I was told there would be no Math!!!

Calculating the final frontier of risk to the enterprise

 Companies that were once staunch advocates of in-person work have been forced to adapt to remote and hybrid work models. While this has allowed for greater flexibility and productivity, it has also brought new risks that many companies have yet to fully comprehend. One of these risks is the rise of the digital nomad, and the impact they can have on enterprise security.

Digital nomads are individuals who use technology to work remotely from anywhere in the world.  They are not tied to a physical office or location and can work from a coffee shop in Paris one day and a beach in Bali the next. While this lifestyle has its advantages, it also presents a significant challenge for companies that rely on secure networks and require absolute data protection. Digital nomads and remote workers represent one of the final frontiers of risk to the enterprise, and it is crucial that companies understand and manage this risk effectively.

They say that the way we tame nature is by measurement. Logic would follow that we start measuring the various elements that might concern us about our remote users. Now, for each use case, user, location, time of year, as well as individual tactical and strategic goals there could be different things that we want to track, correlate, organize, and measure. However, having one indication or SCORE that denotes risk in nearly real time would be priceless.

Risk = Probability x Impact

We want to introduce the notion of tensors into the conversation around remote user risk management. 

"Tensors are simply multi-dimensional arrays of numbers that can be used to represent complex relationships between different quantities."

At the heart of risk management is an interest in using relevant & current data to make decisions. These decisions are usually made with imperfect or incomplete information, where things we deem "acceptable" or unforeseen, or too difficult to obtain are often be ignored. We would all tend to agree that better data helps make better decisions.

We have written before on the four primary "tensors" of measuring end user computing risk: prevalence, possibility of being a target, probability of the risk being successful, and the damage caused by a successful element of risk.

Each of these tensor domains has a range of comprising "scalar" elements that can be used to measure and manage risk (often binary). Additionally, there are "vectors" of information which add depth, clarity, and richness to our data and observations.  We then have matrix's that form of combined vectors. The matrix's form the tensor - or better said - a simple mathematical representation of a lot of changing data. For hybrid and remote workers alike, we feel that as many of the complexities that can be collected, organized, and quantified need to be considered in any analysis.

Prevalence of risk: Digital nomads are increasingly common in today's workforce. They are not limited by geography or time zones and can work from anywhere at any time. This means that the prevalence of risk is higher, as there are more potential entry points into a company's network.

• Frequency of the risk occurring over time
• Duration of the risk continuing over time (includes dwell time)
• Number of users or systems affected by the risk
• Geographic distribution of the risk across the organization /globe

Possibility of being a target: Digital nomads are often high-value targets for cyber criminals. They typically can have access to sensitive data and are often connected to the company's network from unsecured public Wi-Fi networks. This makes them an attractive target for attackers who are looking to exploit vulnerabilities in the company's network, systems, or defenses.

• User or system attributes that make them more likely to be targeted (e.g. high-value targets, access to sensitive data)
• Lack of antivirus / antimalware / encryption / Multi Factor Authentication
• Password Strength
• Browsing History
• Historical evidence of targeting (e.g. previous attacks or incidents)

Probability of the risk being successful: The probability of a successful attack or breach is higher when dealing with digital nomads. They often work from unsecured networks and are more likely to fall victim to phishing scams or other social engineering tactics. Training, software, policies, and hardware can all help.  This means that the risk of a successful attack or breach is higher when dealing with distributed team members. 

• Technical sophistication required to exploit the risk
• Access to needed system resources to breach
• Availability and effectiveness of mitigation controls
  • Prevention / Counter Measures
• Historical evidence of successful attacks or incidents
• Occurrence in / across other users in the organization

Damage caused by successful risk: If a remote or hybrid worker is successfully targeted, the damage to the company can be significant, not just in legal fees and lost productivity.  The adversaries may have access to sensitive or competitive data, records, or critical systems, which can be compromised in an attack. The damage caused by a successful breach or attack can be both financial and reputational, with potential legal or regulatory consequences, and given it's scale, even more lasting impact on shareholder value, or at worst, catastrophic.

• Financial impact on the organization (e.g. lost revenue, cost of remediation)
  • Patents, Financials, Health/Personnel Records
• Reputational damage to the organization or individual users affected
  • Sales / Trust / Renewals / Access to Markets
• Legal or regulatory consequences of a successful attack or incident
  • PCI/HIPPA/SEC/Homeland Security

Managing risk in a world of hybrid work requires a holistic approach that takes into account the unique challenges presented by this workforce and these adversaries. It's not enough to rely on point solutions that only focus on one of the primary tensors of risk. Computers are parts of systems - and to the extent possible we need to follow the wire and measure every part of that impacts that system. Companies need to take a comprehensive view of risk and develop strategies that address all aspects of the risk landscape, and the ability collect information about it.

This means investing in technologies and solutions that can help to secure remote workers, such as virtual private networks (VPNs) and multifactor authentication. It also means providing training and education to digital nomads on best practices for securing their devices and networks. Additionally, companies may need to reassess their policies and procedures around remote work, to ensure that they are able to manage risk effectively.  In some cases, it may even make sense to mandate a Return to Office policy.

The rise of hybrid work represents a significant new risk domain to the enterprise. However, by understanding the primary tensors of risk and the unique challenges presented by remote workers, companies can take steps to manage this risk effectively. It's time to embrace the math and use the tools and techniques available to us to quantify and manage risk in real time.

Fortunately, companies like Remotely Inc. are endeavoring to collect, organize, analyze, and quantify as many of the risk metrics and elements of end user computing as possible. From the cloud to the edge - if we had a complete manifest of weaknesses, vulnerabilities, applications, settings, policies, hardware, and user behavior (and more) we would be well on our way to better understanding our risk exposure.  However, that is a LOT of data, and a LOT of math.

We do your homework for you and use those measurements and our patent-pending Security Risk Index (SRI™) algorithm to deliver a veritable "risk credit score" for each and every user on the network, no matter where they are, updated in near real-time. This kind of real-time risk assessment can provide companies with the information they need to stay one step ahead of potential threats and ensure that their remote workers are operating in a secure and safe environment.

Better Data = Better Decisions

As we have all come to learn, behind every credit score - there is a credit report - the details that support the calculations.  We think of risk management and mitigation operate the same way. You cannot manage what you cannot measure - so having a holistic platform that collects, organizes, and quantifies your risk to help in decision support is highly valuable. 

Risk management is a process and with no signs of adversaries and challenges letting up, our mission is to optimize and engage the people, products, and process's to ensure safe, secure, and supported team members - no matter where or how they work.

#ShieldsUp

J.Tyler T.Rex Rohrer

March 2023