How to reduce work from home risks in a post-COVID world
With vast numbers of employees now working from home, we have entered a new normal.
Whilst a few people are now going back to their workplaces as restrictions ease, many office workers are likely to continue to work from home for the rest of the year. The technology giants like Google, Microsoft, Facebook, Amazon, Slack and Twitter have all made this move with some saying it has proven to be just as productive as the traditional office. These innovative market leaders often set the standards for best practices, which could influence how other companies develop their secure work from home strategies going forward.
Whilst Australian organisations continue to navigate this difficult time — focusing on maintaining productivity, boosting employee morale, and equipping remote teams with the software and tools they need — many companies are also thinking about how this ‘new’ way of working will change their business for good and accelerate their path to digital transformation. James Calder, the global director of Woods Bagot-owned office design consultancy, Era-co has said that hot-desking, shared kitchens and crowded public transport are a thing of the pre-COVID era and he said: “It's the end of activity-based work as we know it.”
One thing is certain; as more core business functions and applications move to the cloud, a strong, yet flexible, security foundation is critical to reducing risk exposure for an organisation. In fact, we’re seeing this now.
Working from home introduces new complexities that aren’t typically present in a secure and trusted office environment. Managing access to essential corporate applications, while also adjusting to rapidly support a remote workforce, has been challenging for many companies and rightfully so. When supporting a remote workforce, there is more ambiguity and uncertainty of an employee’s environment, making it critical for organisations to re-establish trust with their users and the devices they’re using.
Back to the basics with two-factor authentication
How do you ensure individuals accessing your IT systems are really who they say they are? You lock the front door. It’s a simple concept that’s often forgotten, but if your organisation has a complex security infrastructure complete with firewalls, end-to-end encryption, virus scanning and more, it’s irrelevant if you haven’t first safeguarded your access points with strong authentication.
Two-factor authentication (2FA) plays an important role as the first line of defence against phishing scams, credential stuffing, or man-in-the-middle attacks. But not all 2FA is equal. When considering a 2FA method, it’s important to understand that there are varying levels of effectiveness.
SMS codes can be compromised by SIM swapping and number porting scams, while one-time passcodes on authenticator apps can be inconvenient and impede productivity. In fact, research proves that SMS and mobile authenticators are not as effective at preventing account takeovers and targeted attacks as other methods like security keys. Security keys leverage open authentication standards, like FIDO2 and WebAuthn, to provide the highest level of security assurance while also providing a seamless user experience.
Regardless of the 2FA method you believe is best for your organization, it’s important to implement it for all employees, across all systems and applications. It is the single best step you can take to drastically improve your security posture with little effort. For many enterprises, my best recommendation is to turn on 2FA with these three business-critical tools.
Identity and access management systems (IAM) and identity providers (IdP)
Access management tools are a good place to start when enforcing 2FA. Most organizations already leverage an Identity and Access Management (IAM) solution or identity provider (IdP) — whether it’s Google, RSA, Microsoft, Okta, Ping, Duo, or something similar — to streamline access and reduce the hassle that comes with multiple logins. Combining an IAM service with strong 2FA results in a winning joint solution that can immediately improve an organisation’s security posture by protecting all business-critical applications with a single point of sign-on.
Virtual Private Network (VPN) solutions
In the age of remote work, it’s important for organisations to ensure employees are using a secure network. With a VPN, only permitted users are allowed to access the data being transmitted, which is why accessing a VPN can be risky when relying solely on passwords. Leveraging 2FA will help to secure VPN access from malicious attackers.
Computer logins
With the influx of remote work, many users are using their personal devices for work-related functions or work devices for personal use. In a perfect world, users should designate the appropriate devices to either work or personal use only, but that is not as realistic as it sounds. If devices like laptops and desktops are not secured properly, they can be potential entry points for external threats. Protecting computer logins with 2FA is a tactic that can help safeguard devices from unwanted access or misuse.
With the current climate, there are many unknowns, but the security infrastructure doesn’t have to be one of them. By taking the necessary precautions, like setting up 2FA wherever possible, an organisation can continue business operations with the majority of its workers at home while also having peace of mind regarding security.
This article was contributed by Geoff Schomburgk, Vice President for Australia & New Zealand at Yubico
