover How IT and business leaders facilitate safety, trust, and collaboration in our modern workforce

Education

  • a woman sitting at a table using a laptop

    VSNU: coordinating a nationwide university digital transformation in one weekend

    “A lesson for us during this crisis, has been that new technology doesn’t just change how you work – it also changes people and culture, which is something you have to support everyone through.” Director of Accountability at The Association of Universities in the Netherlands (VSNU), Reinout Van Brakel, is talking about the instrumental role […]

  • a woman using a laptop

    Make remote learning work better for everyone. Find out how.

    Since the COVID-19 outbreak first hit China, our education customers in the country have done amazing things to keep students engaged while they transition to remote learning. From eLearning innovations, to keeping students’ spirits high with photo and cooking challenges – teachers and students have shown extraordinary resilience during this difficult time. Now, as the […]

Government

  • Ineco

    Ineco improves employee productivity with modern tools and AI

    Struggling with software doesn’t help people get more done. Likewise, if sharing files and collaborating on documents is difficult, productivity takes a hit. Ineco, a Spanish public sector company, understands this, which is why it set out to change the way employees interact with technology and one another. By deploying Microsoft 365 to its over […]

  • a man and two women standing in front of a brick building

    Ajuntament de Lleida: transforming the public sector with a modern, virtual workplace

    “At Ajuntament de Lleida, we think differently. We embrace new technology. And when we see that it could add real value to the work we do, we find a way to make it happen.” Carles GinéSabaté, Systems Implementation Planning Manager at Ajuntament de Lleida, is reflecting on his organization’s open-armed approach to digital transformation and […]

Healthcare

  • Two female nurses having a virtual conversation through Microsoft Teams

    Belfast Trust: Reimagining patient care

    “There have been many heroic actions by our staff but we’re not heroes for what we’ve done – I’m just glad we could do our bit to help.” Paul Duffy, Co-Director of IT and Telecommunications at Belfast Trust, is talking about the monumental impact COVID-19 has had on the healthcare sector and how virtual consultations […]

  • a person sitting in front of a laptop computer

    The ‘Big Bang’ approach to digital transformation – and how to make it work

    These days there’s no such thing as ‘business as usual’. Change and disruption are the new normal. Just think of the changes affecting your organization right now, with new technology and techniques driving new attitudes and expectations from employees and customers alike. Everything is changing. And the one thing all those changes have in common […]

Manufacturing

  • Mais on a sunny day

    COFCO International: How cloud technologies ensured business continuity during challenging times

    “I have worked at COFCO for 12 years, always in an office. But I have spent the last 63 days working from home.” Marcus Seelbach, Chief HR Officer at global agribusiness COFCO International, is talking from his home via video call about the transition he and all his colleagues have undergone since COVID-19 led to the closure of the company’s offices worldwide. “But thanks to the preparation and […]

  • Etex

    Etex uses modern tools to unite its business and better focus on customers

    When it comes to construction, all components must come together in a timely manner in order to produce the optimum product. While Etex, a Belgian building solution manufacturing company, helps make this a reality on a day-to-day basis, it wanted to find a way to enhance productivity and collaboration internally. With locations across more than […]

Retail