How to Maintain Security When Employees Work Remotely

Beyond Identity Blog | Wednesday, August 18, 2021

The widespread adoption of remote work seemed to occur overnight. Companies rapidly changed their business processes to accommodate remote workers. The pandemic compelled IT executives to reconsider their strategy for securely managing workers outside the office, driving a digital transformation.

Remote work offers several advantages, including greater productivity, better mental health, and lower office space expenses. However, it is not without its difficulties. Your remote workers may be unintentionally jeopardizing the security of your company's data. Working from home can result in data breaches, identity theft, and a slew of other undesirable outcomes. 

Remote employment introduces a new set of cybersecurity risks. We already know that your workers are your weakest link in information technology security and that 95% of security incidents begin with human mistakes. In addition, the remote working environment has the potential to blur the boundaries between work and personal life and workers may develop poor cybersecurity practices, such as utilizing work equipment for personal activities.

Cybercriminals are aware that more individuals are working from home than at any point in history, which provides them with a more distributed threat surface with more opportunities to cause data breaches, utilize backdoors to access networks, introduce ransomware for financial gain, or otherwise disrupt companies on a large scale.

They are also aware that many businesses have resorted to remote operations as the last option and, as a result, have not invested sufficient effort in developing robust cybersecurity procedures. Consequently, businesses employing remote workers have become more popular targets, to the point that the Federal Bureau of Investigation (FBI) issued a press statement warning employers about the heightened dangers associated with remote employment.

Remote workers are more susceptible to attacks, specifically phishing

The growth in phishing attacks is proportional to the rise of remote employees. Cybercriminals have seen a business opportunity: vulnerable people working from home are ideal targets for phishing operations, because hackers know that remote employees may not have the same security protections they would have in the office.

Phishing attacks use psychological manipulation tactics to trick recipients into revealing sensitive data. The types of phishing attacks with the highest response rates include:

  • Unpaid invoices
  • Login issues
  • Password breaches
  • Messages from executives or management

After all, remote employees cannot immediately walk over to the next desk and confirm the legitimacy of a bank transfer request with a colleague. They also lack the in-house assistance of an IT staff, and companies that moved to the cloud to accommodate remote work may have ditched their multi-factor authentication (MFA) that scanned emails for suspicious activity coming into the network.

Legacy security solutions don’t work

Passwords are behind most breaches

According to MobileIron, passwords continue to be the most widely used form of authentication and the leading source of data breaches. In fact, 81% of security breaches are the result of stolen or hacked passwords. Also, according to a Google/Harris Poll study, 75% of Americans struggle with trying to manage their passwords.

While password hygiene is continuously pushed in security training, around 59% of Americans continue to reuse their passwords for multiple accounts. Also, the top five passwords aren’t helping:

  1. 123456
  2. Password
  3. 12345678
  4. qwerty
  5. 123456789

Passwords are outdated and introduce additional cybersecurity threats, and forward-thinking organizations need a frictionless option other than passwords. Moreover, employees want convenience. One increasingly popular option is passwordless authentication, which uses two or more verification elements in place of a password. 

VPNs for remote work are not made to scale

VPNs made their debut in the late 1990s to digitize TCP/IP network access for connectivity. At the time, the primary use case was to link disparate corporate offices into a single network. Since then, the use of VPNs has risen, and with remote work on the rise, many businesses rushed to install VPNs so their employees could work from home.

However, VPNs are not always the best option for work from home, particularly when users are not utilizing IT-managed and hardened equipment. When users log into their company's VPN, they establish a virtual network interface. The user's device's traffic is subsequently routed into and out of the company's network. 

Any program running on the user's device, whether driven by an authorized user or a malicious hacker, may connect to the company's network, including printers, file sharing, servers and databases, intranet-based web applications, and legacy applications. It only takes one bad actor to infiltrate the system, carry out attacks, and wreak havoc on your systems.

While VPNs provide more connectivity and access to company networks and resources, they do not solve the security issues of passwords and offer little in the way of security. 

Password managers may seem safe, but they can be cracked

Since memorizing passwords is extremely difficult to do, many have resorted to utilizing password managers. Unfortunately, password managers can also expose end-user credentials after being hacked.

Findings released by Independent Security Evaluators (ISE) showed that many popular password management services have exploitable security flaws. According to the report, widely used password managers such as KeePass, 1Password, LastPass, and Dashlane were all vulnerable to these risks, which may allow end users' credentials to be stolen.

Traditional MFA is not as secure as end-users think

Numerous businesses have used two-factor authentication through SMS as a security measure. An SMS containing a one-time code is often sent to the user's phone to guarantee safe app access. While many businesses think this approach increases the security of an account or app access, it exposes them and their customers to new cybersecurity risks like SIM swapping or porting.

SIM swapping preys on human error: cybercriminals use phishing to have a target's phone number switched from the SIM in the target's phone to a SIM in a device they own or control.

That is precisely what occurred when cybercriminals hijacked Jack Dorsey's Twitter account. With growing cases of hackers successfully exploiting this vulnerability, SMS-based two-factor authentication is no longer considered a safe practice for maintaining security when employees work remotely.

SIM swapping is just one way that MFA can be hacked. Attackers can use man-in-the-middle attacks, phishing emails, and more to gain access.

So what is the best course of action for a remote workforce?

Better, and safer, solutions to secure your remote workforce

Strengthen security with risk-based authentication

Company executives are accountable for safeguarding their organization's data, systems, and intellectual property. It is critical to utilize the appropriate technology to ensure that system access is safe, secure, and convenient. Passwords must be phased out and replaced with something that is simple to implement and unobtrusive to the end-user.

Both requirements are met by risk-based authentication (RBA) solutions. This approach protects against sophisticated security breaches and hackers while alleviating the problems associated with passwords and one-size-fits-all authentication methods.

RBA is a kind of strong authentication in which a risk score is calculated in real-time for each access attempt based on a specified set of criteria. After that, users are provided with authentication choices commensurate with their risk level.

In addition, risk scores are compared to a policy-defined threshold in your authentication or identity and access management (IAM) systems. This comparison establishes the method of authentication required for the login attempt.

Some examples of variables used for risk ratings include:

  • Geo-location
  • User identity specifications
  • Geo-velocity

Personal risk characteristics include the length of employment with the business, position or job level, history of security incidents and certifications, and rights. To illustrate, suppose a user fails an internal security certification exam or is the victim of an internal phishing test. In that case, the user is immediately mandated to transition to two-factor authentication.
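The scoring and threshold logic described above, as an added example that is not Beyond Identity's code: it scores an access attempt on geo-location, geo-velocity (impossible travel between two logins) and the personal risk characteristics named in the text, compares the score to policy thresholds, and forces a second factor for a user who failed an internal phishing test. The weights, thresholds, country allow-list and the 900 km/h travel limit are assumptions.

```python
# Added example (not Beyond Identity's code): a minimal risk-based authentication
# scorer over the variables the text names. Weights, thresholds and sample data are assumed.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

@dataclass
class UserProfile:
    tenure_days: int                     # personal risk: length of employment
    privileged: bool                     # personal risk: position / rights
    failed_phishing_test: bool           # personal risk: security incident history
    allowed_countries: frozenset = frozenset({"US"})   # assumed geo-location policy
    last_login_at: Optional[datetime] = None
    last_login_loc: Optional[Tuple[float, float]] = None

MAX_PLAUSIBLE_KMH = 900.0  # faster than this between two logins is "impossible travel" (assumed)

def risk_score(user: UserProfile, at: datetime, loc: Tuple[float, float], country: str) -> int:
    """Combine geo-location, geo-velocity and personal risk into a 0..100 score."""
    score = 0
    if country not in user.allowed_countries:
        score += 40                                            # geo-location
    if user.last_login_at is not None and user.last_login_loc is not None:
        hours = (at - user.last_login_at).total_seconds() / 3600
        km = haversine_km(user.last_login_loc, loc)
        too_fast = km / hours > MAX_PLAUSIBLE_KMH if hours > 0 else km > 1
        if too_fast:
            score += 40                                        # geo-velocity
    if user.tenure_days < 90:
        score += 10                                            # new hire
    if user.privileged:
        score += 10                                            # elevated rights
    return min(score, 100)

def required_auth(user: UserProfile, at: datetime, loc: Tuple[float, float], country: str,
                  low: int = 20, high: int = 60) -> str:
    """Compare the score to policy thresholds; a failed phishing test forces a second factor."""
    if user.failed_phishing_test:
        return "mfa"
    score = risk_score(user, at, loc, country)
    return "deny" if score >= high else "mfa" if score >= low else "single_factor"
```

In a real IAM system the same decision would be fed by the identity provider's signals (device posture, IP reputation) rather than the two coordinates used here.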

You can learn more about what risk-based authentication is.

Implement zero-trust policies

With the threat landscape becoming more complex and recent workplace changes to accommodate remote users, many businesses use a zero trust security architecture to prevent, identify, and react to cyber threats throughout their environment.

Zero trust requires all users, whether inside or outside the organization's network, to be authenticated, authorized, and continuously validated for security configuration and posture checks before being granted access to applications and data. These zero trust principles help protect against identity and access-based security risks.

Zero trust protects apps and data against new and emerging threats by relying on strong user authentication and device validation in addition to network and endpoint security. Rather than enforcing security at the network border, zero trust focuses on application and surface area protection. Users and devices are not automatically trusted because they are within the corporate perimeter or connected to a trusted network.

While each company may approach zero trust differently, the fundamentals remain consistent, including establishing trust in every access request and safeguarding access across their apps and network.

By implementing the fundamental components of zero trust first, such as single sign-on (SSO), MFA, and device trust, the move to securing your remote workforce will be more seamless and scalable.

Secure mobile devices and BYOD 

To mitigate the risks associated with Bring Your Own Device (BYOD) and to guarantee compliance with a zero trust architecture, security standards must be both practical and actionable when it comes to mobile devices. Without a method to enforce your business's mobile device policies, your organization will continue to lack the fundamental security necessary to protect against credential-based attacks. 

We have a mobile device security checklist, which will help you ensure that only secure mobile devices can access company resources. 

How to take friction out of security measures: go passwordless 

Remove passwords from the equation with passwordless authentication

Today's remote employees depend on a diverse range of apps to accomplish their tasks. Users are compelled to remember and keep track of an absurdly large number of regularly-changing passwords. Bad actors may use inadequate password management methods to launch cyberattacks and steal sensitive information through methods like credential stuffing, social engineering, and more. 

Simple authentication techniques that rely only on username and password combinations are by definition insecure. And replacing passwords with multi-step login processes will have users looking for workarounds that create new vulnerabilities.

Passwordless authentication allows access to an application or device without inputting a password and is incredibly secure. At Beyond Identity, passwordless authentication is achieved by using biometrics and the Trusted Platform Module (TPM) where a secure private key is stored. To authenticate a user, the TPM signs a certificate with the private key that can be validated using the corresponding public key. It makes the login process easy, frictionless, and secure. 

Passwordless authentication is often combined with MFA and SSO systems to enhance the user experience, increase security, and simplify IT processes. Gartner forecasts that by 2022, 60% of worldwide businesses will use passwordless authentication.

Passwordless authentication improves security by obviating the need for hazardous password management methods and limiting attack vectors, while creating an authentication process that isn’t laborious for users and is easy to adopt. 

Transition to passwordless MFA, not legacy MFA

To compensate for the password's inherent insecurity, MFA is often used. As a result, authentication is no longer based entirely on what the user knows (the password). Traditional MFA also requires something the user has, like a cell phone on which to receive a one-time code.

The issue is that traditional MFA often impairs the user experience. The employee has to log in with a username and password and then move on to an additional step that may require another device. This is inefficient and particularly infuriating if the user doesn’t have their second device on hand.

Passwordless MFA improves the user experience, and additional security comes from including a third element: something you are. That is, a biometric component, such as a fingerprint, a face, or an eye. By removing passwords, users are relieved of remembering them and get quicker access to apps and services. You break the endless loop of password resets, help desk calls, and lockouts, which are especially cumbersome for a remote workforce.

Some of the benefits of passwordless MFA include: 

  • No passwords to steal
  • It’s extremely challenging for threat actors to replicate biometrics
  • End-users do not have to manage or memorize multiple passwords

Pick a solution with seamless adoption and make it scalable

Passwordless authentication enables workers to log in seamlessly across all channels without entering a password or submitting help desk requests for password resets. Allowing workers to log in quickly and securely through biometrics or other technologies immediately improves the user experience by eliminating the need to input a complicated password.

Typically, the procedure is quick and straightforward, alleviating the daily hassles of signing in and memorizing complex passwords. Passwordless authentication enables IT professionals to maintain complete control — even in a scattered work environment.

Security teams often struggle to balance security and employee convenience, all while addressing department-specific authentication requirements. By using a passwordless platform, businesses may quickly handle various authentication requirements across different departments.

You can improve the employee experience by allowing several layers of authentication and identity verification inside a straightforward registration and login procedure. You can also significantly reduce the friction associated with filling out forms or remembering usernames and passwords. As a result, you retain the benefits of passwordless authentication: full authentication, incontrovertible identity verification, and sophisticated biometrics.

Secure your remote organization

As remote work becomes the new normal, businesses must evaluate the security risks associated with a hybrid workforce. Many breaches may be avoided by implementing passwordless authentication aligned with a zero trust architecture. They can help businesses remain ahead of the security curve and finally phase out unsafe passwords.

Are you ready to make the transition to passwordless authentication with a solution that benefits your whole remote organization? Learn more about Beyond Identity’s secure remote access solution or request a demo.