For more than a century, the working day has revolved around employees travelling to a fixed company location for eight or nine hours. However, the status quo has dramatically shifted in the last few years.
Advances in technology have gradually granted workers more freedom and flexibility in when and where they work, and the advent of the cloud has accelerated the process rapidly. Cloud-based applications now enable users to access work resources at any time or location, whether it’s an early start at home, an overnight flight, or at a coffee shop between meetings.
These new working practices were reflected in the 2018 Duo Trusted Access Report, which analysed data from nearly 11m devices and half a billion logins per month. The research found that 43% of requests to access protected apps and data now come from outside the office and network. For the largest businesses, Duo observed a 24% spike in the number of unique networks accessed over the last year.
We are likely to see this figure continue to increase as technology develops and businesses experiment with new working models.
As is too often the case, however, as companies race to take advantage of the new opportunities, security is frequently left behind. In this new era, the firewall-centred approach of building the perimeter walls higher simply isn’t viable. Instead, organisations need to adopt a ‘zero trust’ approach to users and devices connecting to the network, which can better accommodate the many variables of modern working practices.
The risks of remote working
Many of the risks around remote working result from poor security practices for endpoint devices. Missing software updates are one of the most common problems: a massive 90% of the Android devices we analysed were running outdated operating systems, followed closely by 85% of Chrome OS devices. Just 8% of Android devices had applied the latest security patch, which had been released 26 days before the analysis.
Endpoints running without the latest OS updates or security patches are at a much higher risk of being hit by malware exploits, and threat actors can then use a compromised device to spread their attack to the enterprise network. They may also be able to steal credentials from the device to perpetrate further attacks, or even retrieve confidential data directly if access is not properly secured.
The risk posed by outdated devices is exacerbated further for employees who connect to many new and unknown Wi-Fi networks during their day. Duo’s research found that 26% of users now access two or more different networks every week. Further, 8% accessed three or more networks a week, reflective of the fact that many workers are now almost constantly on the move.
Users who are constantly logging in from new locations are more likely to encounter unsecured Wi-Fi networks, which may be monitored or be vulnerable to “man in the middle” attacks by criminals. In either case, an attacker can potentially intercept confidential data, steal login credentials, or infect the device with malware.
An increasingly remote workforce also makes the process of securing the enterprise network far more complicated. With workers now able to access applications and data from anywhere in the world at any time of day, it is far easier for a cybercriminal to infiltrate the network without being noticed. Unless an organisation has the right controls and tools in place, it is almost impossible to tell the difference between a legitimate user logging on during a business trip, and a threat actor using stolen credentials.
As the enterprise model continues to shift and adapt to the opportunity afforded by new technology, it is essential for organisations to ensure their security models are refocused to match. Rather than the old perimeter approach that was effective for the fixed 9-5, office-based workday, the era of flexible working requires security controls based on risk factors related to users and their devices.
The most effective way of ensuring that remote access requests are coming from legitimate users rather than a cybercriminal using stolen credentials, or a compromised device, is to implement a zero-trust security model.
This security framework provides visibility into, and control over, the organisation’s authenticated users and their verified devices, granting them secure access to applications and data only after they meet specific security policy requirements.
Several processes must be carried out each time a user requests access to network assets. The first step is to verify the identity of the user themselves, which is best achieved with a strong two-factor authentication tool. At the same time, the endpoint device should be assessed to ensure it is fully up-to-date and has not been compromised with any malware.
Organisations can establish their own policies that define the minimum trust and security requirements needed to access applications and data. More valuable and at-risk assets can be protected with stricter controls.
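The access decision described above can be sketched as a per-application policy check. This is an added example, not code from the original article or from Duo; the field names, application names and patch-age limits are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Request:
    user: str
    app: str
    second_factor_ok: bool   # outcome of the two-factor challenge
    patch_date: date         # security patch level reported by the endpoint
    compromised: bool        # endpoint health check found malware or tampering

@dataclass(frozen=True)
class Policy:
    require_second_factor: bool
    max_patch_age_days: int

# Constructed policies (assumed values): the more valuable asset gets the stricter limit.
POLICIES = {
    "wiki": Policy(require_second_factor=True, max_patch_age_days=90),
    "payroll": Policy(require_second_factor=True, max_patch_age_days=30),
}

def evaluate(req, today):
    """Return (allowed, reasons). Network location is deliberately not an input."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, ["no policy for application (default deny)"]
    reasons = []
    if policy.require_second_factor and not req.second_factor_ok:
        reasons.append("second factor not verified")
    if req.compromised:
        reasons.append("device failed health check")
    age = (today - req.patch_date).days
    if age > policy.max_patch_age_days:
        reasons.append(f"patch is {age} days old, limit {policy.max_patch_age_days}")
    return (not reasons), reasons

if __name__ == "__main__":
    today = date(2018, 11, 1)
    # Constructed sample: same user and device, two applications with different limits.
    for app in ("wiki", "payroll"):
        req = Request("alice", app, True, date(2018, 9, 15), False)
        print(app, evaluate(req, today))
```

The same device is allowed into the wiki and refused by payroll, because the decision is made per request against the policy of the asset being accessed.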
While there should be no compromise on strong security, organisations should also be aware of the need to balance this with usability for their workforce. If the security process is too onerous or cumbersome, it will either discourage users from remote working, or encourage them to circumvent the policy with less secure methods. Implementing a single sign-on interface will enable users to access all protected applications in a frictionless way that does not disrupt their working day.
By balancing strict controls and visibility with a seamless, secure login process, organisations can empower their employees to access applications and data at any time or place – without leaving a way in for cybercriminals.