The UK’s workforce has been working from home, where possible, for over two months now. And whilst the lockdown restrictions are starting to ease, its impact on growth has been less significant than first thought.
Some companies, such as Twitter, have even gone on record to offer employees the opportunity to work from home “forever”, if they choose. The truth is that the pandemic has merely been a catalyst to a transition already in process, rather than a watershed in itself; almost three quarters (73%) of UK employees considered ‘flexible working’ to be the new norm before the pandemic had even plotted its course.
Remote working does, however, bring a host of new realities that businesses must account for before taking the plunge. It’s not as simple as just logging on from home. Changing cyber security dynamics are a key issue that must be recognised when employees work from outside the office. Many organisations rely heavily on legacy solutions such as VPNs, which simply don’t cut it in today’s advanced-threat landscape. Each end user must ultimately be treated as an individual and receive proportionate, appropriate access to an organisation’s network based on their specific job role. This can prove a tricky situation to handle, with contemporary businesses collaborating with a myriad of different workers: IT technicians, third parties, and consultants, to name a few.
We’ve identified below the top five types of remote workers who require elevated privileges to systems, and how best to secure them, to help clarify these intricacies.
Remote IT Employees
Domain admins and network admins are included under the banner of ‘remote IT employees’. These workers often access critical internal systems when working within the office and have now been forced to do so from home. This, to put it bluntly, causes problems.
Whether in the office or working remotely, these users should already be a priority in terms of controlling their access through Privileged Access Management. Time and time again, attackers specifically target these users due to the wide-ranging, full-administrative access that they possess. The majority of this user base is now working remotely – resulting in a highly targeted group of users, with high impact if compromised, operating in an area of much greater risk exposure.
Traditional solutions like VPNs were not designed to secure this high-risk group, resulting in separate processes being deployed for this community to get the access they need. Instead, organisations should look to more modern approaches that directly integrate with their Privileged Access controls, for greater security, operational ease and (importantly) a better user experience.
Supply Chain Vendors
Supply-chain vendors are often brought in to support the delivery or production of goods – an area that has been disrupted on a massive scale by recent events. Part of their work includes monitoring inventories and other data such as quality control and forecasted output, so these teams naturally need access to an organisation’s network.
These vendors may not be the first that come to mind because they’re not as qualified as administrators. But supply chain vendors are often provided access that could be leveraged in a dangerous way by malicious attackers, or could become a serious problem through inadvertent internal misuse. Businesses can use specified privileged credentials to diminish the threat they pose, as these allow vendors to access only the specific areas of a network they require to operate.
Third-Party Hardware and Software Vendors
Third-party vendors are seen by businesses as a top 10 security risk, according to our . This includes both hardware and software vendors, both of whom normally require admin-level access to a variety of servers and databases to operate effectively.
Third parties are therefore entitled to very high, and in some cases, far-reaching privileges, which represents a huge risk if their access is targeted by attackers. Identifying these users and accounting for their individual levels of remote vendor access is usually done on a case-by-case basis by administrators. The downside of this vital measure is that it can take a huge amount of time, so many businesses are beginning to introduce automated security policies which authenticate each user when they try to access certain information or systems.
When it comes to users from external services – PR, marketing, legal, and so on – identification should be the first step, as is the case with all other users. Then, enforcing the principle of least privilege should be a priority, stopping them from having access to any sensitive data or assets.
Additionally, business-critical applications such as Customer Relationship Management (CRM) or Enterprise Resource Planning (ERP) software are important for business continuity and operations, but in the wrong hands the data that lives in these applications can be misused. Identifying who has access to said applications is important. It’s rare that attackers directly exploit a vulnerability in such products; instead, they identify misconfigurations which could be leveraged. The path of least resistance here, for the attacker, is the unsecured credentials used to access said applications – both by human users and by automated processes (used for, for example, reporting and data processing).
Consultants, whether providing business or IT support, need access to internal data. They are often working in a temporary capacity and may only require access for a few days, but within those few days they will likely need a high level of access to specific assets.
Identifying these users early on and what type of access they require helps reduce risk and safeguard the business. In addition, an external consultant’s access should be proactively monitored and closely secured while active. Their access should also be automatically deprovisioned as soon as their contract concludes to prevent it from being abused.
Whilst it can seem like an overwhelming task to secure the broad range of users who have access to an internal network, there do exist some solutions that bear the weight of the burden. One such solution is Privileged Access Management, a cyber security measure that provides individual accounts with unique access controls. Third-party vendors, consultants, and service companies therefore only ever have access to the areas of a network that are vital to their functions. Contemporary SaaS solutions provide the answer to those businesses that are looking for a one-stop-shop for remote security.
If businesses are seriously shifting to a model where remote access to critical assets and data is common amongst the various types of users that may have once done so only within the confines of corporate infrastructure, this must be done under a ‘new normal’ model of security. They will have to adapt to the differing security threats that accompany the freedom of working from home. This means that what all types of user – from remote employees to external consultants and supply chain vendors – access, and how they access it, must be accounted for, monitored, and controlled. Without doing so, organisations risk losing the benefits of a flexible workforce and ecosystem. Convenience must not trump security in the pandemic era.
Author: David Higgins, EMEA Technical Director at CyberArk