Why remote workforces need better strategies for security and data protection [Q&A]
The last couple of years have seen businesses undergo a major shift to remote and hybrid working, largely driven by the pandemic. But this same period has also seen record numbers of data breaches.
Often these attacks begin with phishing to get hold of credentials which can then put both in-house and cloud systems at risk.
What strategies can companies put in place to address these challenges and improve their protection? We spoke to Horacio Zambrano, CMO at workforce authentication specialist Secret Double Octopus to find out.
BN: Have businesses been caught out by the sudden shift in working patterns?
HZ: Most businesses were caught off guard in one way or another. Some were already virtual and cloud-oriented so the shift to remote work just meant scaling what they were already doing For others, it was much more drastic and meant immediately scaling age old VPN technologies as a first step. The VPN reaction was good but only one of a few steps companies need to be enacting for better security around remote work.
BN: What are the first steps towards strengthening protection for remote workers?
HZ: The first steps include enabling VPN, turning on MFA for all workers, ensuring OS patches are applied and turning on endpoint protection suites. End user education around phishing and ransomware is also very important. When it comes to MFA, passwordless is best but traditional MFA is better than just a password.
BN: Does providing better security necessarily have to harm productivity?
HZ: In many areas, security no longer has to harm productivity. In authentication for example, MFA is better security but introduces more friction. Passwordless is a newer form of MFA and more fluid than traditional MFA while providing better security at the same time.
The key benefits of passwordless authentication include much lower data breach risk, given compromised credentials drive many of them, lower costs related to help desk end user support and maintenance, and reduced cost for some companies with complex multi-vendor access management and MFA stacks.
BN: How important is education in ensuring everyone understands their role in protecting data?
HZ: Humans are still the weakest link and education is very important. End users may complain when new technologies are enabled even if they are more seamless, just because they are different. The companies with the most successful security programs are educating their end users, helping them see the big picture and creating avenues for feedback, onboarding and support.
BN: What additional precautions can businesses take to secure multiple endpoints across their remote workforce? Is passwordless authentication enough to narrow vulnerable attack surfaces?
HZ: Passwordless authentication is more secure then MFA, which is more secure than password only. Strong authentication by itself won’t protect against everything but it is likely the most impactful single prevention strategy an organization can take outside of ensuring that every home user has a firewall correctly set on their internet modem and endpoint.
BN: What are the most common challenges businesses with remote workers face in the adoption of passwordless authentication?
HZ: The most common challenge businesses will face with respect to remote workers is having a solution offering full coverage in their chosen solution. It’s important to enable passwordless for every possible use case a worker encounters. Not only are cloud or mobile apps required, but logins to desktops, VPN, VDI systems and legacy on-premises applications can be tricky for many vendors to negotiate end-to-end.
BN: If a data breach occurs despite implementing more robust security measures, what are the immediate steps you'd recommend?
HZ: Companies should have comprehensive plans in place for when this takes place. The list is long but includes deploying SecOps to fully ascertain the 'blast radius' or extent of the breach, bringing in outside investigatory groups if the in-house expertise is limited, notifying authorities per regulatory disclosure requirements, contacting their cyber insurance provider and potentially going into PR crisis mode.
BN: Besides the ones we've discussed, what other tools can remote workers and businesses adopt to strengthen their data security?
HZ: Endpoint file disk encryption is a must for data security. Technologies like VDI, local hypervisors and browser isolation platforms are also effective strategies. Disallowing connectivity to IT sanctioned cloud apps (via the use of SSO and CASB solutions) or the corporate network from unmanaged devices is also effective.
Perhaps the most effective security protocol is to never allow executables or files with macros as email attachments and encourage people not to click on such files from individuals outside of the organization.