The concept of working from home and remote workforces has been around and in practice for a while now, but recent global events have changed the game entirely, with many governments – including the UK’s – now urging citizens to dramatically increase social distancing measures. Indeed, Covid-19 has driven entire offices to close and whole companies to work from home resulting in an unprecedented shift in the working landscape in just a few months. Organisations are having to rapidly adapt, and a vital consideration must of course be security, particularly given cyber attackers’ propensity for opportunism during times of crisis.
Unfortunately, distressed global climates and times of uncertainty are prime times for hackers to launch attacks and we can already see targeted Coronavirus-themed phishing attacks in circulation. Therefore, it is imperative that organisations implement business contingency plans that prioritise protecting remote workforces from attacks. Securing a remote workforce, while also ensuring that productivity is not negatively affected, is a daunting task but there are several ways this can be achieved and considerations that should be made:
Step up authentication for password managers – Far too many of us remember our passwords by writing them down or by creating passwords so easy that we couldn’t forget them. For example, according to a review by the UK’s National Cyber Security Centre, ‘123456’ is the most common password. What’s more, recent research from Ponemon Institute has revealed 43 percent of IT security respondents say sticky notes are used to manage passwords in their organisations. This creates obvious security issues, given that these passwords could be found or very easily guessed by a bad actor. Remote workers or not, employees need a simple and safe way to create, store, and manage passwords. Hardware security keys integrated with enterprise-grade password managers are a good step to take in achieving this.
Acknowledging limitations of basic multi-factor authentication (MFA) – MFA methods are commonly used as an additional layer of security to business IT networks. Given that home networks are often less secure than business networks, MFA is vital in these new circumstances. The most basic examples are two-factor authentication (2FA) methods such as memorable words or SMS One Time Passwords (OTPs), but, while these do provide some increased security, they are still vulnerable to modern phishing and man-in-the-middle (MitM) attacks. In fact, phone-based attacks are increasingly common, with ‘SIM-swap’ fraud on the rise. Not to mention that the cumbersome process of inputting answers and passcodes doesn’t exactly fulfil the brief of increased security without hindering productivity. If OTPs via SMS are to be used, it’s therefore advisable for these to also be backed up by a separate, external authenticator.
Embrace superior multi-factor authentication (MFA). Doing away with passwords altogether and implementing more superior methods of MFA, such as a mobile authentication app or a hardware security token, is the most secure option that will have little impact on user security. New standards are offering security without the issues outlined above, for example WebAuthn, the first global accepted standard for web authentication and a core component of FIDO2. WebAuthn offers users multiple ways to authenticate, for example hardware security tokens or an app. This is especially important in the current global climate as it allows organisations to offer a degree of personalisation so employees can find an authentication method that works for them.
In these ever-changing times, it is increasingly important that organisations address security concerns head on and work to find measures that will keep remote workers safe. All the options presented here will increase security beyond the traditional password and username combination, so it is important that businesses find the method that works best for their employees.
John Gilbert is General Manager UK&I at Yubico