Securing the Enterprise When Employees are Remote

Saw a number of variants of this as I worked from home during COVID.  Good thoughts

Securing the Enterprise When Employees are Remote,  By Keith Kirkpatrick

Commissioned by CACM Staff, September 29, 2022

Permitting workers to split their time between their home and office can improve job satisfaction and, in some cases, productivity. However, hybrid work arrangements can introduce additional layers of complexity and risk to an organization's technology systems and data. As such, IT departments need to consider several security technologies, processes, and policies to guard against cybersecurity threats that can be more easily exploited by workers that are on the go, or are working in unsecure environments.

For starters, security experts interviewed for this article highlight the importance of insisting that hybrid workers utilize virtual private networks (VPNs), which allow a direct, secure connection between their device and a corporate system, as well as virtual desktops (which ensures all activity and data remain within a corporate, secure environment) when accessing company inormation offsite.

IT leaders also must reinforce to hybrid workers that the most basic strategies used to mitigate security risks within a traditional enterprise environment are still relevant, no matter where a worker may be physically located, or what type of device is being used to access network resources.

"Before purchasing the newest endpoint protection software or cloud-based identity solution to help secure assets and connectivity, leadership should instead begin by authoring policy and standards that support the both the organization's remote work strategy and the overall business strategy," says Jon Anderson, manager of Schellman & Co., a global cybersecurity assessor. "The policy and standards should include language which clearly defines expectations regarding the physical security of the remote work environment, rules for the use of corporate equipment, security considerations for working from public locations, remote network access requirements, employee bring-your-own-device responsibilities, and incident reporting guidelines."

Steve Tcherchian, chief information security officer and chief product officer at cybersecurity solutions company XYPRO, says that if a worker is permitted to use their personal devices, such as laptops or smartphones to access any company resources or networks, children, spouses, or others in the household should not have any access to these devices, given the possibility that malware or viruses could've ben inadvertently downloaded. Says Tcherchian, "You don't want a game or app your kids downloaded three months ago to be the reason your company's network is now compromised."

For hybrid workers, providing them with ongoing training in short bursts may be the key to establishing good cybersecurity practices that become second nature, even when the user is not under the watchful eye of the onsite IT team, explains Rahul Mahna, managing director at EisnerAmper's Outsourced IT Services team. "We don't have a one- or two-hour cybersecurity training, like some firms do," Mahna says, noting that EisnerAmper will conduct phishing tests every quarter, and then if a worker fails a random phishing test, they're immediately prompted with a two-to five-minute video to teach them what they did wrong. "We found a really high [information] retention rate and level of understanding with those learning 'snacks,' versus making them sit down for a couple of hours of extended cybersecurity training."

Security experts say organizations need to take a risk-based approach to security, which can involve three key strategies: zero trust, validating users rather than devices, and monitoring data and nework access patterns for anomalies.

"Employees will be connecting from everywhere," says Murat Kantarcioglu, a professor of computer science at The University of Texas at Dallas and director of the Data Security and Privacy Lab at UT Dallas. "And this requires the use of a zero-trust architecture, where you don't trust anyone or anything."

A zero-trust security architecture requires all users, whether in or outside the organization's network, to be authenticated, authorized, and continuously validated before being granted or keeping access to applications and data. Many organizations have adopted the NIST 800-207 standard, which recommends specific authentication and authorization functions that must be performed before granting access to a specific resource, and was initiated in response to the growing use of distributed network assets, remote users, and bring-your-own-device policies which gained popularity during the pandemic.

Organizations have used some sort of multi-factor authentication to control access to a company resource. This authentication works on the principal of so-called trusted devices, which presumes that the recipient of the code is also the owner of the device it was sent to. A typical process involves a user entering a login credential, and then, a second verification code is sent either via an SMS message, or through an authentication app on a second device. The user must then enter that code to gain access to the requested asset or network.

However, criminals and scammers have tricked some users into sharing the access codes, often by calling users and pretending to be a legitimate organization such as the post office, bank or even an IT professional from a company, and asking for the code that was just delivered to your phone by text or email. That's why some companies are moving to a security concept known as identity access management, where individuals, rather than devices, are consistently verified and authenticated.

Through the ubiquity of cellphone cameras and facial recognition techniques, users can be authenticated and verified each time they need to access a sensitive application or system. One such system is offered by Nametag, which employs the use of AI to scan a user's government-issued identification to ensure its legitimacy, and establish a person's identity. Then, a user shares a photo of themselves so it can be matched to the photo on their government-issued credential using AI, which compares the specific, non-changing features on a person's face, such as the distance between their pupils, across the two images to ensure confidence in the match. ... '