Maintaining VDI security hygiene without resistance from employees

CISOs are all too aware that maintaining 100% uptime is essential for productivity, and to this end they prioritise the availability and protection of their organisations’ systems. The spectre of the WannaCry ransomware attack, which cost the NHS in the UK millions and could have been fended off by a software update made available weeks before, looms large in the minds of anyone with responsibility for security.

It’s understandable. The cyberattack surface is constantly growing, and as well as safeguarding their companies and their colleagues against corporate threats, many CISOs feel they are now obliged to become the go-to authority on volatile global and national security issues too. 

Their determination to close gaps in their corporate armour by strictly imposing a rigid upgrade programme, however, can meet with considerable resistance. One of the biggest challenges is establishing a more cyber-security-focused culture. All too often the security team are regarded negatively, seen as imposing disruptive processes that are considered unnecessary by other departments. Many employees don’t want to engage with cyber-security practices, and while they fully expect to have access to systems and solutions 24/7, they have little patience for the impact on their everyday tasks that an update might present. Human nature also plays its part in the delaying tactics that are used to avoid installations that could change or impact employees’ familiar interactions with existing applications.   

The difficulty of keeping remote workers secure

Putting in place a cyber-security culture was tricky enough when employees were office-based, but it has become even more so now that hybrid and remote working are the norm and reliance on remote managed and unmanaged access solutions is commonplace.

Cloud-based solutions that provide virtual desktop and virtual PC infrastructure, including Citrix, Azure Virtual Desktop, Windows 365 and VMware, have helped to establish hybrid working as standard practice. Not only do they deliver the data and applications that employees need, they also enable companies to control resources such as identity and access policies and make system administration much easier. The flip side to this, however, is the frequency of security updates and re-configuration that must be factored in to protect users and information.

From a CISO perspective virtual infrastructure allows them to keep their arms around the security ecosystem. They can take advantage of the often monthly patches to physical servers and guest virtual machines and keep systems up to date with new software versions as and when they become available, knowing that this will protect against recently launched malware and remote access security flaws.

While some security software updates can take just minutes, others can take hours, involve reinstallation, and require the involvement of employees, and this can have operational implications. Employees are no longer in a confined, controllable space using only company-managed endpoints. Instead, a mixture of managed and unmanaged devices is now more commonplace, and while CISOs are under pressure to keep security update activity to a minimum, they are only too aware that they must balance this with the potential risk of a cyberattack and the growing vulnerability of unmanaged devices.

There is no doubt that virtual desktops, particularly those that are regularly updated with security patches, can enhance systems against attacks on applications and data at a cloud level. Securing data input at the endpoint – even a virtual endpoint – however, carries the same risk that it always did.  

New approach could solve the issue

It is possible that adopting a new security strategy and/or implementing just one type of security solution could be the answer to both problems – enabling CISOs to reduce disruptive updates and at the same time defend devices against attack.

Fundamentally, and against a backdrop of increasing cyberattacks, all organisations should be implementing zero trust. It may not be a popular approach with employees initially and requires considerable buy-in at every level from the C-suite down, but it is the most effective way to ensure that access is given only after the user or device is assessed and verified.

If zero trust is just a step too far, or while it is being established, CISOs should be looking for a security solution that enhances and supports their existing remote access infrastructure. This needs to protect against the most insidious cyber-attacks, such as kernel-level keylogging and screen grabbing, which are commonly deployed on unmanaged endpoint devices as a means for bad actors to gain entry to corporate networks.

This type of protection, which is as effective in defending virtual desktops as it is in combatting attacks on any physical device, will wrap data and applications securely, ensuring that they are containerised against malware, without any need to identify the malware itself. 

Combatting the complacency of employees when it comes to spending time on cyber-security practices means finding solutions that are easy to implement and deploy, and most importantly, which require a single download to the device they are using. CISOs or administrators should have visibility over who has already downloaded the solution and straightforward mechanisms to ensure non-users are directed to download it so they can gain access to their virtual desktop infrastructure. 

The net effect of this is that any device, whether it is outside the physical corporate perimeter, within it, or in transit, will continue to be protected. CISOs will also have the reassurance of knowing that they can achieve a more workable approach to keeping the company, and employees, secure, and can reduce the frequency of updates that threaten to impact operations, or which are meeting resistance from colleagues. 

Dave Waterson

Dave Waterson is CEO at security company SentryBay and an expert in endpoint and application security. His technical focus areas are anti-keylogging, anti-phishing, data security, secure browsing, IoT, mobile security, identity theft and cloud-based security. He was included amongst the top 10 tech thought leaders identified by A.T. Kearney at the World Economic Forum in Davos and is a winner of the Great British Entrepreneur of the Year Award for cyber security.
