An employee’s work laptop can be a treasure trove for any malicious actor who can get access to it.
Think about it. Many of the apps you use on your laptop don’t ask you for credentials, especially if your organization doesn’t have strong multi-factor authentication (MFA) policies. Your app passwords may be cached in your browser for convenience, but this also makes them an easy target for credential theft attacks. If your organization uses certificate-based authentication or Integrated Windows Authentication (IWA) for convenience, most of the apps would be directly accessible from a trusted device, without any authentication challenge. Considering that even a mid-sized company may use more than 100 SaaS applications, imagine the extent of damage one can do with access to even a few of these applications.
Even though the world is moving towards cloud storage, some workers like to store copies of important, sensitive files using OneDrive, Box or Dropbox. Employees who are constantly on the move, such as sales folks, like to keep critical information locally, as they may not always get access to the cloud. Such files may contain sales leads, financial information, partner information, code, trade secrets, and so on. Worst case, a careless employee may have stored their passwords in a spreadsheet.
In addition to sensitive corporate data, an average laptop may contain several files with personal information of the owner, such as their address, phone number, email, SSN, bank account information and credit card details. In the wrong hands, these vital financial records can be used for identity theft.
What’s more, email clients such as Outlook are typically in an “always open” state, putting them at risk. Employee email addresses can often be used to reset passwords for various services, plus emails themselves often contain sensitive information about the employer. Using social engineering, attackers can use one employee email to procure sensitive information about other employees.
In short, it could be disastrous if even one of your employees loses their laptop. Without strong enterprise password policies in place, chances are good that the password is weak and won’t even withstand a basic brute-force attack.
Malicious insiders also target unsecured laptops, looking to steal valuable information from colleagues or senior executives, or gain privileged access to corporate systems and data they don’t have rights to. Insider threats are increasing in frequency, and can be particularly dangerous as they can go undetected for weeks, months – or even years.
So, it’s absolutely essential that work (and even personal) laptops are protected with strong MFA on the boot screen and lock screen. Not doing so would leave a dangerous gap in your organization’s digital security.
To address this pain point, CyberArk Idaptive cloud agents support strong MFA for boot screen and lock screen of Windows and macOS devices with features such as:
- Risk-based adaptive MFA
- Support for MFA on RDP/RDS access to Windows servers
- Self-service password reset based on authentication challenges to minimize IT helpdesk support and costs
- MFA for offline devices, with the ability to lock and wipe Windows and macOS devices if they are stolen
- Flexible authentication factors, such as OTP, SMS, email, mobile push and FIDO2 keys (such as YubiKey)
Endpoints pose significant security risks for today’s digital businesses – especially with the current large remote workforce. Savvy attackers can exploit endpoint vulnerabilities to steal confidential information or disrupt IT services. By taking a defense-in-depth approach to endpoint security – instituting a strong mix of security controls from MFA to privileged access management – you can strengthen overall security posture and reduce exposure.
To learn more about securing remote users, endpoints and critical assets, visit our Risk Distancing Resource Center.