a person sitting at a table using a laptop
Read Time, 7 min.

Ask yourself: Imagine that a senior employee’s laptop is stolen. It could be industrial espionage. Are the security precautions you have in place today sufficient to stop the thief from extracting valuable information or credentials from the laptop?

Digital transformation and the changing workplace are shining a light on two intersecting trends: the variety and volume of endpoint devices, and the need to secure data and systems wherever they reside. Even before the pandemic, numbers were already alarming:

  • 64% of organizations experienced one or more endpoint attacks that successfully compromised data assets and/ or IT infrastructure.1
  • 5Bn threats are detected on devices on a monthly basis.2

And according to Gartner, by 2022, 70% of organizations that do not have a firmware update plan in place are likely to be breached due to a firmware vulnerability. Advanced malware that runs before the OS boots is a real threat and can be difficult to remove.

As security becomes table stakes for digital business, IT and security teams work closely to identify threats and vulnerabilities proactively across the entire IT architecture, and devices present some of the most vulnerable entry points to bad actors. Security teams understand the need to modernize endpoint security methods, from the device firmware up to the cloud, across all phases of the device lifecycle. But where do you stand?

According to October 2020 BCG’s research “Remote Working and the Platform of the Future“3, the foundations for the new hybrid workplace lay on technology solutions like modern devices and cloud based collaboration tools, grounded on security solutions that keep endpoints, data and identities secure. However, the same research confirms that only 27% of surveyed managers fully acknowledge to have the required technology in place.

Supporting a remote or hybrid workforce is a known new challenge. How to make it easier for people to do their jobs from any location while protecting data from threats, particularly at the endpoint level, knowing that many of these still consist of legacy devices with limited security.

Devices are used by employees across a variety of mission critical scenarios – from collaborating in Office on important documents to Microsoft Teams calls with coworkers across the globe. Providing robust protection against the latest malware and ransomware is a critical priority as organizations expect that their devices and data to withstand common attacks.

How to reduce the endpoint security risks of a remote workforce?

To build a more flexible and scalable approach to protect employee devices, data, and user identities across a dispersed workforce, 3 key dimensions should be considered:

1. Managing and securing remote devices

Protecting sensitive information on endpoint devices has typically involved a lot of manual configuration. These tasks become more impractical with a workforce dispersed among many different locations.

Many organizations are opting, therefore, to move to cloud-based solutions that combine device protection, information protection, and identity protection. Cloud-based mobile device management (MDM) eliminates bottlenecks and ensures that the software and operating systems on your devices are always up to date.

Endpoint security begins with the design of the device and continues throughout the entire device lifecycle, from deployment to end of life. An optimal security strategy enables administrators to control even the lowest level of hardware settings without having to touch the machine.

2. Protecting company information

Protecting your company’s information from loss, theft, and misuse becomes more critical—and more complex—with a dispersed workforce.

For many organizations, the best way to remain compliant with data privacy and other regulations is with a cloud-based solution that can help you classify and protect information regardless of where it’s stored or who it’s shared with. A modern information protection solution can automatically discover information as it appears, apply custom controls based on how it is classified, and apply policy-based actions to sensitive information.

Alongside a cloud solution for information protection, the devices you choose also play a big part in protecting sensitive data.

For example, modern biometric login solutions offer better protection than passwords, by using fingerprint and facial recognition. Plus, some devices offer instant and built-in data encryption, without the need for additional configuration by IT, so information on the hard drive can’t be accessed if the device is lost or stolen.

3. Securing identities

Many businesses have adopted a single sign-on (SSO) solution that lets users access multiple applications with just one credential. Consolidating logins to a single set of credentials improves security by reducing the attack surface (the more passwords used, the greater the opportunity for attackers to exploit weak passwords).

However, as the popularity of cloud applications grows, relying solely on an on-site SSO is no longer enough. Creating a direct connection each time between your SSO solution and every single cloud application, for every single user, is far too complex to manage. A simpler approach is to use a cloud solution for identity management.

Single-point identity confirmation is no longer enough either. Multi-factor authentication is more secure—and it needn’t be a burden for the organization or its users.

In addition to the convenience that SSO brings to how people work, there are new hardware technologies that help drive identity-based security. For example, Surface devices are configured out of the box with “containers” that isolate apps from other processes to protect them from misuse.

Choosing hardware that supports these new methods—in combination with cloud-based identity management—will help you build a strong defense against today’s growing threats. For instance, devices are increasingly available with fingerprint or retina-scan authentication in addition to traditional passcodes, as well as out-of-the-box software that isolates and hardens key system and user secrets against compromise.

The simple choice for device security with Surface for Business

a man taking a selfie

Endpoint security has always been at the core of Surface devices. Our engineering team has been using a unified approach to firmware protection and device security since 2015 through complete end-to-end ownership of hardware design, in-house firmware development, and a holistic approach to device updates and management.

Our Unified Extensible Firmware Interface (UEFI) is written in-house, continuously maintained through Windows Update, and fully managed through the cloud by Microsoft Endpoint Manager. This level of control enables enterprises to minimize risk and maximize control at the firmware level before the device even starts Windows 10. Additionally, Surface is the only manufacturer to have Device Firmware Configuration Interface (DFCI)4 enabled for cloud-scale remote firmware management with zero-touch device provisioning.  IT organizations have the ability through the cloud to disable a camera or disable the ability to boot from USB all at the pre-boot firmware level. The result is a reduced attack vector that is critical to endpoint protection.

Furthermore, to protect the firmware and initial boot of the device, Surface enables Secure Boot to ensure an authentic version of Windows 10 is started and make certain the firmware is as genuine as it was when it left the factory. Surface also ensures that each commercial device includes a security processor (TPM 2.0) to provide advanced encryption capabilities such as BitLocker, to secure and encrypt your data, and Windows Hello, to enable password less sign-in. Each of these built-in security options helps protect your device from malicious software attacks. DMA Protection, enabled by default in newer Surface devices, mitigates potential security vulnerabilities associated with using removable SSDs or external storage devices.

Surface has also worked diligently across multiple hardware platforms to enable VBS (Virtualization-Based Security) and HVCI (Hypervisor Code Integrity) by default on capable new Surface models. VBS and HVCI create and isolate a region of memory from the normal operating system using hardware virtualization capabilities. This security capability can stop most escalation of privilege attacks.

In an age of rising security threats, businesses need protection across multiple layers. From chip to cloud, Surface considers the most secure device capabilities available and continues to innovate to meet the evolving needs. With built-in protection at every layer, Surface is the best, most streamlined implementation of Microsoft’s security stack.

Learn more about security on Surface here and familiarize yourself with Eneco’s story – a leading energy supplier in the Netherlands – that chose Surface for Business devices to create a more sustainable and secure workplace.

 


1 Source: Ponemon Institute, “The 2018 State of Endpoint Security Risk,” October 2018
2 Source: Microsoft Security Blog, “The evolution of Microsoft Threat Protection, June update,” June 2019
3 BCG “Remote Working and the Platform of the Future“, October 2020
4 Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI. DFCI is currently available for Surface Book, Surface Laptop 3, Surface Pro 7, Surface Pro 7+, and Surface Pro X. Find out more about managing Surface UEFI settings.

Protect your business with Microsoft security and Surface

Discover How IT and business leaders facilitate safety, trust, and collaboration in our modern workforce

Discover more related articles per industry:

Education

  • a person sitting at a table using a laptop computer

    Reimagining education: From remote to hybrid learning

    The COVID-19 pandemic has generated a torrent of individual and small-group responses as to how education could be transformed. We have found a groundswell of interest in the question, “How best to take advantage of the new opportunities arising from the disruption?” What people desperately need are opportunities to team up and find pathways of […]

  • a young boy using a laptop computer

    Escolaglobal: a digital-first school for blended classroom and remote learning

    “This weekend, our preschool teachers created another video for the students – just saying hi and checking everyone was ok at home. Each teacher has their own Microsoft Stream channel, and the feedback from the kids and parents is amazing: “Hi, teacher! How are you? I remember you so well!” Nuno Moutinho, CEO of Portuguese […]

Government

Healthcare

  • Two female nurses having a virtual conversation through Microsoft Teams

    Belfast Trust: Reimagining patient care

    “There have been many heroic actions by our staff but we’re not heroes for what we’ve done – I’m just glad we could do our bit to help.” Paul Duffy, Co-Director of IT and Telecommunications at Belfast Trust, is talking about the monumental impact COVID-19 has had on the healthcare sector and how virtual consultations […]

  • a woman standing in front of a screen

    Istituto Neurologico Carlo Besta: providing essential patient care from a distance

    “Telehealth was a technology we’d been planning to implement for a couple of years. But then almost overnight everything changed – it became a must-have platform the hospital needed today.” Francesca De Giorgi, CIO of Italian research hospital IRCCS Carlo Besta, reflects on the recent challenges her team faced when social distancing measures imposed by […]

Manufacturing

  • a woman smiling for the camera

    Etex Group: Future-proofing employees to work anywhere across the world

    When COVID-19 spread across Europe in early 2020, businesses entered a new digitally-dependent age. Social distancing measures had asked offices of all shapes and sizes to close their doors, sparking organizations to quickly find other virtual ways for colleagues to meet and collaborate remotely. But for Belgium building material specialist Etex, this was a step they were ready for – having already implemented a cloud-based infrastructure and collaboration tools […]

  • Mais on a sunny day

    COFCO International: How cloud technologies ensured business continuity during challenging times

    “I have worked at COFCO for 12 years, always in an office. But I have spent the last 63 days working from home.” Marcus Seelbach, Chief HR Officer at global agribusiness COFCO International, is talking from his home via video call about the transition he and all his colleagues have undergone since COVID-19 led to the closure of the company’s offices worldwide. “But thanks to the preparation and […]

Retail

Discover more related articles per dossier:

Customer Stories

Digital Transformation

  • NorthWest Clinics building

    Northwest Clinics: A new era in virtual healthcare

    “I am generally quite modest – I don’t like to brag about my achievements too much. But in this case, I want to make an exception. I want to tell the world what we have done.” For Ed de Myttenaere, CIO at Northwest Clinics hospital (Noordwest Ziekenhuisgroep) in the Netherlands, breaking with tradition is becoming increasingly normal. In responding to the COVID-19 outbreak, his team have implemented a virtual consultation solution that has the potential to redefine […]

Security & Privacy

Tips

  • a person sitting at a desk in front of a laptop computer

    Top tips for smarter remote working with Microsoft Teams

    With remote working becoming the new normal for many, people are having to find different ways of effectively functioning as a team. Microsoft Teams is designed to keep colleagues productively connected and ensure that everybody can continue to work as collaboratively, efficiently and securely as in the office. So, whether you already use it or […]