76% of enterprises increased their use of endpoint devices since the beginning of the COVID-19 pandemic, supporting their remote, work-from-home (WFH) and hybrid workforces globally.
66% of enterprises believe securing their networks and infrastructure requires a more focused, proactive approach to endpoint resilience that doesn’t leave endpoint security to chance.
Cybersecurity leader’s top challenges today are maintaining compliance, enforcing security standards, and understanding the health of security controls on each endpoint.
Just 38% of IT leaders can track the ROI of their cybersecurity investments, accentuating the need for more resilient, persistent endpoints that provide greater visibility and control.
These and many other fascinating insights are from Forrester Consulting’s latest study on endpoint security, Take Proactive Approach To Endpoint Security, completed in collaboration with Absolute Software. The study is noteworthy for its impartial, accurate view of the current state of endpoint security and the challenges IT teams face in creating greater endpoint resilience. The study’s methodology is based on 157 interviews with IT and security professionals located in the U.S. and Canada who are decision-makers in endpoint protection, with interviews completed in November and December 2020.
Key insights from the study include the following:
Security leaders are reprioritizing endpoint automation efforts with a strong focus on sensitive or at-risk data. In 2021 automation efforts will focus on sensitive or at-risk data (60%), geolocation (52%), security control health (48%), web-based application usage (36%), patch management (35%), and hardware inventory (32%). Each of these technologies is integral to supporting remote workers. There’s also a significant shift from how automation strategies were prioritized before the pandemic, as the graphic from the study below illustrates:
Maintaining compliance, enforcing security standards, understanding security controls’ health, and measuring security investments are the top challenges to managing endpoint security today. The majority of enterprises, 59%, cannot maintain or prove compliance of endpoints at any given time. Lack of compliance drags down the efficiency of endpoint security efforts, making an entire network more vulnerable. Just over half of enterprises can’t enforce security standards across endpoints or don’t know today’s health. The most surprising finding of the study: 62% of enterprises cannot measure the ROI of their security investments – with half (31%) – strongly disagreeing with how measurable security ROI spend is.
Enterprises see four key areas where endpoint management could improve today. Forrester asked enterprise IT and security leaders which capabilities need to be added to endpoint management systems to make them more effective. The executives first focused on securing sensitive and at-risk data, a sure sign enterprises are moving to a more data-centric cybersecurity model in the future. That’s good news as cyber attackers want to penetrate software supply chains and take control of systems managing data assets. Managing devices remotely at scale is second, which is also a frequent challenge IT and security teams encounter when attempting to patch endpoints. Having an unbreakable digital tether to devices is solving the scale issue while also providing greater endpoint resiliency, visibility, and control.
The pandemic forced every business to become more innovative in supporting work-from-home and hybrid work environments, improving endpoint security an immediate priority. What’s needed is an unbreakable digital tether to all devices, capable of delivering complete visibility and control, enabling real-time insights into the state of those devices, and allowing them to repair security controls and productivity tools autonomously. Of the many solutions available for securing endpoints today, the ones that take a firmware-embedded approach to secure endpoints are proving the most reliable. The more integrated an endpoint is to firmware, the more likely self-healing agents will be reliable while also providing complete visibility across every device on or off the network. Absolute’s firmware-embedded approach is noteworthy in its track record of securing endpoints during the pandemic.
Bottom Line: Today’s largely-distributed enterprises need to make sure they are putting endpoint security first in 2021– which includes closely managing every stage of the device lifecycle, from deployment to decommission, and ensuring all sensitive data remains protected.
There’s a looming paradox facing nearly every organization today of how they’ll secure thousands of remote endpoints without having physical access to devices, and without disrupting worker productivity. Whether there’s the need to retire hardware as part of down-sizing or cost-cutting measures, or the need to equip virtual teams with newer equipment more suitable for long term work-from-home scenarios, this is one of the most pressing issues facing CISOs and CIOs today.
Wanting to learn more about how their customers are tackling their endpoint security challenges and how their companies are helping to solve it, I sat down (virtually) with Absolute Software’s President and CEO Christy Wyatt and Matthew Zielinski, President of North America Intelligent Devices Group at Lenovo. The following is my interview with both of them:
Louis Columbus:Christy and Matt, thanks so much for your time today. To get started, I would like each of you to share what you’re hearing from your customers regarding their plans to refresh laptops and other endpoint devices in 2021.
Christy Wyatt: We’re seeing a strong desire from organizations to ensure that every individual is digitally enabled, and has access to a screen. In some cases, that means refreshing the hardware they already have in the field, and in other cases, that means buying or adding devices. From the endpoint security standpoint, there’s been a shift in focus around which tools matter the most. When laptops were primarily being used on campus, there was a certain set of solutions to monitor those devices and ensure they remained secure. Now that 90% of devices are out of the building, an entirely different set of capabilities is required – and delivering those has been our focus.
Matt Zielinski: We are seeing historic levels of demand from consumers, as many are transitioning from having maybe one or two devices per household to at least one device per person. We’re also seeing the same levels of demand on both the education and enterprise side. The new dynamic of work-from-anywhere, learn-from-anywhere, collaborate-from-anywhere underscores that the device hardware and software need to be current in order to support both the productivity and security needs of hugely distributed workforces. That’s our highest priority.
Louis: Where are CISOs in their understanding, evaluation, and adoption of endpoint security technologies?
Christy: The journey has been different for the education market than for the enterprise market. Most enterprise organizations were already on the digital path, with some percentage of their population already working remotely. And because of this, they typically have a more complex security stack to manage; our data shows that the total number of unique applications and versions installed on enterprise devices is nearly 1.5 million. What they’ve seen is a trifecta of vulnerabilities: employees taking data home with them, accessing it on unsecured connections, and not being aware of how their devices are protected beyond the WiFi connection and the network traffic.
In the education space, the challenges – and the amount of complexity – are completely different; they’re managing just a small fraction of that total number of apps and versions. That said, as the pandemic unfolded, education was hit harder because they were not yet at a point where every individual was digitally connected. There was a lot of reliance on being on campus, or being in a classroom. So, schools had to tackle digital and mobile transformation at the same time – and to their credit, they made multiple years of progress in a matter of weeks or months. This rapid rate of change will have a profound effect on how schools approach technology deployments going forward.
Matt: Whether in enterprise or education, our customers are looking to protect three things: their assets, their data, and their users’ productivity. It’s a daunting mission. But, the simplest way to accomplish it is to recognize the main control point has changed. It’s no longer the server sitting behind the firewall of your company’s or school’s IT environment. The vulnerability of the endpoint is that the network is now in the user’s hands; the edge is now the primary attack surface. I think CISOs realize this, and they are asking the right questions… I just don’t know if everyone understands the magnitude or the scale of the challenge. Because the problem is so critical, though, people are taking the time to make the right decisions and identify all the various components needed to be successful.
Louis: It seems like completing a laptop refresh during the conditions of a pandemic could be especially challenging, given how entire IT teams are remote. What do you anticipate will be the most challenging aspects of completing a hardware refresh this year (2021)?
Matt: The PC has always been a critical device for productivity. But now, without access to that technology, you are completely paralyzed; you can’t collaborate, you can’t engage, you can’t connect. Lenovo has always been focused on pushing intelligent transformation as far as possible to get the best devices into the hands of our customers. Beyond designing and building the device, we have the ability to distribute asset tags and to provide a 24/7 help desk for our customers whether you’re a consumer, a school, or a large institution. We can also decommission those devices at the end, so we’re able to support the entire journey or lifecycle.
The question has really become, how do you deliver secure devices to the masses? And, we’re fully equipped to do that. For example, every Lenovo X1 Carbon laptop comes out of the box with Lenovo Security Assurance, which is actually powered by Absolute; it is in our hardware. Our customers can open a Lenovo PC, and know that it is completely secure, right out of the box. Every one of our laptops is fortified with Absolute’s Persistence technology and self-healing capabilities that live in the BIOS. It’s that unbreakable, secure connection that makes it possible for us to serve our customers throughout the entire lifecycle of device ownership.
Louis:Why are the legacy approaches to decommissioning assets falling short / failing today? How would you redesign IT asset-decommissioning approaches to make them more automated, less dependent on centralized IT teams?
Christy: There have been a few very visible cases over the past year of highly regulated organizations, experiencing vulnerabilities because of how they decommissioned – or did not properly decommission – their assets. But, I don’t want anyone to believe that that this is a problem that is unique to regulated industries, like financial services. The move to the cloud has given many organizations a false sense of security, and it seems that the more data running in the cloud, the more pronounced this false sense of security becomes. It’s a mistaken assumption to think that when hardware goes missing, the security problem is solved by shutting down password access and that all the data is protected because it is stored in the cloud. That’s just not true. When devices aren’t calling in anymore, it’s a major vulnerability – and the longer the device sits without being properly wiped or decommissioned, the greater the opportunity for bad actors to take advantage of those assets.
The other piece that should be top of mind is that once a device is decommissioned, it’s often sold. We want to ensure that nothing on that device gets passed on to the next owner, especially if it’s going to a service or leasing program. So, we’ve concentrated on making asset decommissioning as precise as possible and something that can be done at scale, anytime and anywhere.
Matt: Historically, reclaiming and decommissioning devices has required physical interaction. The pandemic has limited face-to-face encounters, so , we’re leveraging many different software solutions to give our customers the ability to wipe the device clean if they aren’t able to get the asset back in their possession, so that at least they know it is secure. Since we’re all now distributed, we’re looking at several different solutions that will help with decommissioning, several of which are promising and scale well given today’s constraints. Our goal is to provide our enterprise customers with decommissioning flexibility, from ten units to several thousand.
Louis:Paradoxically, having everyone remote has made the business case for improving endpoint security more compelling too. What do you hear from enterprises about accelerating digital transformation initiatives that include the latest-generation endpoint devices?
Christy: The same acceleration that I spoke about on the education side, we absolutely see on the enterprise side as well, and with rapid transformation comes increased complexity. There has been a lot of conversation about moving to Zero Trust, moving more services to the cloud and putting more controls on the endpoint – and not having these sort of layers in between. Our data tells us that the average enterprise device today has 96 unique applications, and at least 10 of them are security applications. That is a massive amount of complexity to manage. So, we don’t believe that adding more controls to the endpoint is the answer; we believe that what’s most important is knowing the security controls you have are actually working. And we need to help devices and applications become more intelligent, self-aware, and capable of fixing themselves. This concept of resiliency is the cornerstone of effective endpoint security, and a critical part of the shift to a more modern security architecture.
Matt: I think there are two major forcing functions: connection and security. Because we are all now remote, there’s a huge desire to feel connected to one another even though we aren’t sitting in the same room together. We’re modifying our products in real-time with the goal of removing shared pain points and optimizing for the new reality in which we’re all living and working. Things like microphone noise suppression and multiple far field microphones, so that if the dog barks or kids run into a room, the system will mute before you’ve even pressed the mute button. We’re improving camera technology from a processing standpoint to make things look better. Ultimately, our goal is to provide an immersive and connected experience.
Security, however, transcends specific features that deliver customer experiences – security is the experience. The features that make hardware more secure are those that lie beneath the operating system, in the firmware. That is why we have such a deep network of partners, including Absolute. Because you need to have a full ecosystem, and a program that takes advantage of all the best capabilities, in order to deliver the best security solution possible.
Louis:How is Absolute helping enterprise customers ensure greater endpoint security and resiliency in 2021 and beyond?
Christy: We spend a lot of time sitting with customers to understand their needs and how and where we can extend our endpoint security solutions to fit. We believe in taking a layered approach – which is the framework for defense in-depth, and an effective endpoint security strategy. The foundational piece, which we are able to deliver, is a permanent digital tether to every device; this is the lifeline. Not having an undeletable connection to every endpoint means you have a very large security gap, which must be closed fast. A layered, persistence-driven approach ensures our customers know their security controls are actually working and delivering business value. It enables our customers to pinpoint where a vulnerability is and take quick action to mitigate it.
Lenovo’s unique, high value-add approach to integrated security has both helped drive innovation at Absolute, while also providing Lenovo customers the strongest endpoint security possible. Their multilayer approach to their endpoint strategy capitalizes on Absolute’s many BIOS-level strengths to help their customers secure every endpoint they have. As our companies work together, we are both benefitting from a collaboration that seeks to strengthen and enrich all layers of endpoint security. Best of all, our shared customers are the benefactors of this collaboration and the results we are driving at the forefront of endpoint security.
Louis:How has the heightened focus on enterprise cybersecurity in general, and endpoint security specifically, influenced Lenovo’s product strategy in 2021 and beyond?
Matt: We have always been focused on our unique cybersecurity strengths from the device side and making sure we have all of the control points in manufacturing to ensure we build a secure platform. So, we’ve had to be open-minded about endpoint security, and diligent in envisioning how potential vulnerabilities and attack strategies can be thwarted before they impact our customers. Because of this mindset, we’re fortunate to have a very active partner community. We’re always scouring the earth for the next hot cybersecurity technology and potential partner with unique capabilities and the ability to scale with our model. This is a key reason we’ve standardized on Absolute for endpoint security, as it can accommodate a wide breadth of deployment scenarios. It’s a constant and very iterative process with a team of very smart people constantly looking at how we can excel at cybersecurity. It is this strategy that is driving us to fortify our Lenovo Security Assurance architecture over the long-term, while also seeking new ways of providing insights from existing and potentially new security applications.
Louis:What advice are you giving CISOs to strengthen endpoint security in 2021 and beyond?
Christy: One of our advisors is the former Global Head of Information Security at Citi Group, and former CISO of JP Morgan and Deutsche Bank. He talks a lot about his shared experiences of enabling business operations, while defending organizations from ever-evolving threats, and the question that more IT and security leaders need to be asking – which is, “Is it working?” Included in his expert opinion is that cybersecurity needs to be integral to business strategy – and endpoint security is essential for creating a broader secure ecosystem that can adapt as a company’s needs change.
I believe there needs to be more boardroom-level conversations around how compliance frameworks can be best used to achieve a balance between cybersecurity and business operations. A big part of that is identifying resiliency as a critical KPI for measuring the strength of endpoint controls.
Bottom Line: Absolute’s 2020 Endpoint Resilience Report illustrates why the purpose of any cybersecurity program needs to be attaining a balance between protecting an organization and the need to keep the business running, starting with secured endpoints.
Enterprises who’ve taken a blank-check approach in the past to spending on cybersecurity are facing the stark reality that all that spending may have made them more vulnerable to attacks. While cybersecurity spending grew at a Compound Annual Growth Rate (CAGR) of 12% in 2018, Gartner’s latest projections are predicting a decline to only 7% CAGR through 2023. Nearly every CISO I’ve spoken with in the last three months say prioritizing cybersecurity programs by their ROI and contribution to the business is how funding gets done today.
Cybersecurity Has Always Been A Business Decision
Overcoming the paradox of keeping a business secure while fueling its growth is the essence of why cybersecurity is a business decision. Securing an entire enterprise is an unrealistic goal; balancing security and ongoing operations is. CISOs speak of this paradox often and the need to better measure the effectiveness of their decisions.
This is why the findings from Absolute’s 2020 State of Endpoint Resilience Report are so timely given the shift to more spending accountability on cybersecurity programs. The report’s methodology is based on anonymized data from enterprise-specific subsets of nearly 8.5 million Absolute-enabled devices active across 12,000+ customer organizations in North America and Europe. Please see the last page of the study for additional details regarding the methodology.
Key insights from the study include the following:
More than one of every three enterprise devices had an Endpoint Protection (EP), client management or VPN application out of compliance, further exposing entire organizations to potential threats. More than 5% of enterprise devices were missing one or more of these critical controls altogether. Endpoints, encryption, VPN and Client Management are more, not less fragile, despite millions of dollars being spent to protect them before the downturn. The following graphic illustrates how fragile endpoints are by noting average compliances rate alongside installation rates:
When cybersecurity spending isn’t being driven by a business case, endpoints become more complex, chaotic and nearly impossible to protect. Absolute’s survey reflects what happens when cybersecurity spending isn’t based on a solid business decision, often leading to multiple endpoint security agents. The survey found the typical organization has 10.2 endpoint agents on average, up from 9.8 last year. One of the most insightful series of findings in the study and well worth a read is the section on measuring Application Resilience. The study found that the resiliency of an application varies significantly based on what else it is paired with. It’s interesting to see that same-vendor pairings don’t necessarily do better or show higher average compliance rates than pairings from different vendors. The bottom line is that there’s no guarantee that any agent, whether sourced from a single vendor or even the most innovative vendors, will work seamlessly together and make an organization more secure. The following graphic explains this point:
60% of breaches can be linked to a vulnerability where a patch was available, but not applied. When there’s a compelling business case to keep all machines current, patches get distributed and installed. When there isn’t, operating system patches are, on average, 95 days late. Counting up the total number of vulnerabilities addressed on Patch Tuesday in February through May 2020 alone, it shows that the average Windows 10 enterprise device has hundreds of potential vulnerabilities without a fix applied – including four zero-day vulnerabilities. Absolute’s data shows that Post-Covid-19, the average patch age has gone down slightly, driven by the business case of supporting an entirely remote workforce.
Organizations that had defined business cases for their cybersecurity programs are able to adapt better and secure vulnerable endpoint devices, along with the sensitive data piling up on those devices, being used at home by employees. Absolute’s study showed that the amount of sensitive data – like Personal Identifiable Information (PII), Protected Health Information (PHI) and Personal Financial Information (PFI) data – identified on endpoints soared as the Covid-19 outbreak spread and devices went home to work remotely. Without autonomous endpoints that have an unbreakable digital tether to ensure the health and security of the device, the greater the chance of this kind of data being exposed, the greater the potential for damages, compliance violations and more.
Absolute’s latest study on the state of endpoints amplifies what many CISOs and their teams are doing today. They’re prioritizing cybersecurity endpoint projects on ROI, looking to quantify agent effectiveness and moving beyond the myth that greater compliance is going to get them better security. The bottom line is that increasing cybersecurity spending is not going to make any business more secure, knowing the effectiveness of cybersecurity spending will, however. Being able to capable of tracking how resilient and persistent every autonomous endpoint is in an organization makes defining the ROI of endpoint investments possible, which is what every CISO I’ve spoken with is focusing on this year.
86% of all breaches are financially motivated, where threat actors are after company financial data, intellectual property, health records, and customer identities that can be sold fast on the Dark Web.
70% of breaches are perpetrated by external actors, making endpoint security a high priority in any cybersecurity strategy.
55% of breaches originate from organized crime groups.
Attacks on Web apps accessed from endpoints were part of 43% of breaches, more than double the results from last year.
These and many other insights are from Verizon’s 2020 Data Breach Investigations Report (DBIR), downloadable here (PDF, 119 pp. free, opt-in). One of the most-read and referenced data breach reports in cybersecurity, Verizon’s DBIR, is considered the definitive source of annual cybercrime statistics. Verizon expanded the scope of the report to include 16 industries this year, also providing break-outs for Asia-Pacific (APAC); Europe, Middle East and Africa (EMEA); Latin America and the Caribbean (LAC); and North America, Canada, and Bermuda, which Verizon says is experiencing more breaches (NA).
The study’s methodology is based on an analysis of a record total of 157,525 incidents. Of those, 32,002 met Verizon’s quality standards, and 3,950 were confirmed data breaches. The report is based on an analysis of those findings. Please see Appendix A for the methodology.
Key insights include the following:
Verizon’s DBIR reflects the stark reality that organized crime-funded cybercriminals are relentless in searching out unprotected endpoints and exploiting them for financial gain, which is why autonomous endpoints are a must-have today. After reading the 2020 Verizon DBIR, it’s clear that if organizations had more autonomous endpoints, many of the most costly breaches could be averted. Autonomous endpoints that can enforce compliance, control, automatically regenerating, and patching cybersecurity software while providing control and visibility is the cornerstone of cybersecurity’s future. For endpoint security to scale across every threat surface, the new hybrid remote workplace is creating an undeletable tether to every device as a must-have for achieving enterprise scale.
The lack of diligence around Asset Management is creating new threat surfaces as organizations often don’t know the current health, configurations, or locations of their systems and devices. Asset Management is a black hole in many organizations leading to partial at best efforts to protect every threat surface they have. What’s needed is more insightful data on the health of every device. There are several dashboards available, and one of the most insightful is from Absolute, called the Remote Work and Distance Learning Insights Center. An example of the dashboard shown below:
85% of victims and subjects were in the same country, 56% were in the same state, and 35% were even in the same city based on FBI Internet Crime Complaint Center (IC3) data. Cybercriminals are very opportunistic when it comes to attacking high-profile targets in their regions of the world. Concerted efforts of cybercriminals funded by organized crime look for the weakest threat surfaces to launch an attack on, and unprotected endpoints are their favorite target. What’s needed is more of a true endpoint resilience approach that is based on a real-time, unbreakable digital tether that ensures the security of every device and the apps and data it contains.
Cloud assets were involved in about 24% of breaches this year, while on-premises assets are still 70%. Ask any CISO what the most valuable lesson they learned from the pandemic has been so far, and chances are they’ll say they didn’t move to the cloud quickly enough. Cloud platforms enable CIOs and CISOs to provide a greater scale of applications for their workforces who are entirely remote and a higher security level. Digging deeper into this, cloud-based Security Information and Event Management (SIEM) provides invaluable real-time analysis, alerts, and deterrence of potential breaches. Today it’s the exceptional rather than the rule that CISOs prefer on-premise over cloud-based SIEM and endpoint security applications. Cloud-based endpoint platforms and the apps they support are the future of cybersecurity as all organizations now are either considering or adopting cloud-based cybersecurity strategies.
Over 80% of breaches within hacking involve brute force or the use of lost or stolen credentials. One of the most valuable insights from the Verizon DBIR is how high of a priority cybercriminals are placing on stealing personal and privileged access credentials. Shutting down potential breach attempts from stolen passwords involves keeping every endpoint completely up to date on software updates, monitoring aberrant activity, and knowing if anyone is attempting to change the configuration of a system as an administrator. By having an unbreakable digital tether to every device, greater control and real-time response to breach attempts are possible.
Autonomous endpoints that can self-heal and regenerate operating systems and configurations are the future of cybersecurity, a point that can be inferred from Verizon’s DBIR this year. While CIOs are more budget-focused than ever, CISOs are focused on how to anticipate and protect their enterprises from new, emerging threats. Closing the asset management gaps while securing every endpoint is a must-have to secure any business today. There are several cybersecurity companies offering endpoint security today. Based on customer interviews I’ve done, one of the clear leaders in endpoint resilience is Absolute Software, whose persistent-firmware technology allows them to self-heal their own agent, as well as any endpoint security control and productivity tool on any protected device such as their Resilience suite of applications.