A Look Back: The Sprint to Remote Work Created Security Gaps
The global shift to remote work happened fast: millions of employees went home last March and adjusted to new ways of working – thanks to the IT teams and cybersecurity leaders working tirelessly behind the scenes to make it happen.
The risk landscape changed dramatically during this period of transition. Global VPN usage skyrocketed, while 66% of remote employees adopted new communication and collaboration tools and 77% started using personal devices to access corporate systems. Existing security policies were relaxed or abandoned altogether in the name of business continuity, and it wasn’t long before risky work-from-home shortcuts, such as sharing corporate devices with family members, became hard-to-break habits that put organizations in danger of identity-related breaches.
Opportunistic attackers massively scaled their attacks but continued using tried-and-true methods like phishing, social engineering and brute force to steal credentials and use them to gain illegitimate privileged access to sensitive assets. A recent Identity Defined Security Alliance (IDSA) study reveals that nearly 80% of organizations have experienced an identity-related breach in the past two years (and 19% have since the pandemic crisis started). Employees were targeted in 75% of those breaches.
Where We Are Today: Identity Security Is a Work in Progress
Today, most employees are still working from home. While social distancing mandates have eased in some geographies, it’s becoming increasingly clear that the way we work has changed for good. According to a recent PwC study, 83% of office workers expressed interest in working remotely at least one day a week, while more than half of executives (55%) plan to extend work-from-home options for the long term.
To keep users, workstations and critical assets secure in this new reality, security programs and policies must evolve. Yet for many organizations, there is much work to be done. Our remote work study found 40% of organizations have not yet increased security protocols despite significant changes to remote access needs and cloud application use. According to the IDSA study, fewer than 50% of organizations have fully implemented any of the following strategies:
- Requiring multi-factor authentication (MFA) for all privileged access
- Granting privileged access according to the principle of least privilege (meaning each user has only the minimum level of access needed to do their job)
- Revoking access upon detection of a high-risk event associated with that identity
- Continuously discovering all privileged access rights and user access rights
- Transparently auditing and enforcing application access
- Using device characteristics and expected user behavior for authentication
Where to Go from Here: Practice Risk Distancing to Secure the Remote Workforce
By following these five best practices for risk distancing, you can master the basics, align security controls with the evolving risk landscape, and strategically mature your program to mitigate the risk of identity-based attacks:
Secure Remote Access for all Users. Both remote employees and third-party vendors need access to enterprise resources to do their jobs. Yet traditional approaches like using VPNs can frustrate users, add risk with overly broad network access and create administrative and helpdesk headaches. As organizations settle into the remote work reality, many are seeking to provide convenient, secure remote access to enterprise applications without VPNs. They’re also looking for ways to secure third-party remote vendor access to critical systems using Zero Trust approaches and just-in-time provisioning.
If you do still use a VPN, it’s critical to secure VPN access with MFA to reduce risk.
Strengthen Workstations with MFA. Multi-Factor Authentication (MFA) protects user devices, logins, applications, and even VPN connections with stronger authentication than passwords alone. User-friendly authentication methods like push notifications, Windows Hello, Apple Touch ID, YubiKeys or mobile authenticator apps help keep employees productive and home-based work environments safe. Since many employees admit to reusing passwords between the work and personal world, passwordless authentication (i.e. biometrics that use built-in smartphone capabilities to confirm identities) is fast becoming a top security priority and should be considered.
Lock Down Privilege on the Endpoint. In the wrong hands, local administrative rights can be used to establish a foothold leading to further compromise such as ransomware, privilege escalation attacks, and lateral movement. Fundamental user control begins with removing these admin rights from employee workstations. To do this, first identify where local admin rights exist across your distributed workforce. Then, remove local admin rights and institute just-in-time provisioning to effectively implement least privilege and keep users productive.
Don’t stop there. Since 37% of remote workers admit to insecurely saving passwords in browsers on corporate devices, credential theft blocking capabilities are key. Additionally, strong application control enables users to work with their preferred tools and workflows while restricting or blocking risky applications.
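As an added illustration of the first step above (identifying where local admin rights exist), the following sketch is not CyberArk code. It reviews an exported inventory of local Administrators group membership and flags standing rights to remove. The CSV columns, host names, accounts, SIDs and the approved `CORP\Helpdesk-JIT` group are all assumptions made for the example.

```python
import csv
import io

# Constructed sample export: one row per member of a workstation's local
# Administrators group. Hosts, accounts and SIDs are made up.
SAMPLE = r"""host,member,sid,object_class
WS-001,WS-001\Administrator,S-1-5-21-1111-2222-3333-500,User
WS-001,CORP\Domain Admins,S-1-5-21-4444-5555-6666-512,Group
WS-001,CORP\jdoe,S-1-5-21-4444-5555-6666-1104,User
WS-002,WS-002\Administrator,S-1-5-21-7777-8888-9999-500,User
WS-002,CORP\Helpdesk-JIT,S-1-5-21-4444-5555-6666-2201,Group
WS-003,CORP\asmith,S-1-5-21-4444-5555-6666-1187,User
WS-003,CORP\Domain Users,S-1-5-21-4444-5555-6666-513,Group
"""

DEFAULT_RIDS = {"500", "512"}         # built-in Administrator, Domain Admins
BROAD_RIDS = {"513"}                  # Domain Users
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
APPROVED = {r"CORP\Helpdesk-JIT"}     # hypothetical just-in-time elevation group

BROAD = "broad group: every member becomes a local admin"
STANDING = "standing admin right held by an individual account"
UNAPPROVED = "group not on the approved list"


def classify(row):
    """Return None when the membership is expected, otherwise a reason."""
    sid, name = row["sid"], row["member"]
    rid = sid.rsplit("-", 1)[-1]
    is_account_sid = sid.startswith("S-1-5-21-")
    if sid in BROAD_SIDS or (is_account_sid and rid in BROAD_RIDS):
        return BROAD
    if (is_account_sid and rid in DEFAULT_RIDS) or name in APPROVED:
        return None
    return STANDING if row["object_class"] == "User" else UNAPPROVED


def audit(csv_text):
    """Map each host to its (member, reason) findings; clean hosts are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify(row)
        if reason:
            findings.setdefault(row["host"], []).append((row["member"], reason))
    return findings


if __name__ == "__main__":
    for host, items in audit(SAMPLE).items():
        for member, reason in items:
            print(f"{host}: {member}: {reason}")
```

Matching on the SID's trailing RID rather than the display name keeps the check correct when groups are renamed or localized.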
Manage Access to Applications With SSO. Adaptive single sign-on (SSO) enables a secure and frictionless sign-in experience for both internal and external users that adjusts automatically based on risk. By managing access to applications using SSO capabilities, you can improve security through reduced use of passwords, increased productivity with simplified access to employee resources, and enhanced IT ability to meet compliance requirements.
Educate Employees. A staggering 99% of IDSA survey respondents who have experienced an identity-related breach in the past two years believe these breaches were preventable. The majority (71%) said better security awareness training could have helped them avoid an attack. Ongoing education on common cyber threats, information handling guidelines, and security best practices for remote work – such as using strong passwords, encrypting home Wi-Fi networks, and only using company-sanctioned collaboration tools – will go a long way. Plus, regular Red Team exercises can help test defenses and inform education programs to drive continuous improvement.
The rise in remote work has created new challenges, but it also presents new opportunities for employers and employees alike. To succeed in this new normal, Jason Fried, author of “Remote: Office Not Required,” encourages organizations to “focus on reaping the great benefits and mitigating the drawbacks.”
To learn how CyberArk solutions can help you protect your critical assets and workstations while empowering users wherever they work, visit our Risk Distancing Resource Center and join our webinar, “Four Key Recommendations for Securing Remote Work” on Wednesday, October 21, 2020 at 9:00 a.m. EDT.