A Security Playbook for Working from Home
Chances are you are deep in the middle of a remote working scenario that is not of your own creation. The current infectious disease outbreak has sent workforces everywhere scrambling. Employees who have never worked remotely suddenly find themselves dispatched to home offices, IT is under incredible stress, and—as of this writing—it’s hard to predict when we will return to normal. Hang in there, brave, kindred IT spirit! You’re not alone. While global remote working has been growing for some time (in fact, by 140% since 2015 according to a 2019 Global Workplace Analytics report) this latest situation is pushing all known boundaries. We’ve put together a list of some best practices to consider as we move into the “new normal” of remote working—broken down for IT Managers, Facility Managers and the C-Suite.
For the IT Manager
The newfound influx of remote working by users who don’t traditionally work from home means a lot of access control issues such as password resets, IT help desk tickets and potential security risks, like password-phishing malware. Every enterprise is somewhere on the spectrum between standard username-password and passwordless—the vanguard of the industry. Take stock of where you are on this journey and realize that—no matter where you are—there is room to grow:

Using username/passwords only
If you find yourself here, realize you are ripe for attack: credential-stealing malware is already out there looking to harvest your employees’ passwords and use them against you. Your best choice is to implement simple two-factor authentication—the “something you know, something you have” protocol. One of the best two-factor, or 2FA, options that can be quickly deployed is “push” notification. It can be easily rolled out to your workforce and relies on the mobile phone for the “something you have”. Get this going soon, as it is your best defense against unauthorized access.

If you already have 2FA deployed
Congratulations! If done properly, 2FA prevents data and network breaches from phishing attacks. This has been popularly demonstrated by Google, which has used FIDO2-enabled USB security tokens as a second factor since 2017. This may be a good time to consider taking the next step toward MFA, or multi-factor authentication. By integrating an advanced authentication platform, you can leverage your existing 2FA factors while adding more human-friendly authentication factors such as smartcards, biometrics, UBA (a.k.a. behavioral analytics) and risk analytics. Look for a solution that will not break the bank. It needs to be fast to deploy, fit seamlessly into your Active Directory domain, require minimal computing power and be available on a scalable subscription basis.

If you have already deployed multi-factor authentication
You are well protected and already on your journey to passwordless. This might be a good time to ask vendors to demonstrate the latest technology in biometrics, smartcards and USB tokens enabled with FIDO2, or risk-based analytics. Additionally, enterprises at this maturity level are often integrating physical and IT security systems. If this is you, look for a vendor that is savvy in both physical access and advanced authentication for IT assets and can provide a converged offering.

Ready for Passwordless
This might come as a surprise, but there is such a thing. Passwordless eliminates the use of selected passwords and replaces them with FIDO2 keys, cards and mobile apps, in addition to a PIN. Your users never have to update a password because there are no passwords. This relieves the burden on the IT helpdesk, especially during times of great stress.
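The reason the post can say that a FIDO2 second factor stops phishing is that the authenticator signs the relying party ID and the browser-reported origin, so an assertion produced on a look-alike domain is scoped to that domain and is useless against the real login service. The following is an added example, not code from the post or from HID Global, that models those relying-party checks in plain Python. It assumes one simplification: an HMAC under a per-credential secret stands in for the authenticator's public-key signature so that the example runs with only the standard library. The hostnames, user name and challenge values are constructed for illustration.

```python
"""Toy model of the WebAuthn (FIDO2) assertion checks that make the second
factor phishing-resistant.  Added example; HMAC stands in for the real
public-key signature (assumption), and all identifiers are constructed."""
import hashlib
import hmac
import json
import secrets

RP_ID = "corp.example"              # constructed relying party ID (site's effective domain)
RP_ORIGIN = "https://corp.example"  # origin the RP expects the browser to report


def rp_id_hash(rp_id: str) -> bytes:
    """WebAuthn authenticatorData begins with SHA-256 of the RP ID."""
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Stand-in for a FIDO2 key: signs rpIdHash || SHA-256(clientDataJSON)."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)  # assumption: HMAC key in place of a private key

    def get_assertion(self, rp_id_from_browser: str, client_data: dict) -> dict:
        # The browser, not the user, fills in rp_id and origin, so a user lured
        # to a look-alike domain cannot "type" the right values by mistake.
        auth_data = rp_id_hash(rp_id_from_browser)
        client_data_json = json.dumps(client_data, sort_keys=True).encode()
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return {
            "authenticatorData": auth_data,
            "clientDataJSON": client_data_json,
            "signature": hmac.new(self.secret, to_sign, hashlib.sha256).digest(),
        }


class RelyingParty:
    """The corporate login service: issues challenges and verifies assertions."""

    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin = rp_id, origin
        self.credentials: dict[str, bytes] = {}  # user -> stand-in for stored public key
        self.pending: dict[str, str] = {}        # user -> outstanding challenge

    def register(self, user: str, authenticator: Authenticator) -> None:
        self.credentials[user] = authenticator.secret

    def begin_login(self, user: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, assertion: dict) -> tuple:
        """Return (accepted, reason); the checks mirror the WebAuthn spec."""
        if assertion["authenticatorData"] != rp_id_hash(self.rp_id):
            return False, "rpIdHash mismatch"
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if client_data.get("origin") != self.origin:
            return False, "origin mismatch"
        # Challenges are single-use: pop so a captured assertion cannot be replayed.
        if client_data.get("challenge") != self.pending.pop(user, None):
            return False, "unknown or expired challenge"
        signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.credentials[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"


def browser_login(key: Authenticator, page_origin: str, page_rp_id: str, challenge: str) -> dict:
    """What a browser does when a page at page_origin calls navigator.credentials.get()."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return key.get_assertion(page_rp_id, client_data)


def demo() -> dict:
    rp = RelyingParty(RP_ID, RP_ORIGIN)
    key = Authenticator()
    rp.register("alice", key)  # constructed user
    results = {}

    # 1. Genuine login from the real site.
    c = rp.begin_login("alice")
    a = browser_login(key, RP_ORIGIN, RP_ID, c)
    results["legit"] = rp.finish_login("alice", a)

    # 2. The same assertion presented again: its challenge was already consumed.
    results["replay"] = rp.finish_login("alice", a)

    # 3. A look-alike domain relays the real challenge to the victim.  The
    #    victim's browser scopes the assertion to the domain it is really on,
    #    so whatever the look-alike site forwards fails the rpIdHash check.
    c = rp.begin_login("alice")
    lookalike_origin = "https://corp-example.login-help.test"  # constructed
    a = browser_login(key, lookalike_origin, "login-help.test", c)
    results["phish"] = rp.finish_login("alice", a)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:6s} accepted={ok} ({why})")
```

The design point is that the RP ID and origin are bound into the signed data by the platform, not chosen by the user; a push approval, by contrast, only confirms that the right phone said "yes" and carries no such binding, which is why the post treats FIDO2 as the stronger step.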
For the Facilities Team (Security and Front Desk)
If you are in facilities management and focused on front-desk security, you may suddenly find yourself sheriff of a ghost town. But that doesn’t mean you let your security awareness down. In fact, there are significant reasons to step up your game. Take for example what a leading cancer clinic recommends for all of its facilities. During a crisis like this, in order to keep the institution running, they need to quickly and accurately identify emergency transfer workers and verify their credentials and skills. (Your organization may need to identify its own emergency workers during this time and create a workflow for them to visit your facilities.) To do this, each of their institutions can issue a “temporary institution badge” that is accounted for by the manager or supervisor of an area. The badge provides the non-entity employee access to all areas necessary to perform the functions required, and the non-entity employee’s regular badge must be displayed while on the premises.
For the C-Suite (Explore the Opportunity for a Tech Refresh)
If you are embracing the remote worker model, then you are probably realizing the value to your business in terms of increased productivity and reduced facility costs. Yet you may be concerned that without proper cybersecurity, phishing attacks and stolen credentials could damage the business. Which leads to the ultimate question: how much is this going to cost me? Luckily for you, the high demand for effective multi-factor authentication has produced many highly secure, cost-effective solutions that can protect your business from phishing attacks and misused passwords. The ultimate solution strikes a balance between high security and greater convenience, while minimizing investment and maximizing ROI. Talk to your security professionals about where your business is along the journey to passwordless. Ask them how the latest advanced authentication technologies can enable higher security AND a convenient employee experience while possibly even lowering costs. Taken together, these best practices are simple but effective. Implemented properly, they can lead to a much smoother, more secure and seamless transition of your workforce to the remote world.

Jeff Carpenter is Director of Cloud Authentication at HID Global. In his 15+ years in cybersecurity, Jeff has held positions with several top-tier cybersecurity and technology companies including Crossmatch and RSA, a Dell Technologies company. He holds both Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) designations.