Remote Workforce Security Survey: How remote work’s access expansion left the door open to hackers
Earlier this summer we developed a report with Cybersecurity Insiders to shed light on the issues IT and security professionals face to secure the “new, perimeter-less workforce.” One issue this has raised is that of “workforce expansion paths” which we will be discussing during this blog post.
When we asked respondents “How did you expand your capacity for providing remote employees with secure access to corporate resources?” we received the following responses:
47% answered that they had purchased more licenses for existing apps to secure remote access
29% purchased more hardware for their business
19% purchased more cloud applications for their employees
Why are we seeing this expansion? Although employees are using the same apps as ever – your marketing team has continued to use HubSpot, your sales team has continued to use SalesForce, your finance team has continued to use NetSuite – they now need to connect over VPN to connect to them instead of doing so securely from your office network.
As remote access increases, it’s important to also consider how this expansion impacts security controls. We found that 79% of organizations continued to enforce the same level of security controls and data management for all roles when accessing corporate resources remotely. Many IT teams were overwhelmed in the initial stages of the pandemic by the sudden move to remote access and did not have the right infrastructure of hardware/software to support the new remote users, which in large part led to the lagging in security controls. As remote access and working from home make it increasingly complicated to trust who is accessing what, IT leaders are now considering moving towards a Zero Trust security model to ensure they verify every identity on their network.
What this means for your security
Put simply, this means that businesses have had to extend their previously limited privileged access to more employees to ensure that they can work remotely with as little friction as possible. This requires new remote access to cloud-based applications and resources that they previously accessed in the office environment.
However, this increased level of access has clear downsides from a complexity perspective and a security perspective.
From a complexity perspective, increasing remote access to corporate resources for more employees often means issuing new multi-factor authentication credentials. Because employees are now authenticating from home instead of the corporate network, they can no longer be trusted with just password-based logins. Instead, they will need to deploy mobile authenticators, Windows Hello for Business, YubiKeys, smart cards, hardware tokens, etc. to verify their identity. These credentials will be added into what is likely an already complex patchwork of existing credentials that IT teams need to issue and users need to remember and manage.
Deploying these credentials can be extremely time-consuming for the IT department, as can the associated time that employees spend on help desks when they inevitably don’t know how to issue the credentials or are unable to log in when they lose or forget them. This system of authentication also distracts IT teams from focusing on more business-oriented tasks which could provide more long-term benefits for the enterprise in question.
From a security perspective, the simple fact of the matter is that more authentication methods mean increased complexity. As we all know, increased complexity in our IT systems leads to user confusion and human error – the ultimate opportunity for hackers. All it takes is for one employee to fall victim to a phishing attack in one instance, and the credentials for the application are compromised, which gives the attacker a foothold in a corporate network which they can leverage into a stronger position, gaining access to ever-more sensitive data which they can in turn use for their own financial gain.
This is why the Zero Trust security model emphasizes the “least privilege” principle, which allows individuals to only access the information which is relevant to their legitimate job role. The more users have access to additional information, the greater chance one of these attacks will happen. It’s essential for users at all access levels to have simple-to-manage solutions so an issue like this is less likely.
How Axiad can help
While the current system of multiple credentials is a frustrating fact of life for many businesses, only increased by the Pandemic, it doesn’t have to be complicated. Axiad manages all identity credentials your business needs in one unified platform, whether they’re for users, processes and, machines as well as integrating with existing applications seamlessly. The credential-issuance process is streamlined by allowing users to easily set up a new credential without IT support, in a matter of seconds.
Once they simply and securely authenticate with the credentials they need, the employee has full access to their system based on their privileges and is empowered to continue their working day unhindered by the usual back and forth between different authentication platforms. Authentication is simplified no matter what remote access your business requires, so you can operate securely throughout the changes of remote work.
To find out more about how Axiad can help you on your authentication journey, get in touch.
About the Author
Jerome Becquart is Axiad’s COO. Jerome has over 20 years of experience in identity and access management solutions, including 15 years at ActivIdentity. Jerome’s management experience includes roles in operational management, sales management, professional services, product and solution marketing, engineering, and technical support. After the acquisition of ActivIdentity by HID Global in 2010, Jerome served as general manager of the HID Identity Assurance business unit. He chaired the Global Platform Government Task Force for three years, and served on the board of directors of this Industry organization.