Covid-19 has dramatically changed the cyber-security landscape, highlighting those organisations that were most unprepared for the mass shift to remote working. With the majority of employees still working from home, workforces are more vulnerable than ever before. Not only are people more likely to click on suspicious links when isolated in their own homes, but attacks are also becoming far more sophisticated, targeting VPNs and other exposed areas of businesses.
For example, we’re increasingly seeing attacks over text messages and personal social media accounts. We are looking at a cyber-crime gold rush, as remote IT workers without adequate protection are a gift to cyber-criminals. In the current age of remote work, traditional defence perimeters can no longer effectively protect the workforce, and therefore the business.
With working routines changing, what do companies need to have in place both now and in the future?
While we’ve seen success with organisations quickly scaling remote working security tools, for many this short-term firefighting approach isn’t sustainable. Now more than ever, with this new dynamic way of working, businesses need to make security a top priority. Companies should be investing in security skills and cultivating IT teams that can sustain a remote workforce and keep it secure. Covid-19 has highlighted the urgent need for businesses to shift their mindsets when it comes to security, and the increase in cyber-crime has accelerated the adoption of frameworks such as zero trust.
Zero trust throws away the idea of a trusted internal network versus an untrusted external network; instead, we should consider all network traffic untrusted. The core principle of zero trust is to “never trust, always verify.” In today’s security landscape, it’s all about the people who access your systems, and the access controls for those individuals. According to polls by Deloitte, 37.4 per cent of security professionals say the pandemic has sped up their organisation’s zero trust adoption efforts. It is important to implement the zero trust model if businesses hope to keep their workforce secure, no matter where employees log in from.
As part of this, employing rigorous security solutions such as adaptive multi-factor authentication (MFA) is critical to ensuring malicious actors are not able to access sensitive information. It is far easier to identify anomalous activity with a system of at least two-factor authentication, as it combines passwords with other factors such as physical tokens, contextual information or biometrics. A password is no longer a satisfactory way to make sure someone is who they say they are, and businesses should not rely only on this method of authentication to protect their workforces.
What technologies are needed?
From a security perspective, productised security automation and orchestration tools will be extremely valuable as IT teams become increasingly overstretched. Security orchestration can help solve this challenge, automating many processes such as flagging issues and then actioning the correct response to tackle threats. AI can provide an additional security and information layer by identifying suspicious behavioural patterns.
As more and more data is created, the attack surface grows, creating further access points for criminals to exploit. By integrating automation and AI, organisations can empower their teams to manage cyber-security measures in the most effective way possible.
What are the best practices for employees to follow?
In the new remote-working environment, IT and security teams are not as close to employees, which means employees are the new frontline when it comes to security practices. With more companies adopting zero trust approaches, employees must understand that being secure should be a company mindset. Employees must ensure that their connection to the company is secure and report any suspicious activity.
The main areas of best practice involve being aware and staying vigilant against phishing attempts and malware attacks or hacks. This means not clicking on links in unsolicited emails, and especially not opening their attachments. Never reveal personal or financial information over email or via message, and do not respond to emails that ask for this information. Use a well-known, trusted password manager and generate unique, complex passwords for sites that do not support additional factors. Never trust unverified people or numbers asking for information about the company, no matter who they say they are.
By Jesper Frederiksen, Vice President and General Manager, EMEA, Okta