Article Details

Scrape Timestamp (UTC): 2025-11-07 09:01:43.442

Source: https://www.theregister.com/2025/11/07/teamviewer-security-first-design/

Original Article Text

How TeamViewer builds enterprise trust through security-first design

What to do when even your espresso machine needs end-to-end encryption

Sponsored Feature

The security landscape is getting more perilous day by day, as both nation-state groups and financially-motivated hackers ramp up their activity. According to a PwC report late last year, both the number and scale of cyber incidents are increasing rapidly. Globally, 36 percent of businesses experienced a data breach costing them more than $1 million last year, up from just 27 percent in 2023.

And this in turn means that the compliance landscape is becoming increasingly complex. The EU's NIS2 cybersecurity directive came into force last year, aiming to enhance cybersecurity across the bloc, with the Digital Operational Resilience Act (DORA) mandating various security practices for the financial sector.

In the US, legislation consists of a combination of federal laws, sector-specific legislation such as the Health Insurance Portability and Accountability Act (HIPAA), and various different state laws. And, in the UK, the Cyber Resilience Bill looks set to come into force late this year or early next, building on the existing Network and Information Security (NIS) regulations with new requirements covering digital supply chains, strengthening the powers of regulators, and improving mandatory incident reporting.

"There are many compliance requirements that have come up over the last couple of years: when we talk about NIS2, for example, or the UK's Cyber Resilience Bill, but also in the product space," says Jan Bee, Chief Information Security Officer at TeamViewer, a global leader in digital workplace solutions. "There's quite an overlap between all of those: it's really about fundamental security, and to be able to respond to the threats we are seeing out there in an effective and scalable way."

All this means that organizations managing distributed workforces and complex IT infrastructures need to change the way they approach cybersecurity and operational resilience. This means building systems that can adapt to the evolving threats and regulations of the future.

In the past, the usual approach was to define an overall security program and Information Security Management System (ISMS), and compliance was then a check-box operation. But, says Bee, all this has changed.

"If you define your measures, even before you go into a compliance certification audit nowadays, for example, your measures are already tested by various threat actors out there. It has fundamentally changed how we should think about compliance because of the speed we need to operate at, the speed needed to remediate," he says. "We cannot spend ages figuring out how to restructure something, how to define things. We need to act."

Security, baked in

TeamViewer's own products, including its TeamViewer DEX platform, designed to monitor and improve the digital employee experience, are built from the start with this in mind, in a security-first approach. The 'shift left security' philosophy, which has been gaining prominence over the last couple of years, means incorporating security at the earliest possible stages of the software development lifecycle (SDLC).

"I'm happy about how we managed to incorporate this at TeamViewer," says Bee. "At TeamViewer we have weekly security meetings with our product managers, and they tell us what's planned, what they have in mind and even in this early ideation phase, we discuss what could go wrong and how to adjust the idea or what to take care of in particular during the implementation."

As a result, TeamViewer builds enterprise-grade protections into the foundation of every product. These go beyond simple encryption or access controls to include comprehensive audit trails, granular permission management, and proactive threat detection.

TeamViewer uses AES-256 encryption that runs end-to-end with all the sensitive data encrypted. Every connection is verified, every time, and device health checks are carried out before access is granted. There are role-based access controls, and enterprises can define a list of trusted devices to minimize the chances of unauthorized access. Session activity is logged and recorded, helping with detection and, crucially, compliance. And through TeamViewer Remote and TeamViewer ONE, organizations can securely connect to their IT systems from any location.

"It's also about things like how we enable our customers to get visibility into our solution. It's not any more just about the features, it's also about supporting our customers to make our solution most effectively secure at scale," says Bee. "Our customers can go into our security center, for example, and understand what we recommend and how to prioritize these security measures to secure our solution in the best possible way, looking at their specific use-case and needs."

A nice hot cup of security

In terms of real-world deployments, Bee cites coffee machine maker La Cimbali. The firm previously relied on technicians, either from Cimbali Group or one of their distributors, who would then investigate and troubleshoot the problem on-site.

However, Cimbali Group's fully automatic Series S machines now ship with the TeamViewer client installed. If a customer encounters an issue, they can open a support ticket with their Cimbali Group service partner and create a session by pressing the TeamViewer icon on the machine's display. Technicians from Cimbali Group or one of its distributors then have reliable and secure remote access to the coffee machine screen, almost as if they were on-site.

"You have a coffee machine at a restaurant, quite an expensive device.
And these are smart devices now, so you can just go to the menu and basically press a button to get support, where the manufacturer or partner are able to connect to these devices and support you remotely," he says. "I really like this approach, because the problem is solved where the issue actually is, on the UI control panel of a coffee machine. It's quite different from what you usually have, where someone needs to travel there. You solve this issue remotely and at scale."

The company says it's seen a 20 percent increase in technician efficiency, alongside reduced service travel costs of up to 15 percent. Achieving this, though, often requires integrations with existing software that need to be as seamless as possible.

"Speaking of integrations, for TeamViewer Remote and Tensor, there is the Intune integration, where we allow customers to create sessions directly from their Intune console," says Bee. "And if they already have this trust relationship via Microsoft Intune and they have their devices managed there, then it's easy for us to integrate there in this flow, and allow the IT service desk to address a specific device in their fleet."

Thinking about security in four dimensions

Third-party and fourth-party risk are becoming an increasing problem. The recent Salesloft Drift breach, for example, is believed to have impacted around 700 organizations. It saw attackers bypassing MFA, exploiting OAuth tokens from the Drift–Salesforce connector to gain unrestricted access to sensitive customer data, cloud credentials, and other critical assets.

"This is a really important reminder to all of us that it's not just third-party, but also fourth-party risk," says Bee. "You need to think about how many SaaS applications your organization is using, maybe a couple of hundred, maybe even thousands of applications."

"And then it's about understanding for each of them what they need to do to secure them and prevent these fourth-party integrations or at least be able to govern them and control them and get this visibility."

Soon to appear in TeamViewer products is the TeamViewer Security Center, giving customers recommendations on what they should focus on, and how they can prioritize over time as users, devices and configurations change.

"Similarly, I also envision this for the fourth-party risk and security configuration," says Bee. "And then it comes from the manufacturer of these solutions. They know their solution best, and can give you the right recommendations to address these issues."

Speaking of knowing solutions best, Bee is also enthusiastic about TeamViewer's bug bounty programs, through which independent security researchers check out the company's products for bugs and vulnerabilities in return for payment.

"We just had a live hacking event last month at Nullcon Berlin that was very successful, and also got us much closer to this community, nicely complementing our overall security program," he says.

A comprehensive look at every stage of the secure development lifecycle is crucial. The company also works to define something that it calls a "security RICE" (Reach, Impact, Confidence and Effort) at the early stage of product development to be able to adequately measure security aspects during general feature planning.

"The impact could be as simple as closing a weakness, for example, or proving a compliance requirement, or something that's maybe demanded by a certain standard or new compliance needs coming up, but also even things like the ease of use and user experience when it comes to security," says Bee. "It's all really about compliance in various facets. When devices deviate it puts them at risk for various reasons and in various directions.
Being able to become aware and address these issues, particularly in large fleets with solutions like TeamViewer ONE, is so important to keeping up with the fast-paced developments we are seeing."

Sponsored by TeamViewer.

Daily Brief Summary

MISCELLANEOUS // TeamViewer Enhances Security with Innovative Solutions and Compliance Focus

TeamViewer emphasizes a security-first approach, integrating robust protections such as AES-256 encryption and role-based access controls into its digital workplace solutions.

The company conducts weekly security meetings during the early stages of product development to proactively address potential vulnerabilities and ensure compliance with evolving regulations.

TeamViewer's products, like the DEX platform, offer comprehensive audit trails, granular permission management, and proactive threat detection to enhance enterprise security.

Real-world applications include remote support for La Cimbali coffee machines, improving technician efficiency by 20% and reducing service travel costs by 15%.

TeamViewer addresses third- and fourth-party risks, as demonstrated by the Salesloft Drift breach, by providing visibility and governance over SaaS applications and integrations.

The upcoming TeamViewer Security Center will offer tailored security recommendations, helping organizations prioritize measures as their environments evolve.

TeamViewer's bug bounty programs and live hacking events engage the security community to identify and mitigate vulnerabilities, enhancing the overall security posture.