ISP security played a significant role during the pandemic, to securely connect home routers with business networks; however, CIOs are doubtful regarding the level of security
The remote workforce was the forced new normal for organizations due to a global pandemic’s sudden onslaught. All the remote employees are now dependent on their domestic ISPs to provide effective security and uninterrupted connectivity with colleagues, clients, and suppliers.
CISOs point out that ISPs are not well known for their security measures. They have increased the defense mechanisms against threat actors, but it remains doubtful if the organization can solely depend on that.
Security leaders believe that it is not possible to do so. The current scenario has seen a sudden increase in advertising trends, focusing on security for organizations and individuals from ISPs. These are basic minimalistic features driven by marketing requirements rather than security.
CIOs say that there is a vital reason why ISP security features are still doubted in the IT industry. A conventional ISP is mostly targeted at delivering predictable, reliable bandwidth to the clients. Clients value connectivity and reliability over every other facility. If the ISPs need to make a critical trade-off decision between uptime and security, they will ultimately choose and focus on uptime.
Security leaders say that in the true sense, demand for reliable connections and speed has increased significantly and crushed the domestic ISPs in the initial days of the pandemic. That continues to be a serious strain for many providers.
The pandemic’s start saw a sudden rise in the residential connections, which resulted in increased botnet traffic and bandwidth oversubscription. This resulted in severe bottlenecks for people working remotely or in-home offices. CIOs point out that ISPs often use inadequately protected and aging home hardware, resulting in many security liabilities.
Remote employees often rent network devices from the local ISP. This equipment is directly exposed to the Web and often lacks normal security controls. Most of these devices very rarely receive any updates and expose corporate networks to potential security breaches. They mostly run on self-signed certificates, no TLS for login sites, and common, widespread use credentials. This equipment can be easily targeted by botnets and behave as access points for attackers to leverage in-home networks.
Why ISPs disagree?
ISPs beg to differ and say that security liabilities are not solely their responsibility. CIOs agree that a lot of the incidents are a result of user behaviors. Despite this, user and organizations’ expectations on ISP security remains to be high. As a result, ISPs have upped their security game regardless of the challenges.
Security leaders say that security is a multilevel problem
Specific security problems are due to conflicts of interest, too- maybe not the obvious ones that enterprises expect. The biggest challenge is expecting ISPs to ensure security when privacy and security are in direct conflict with the business model. Most end-users expect to use ISP for all their requirements without monitoring from the ISP’s end. To provide effective security functionality, ISPs should first pierce through the privacy veil.
CIOs say that this was the main reason most organizations decided to implement VPNs as part of the access protocol to secure their corporate networks.