Partner Insight: Home working: the need for multi-factor security
During the months of lockdown and widespread uncertainty, it can be easy for unwary staff to fall victim to data breaches. Convincing scams and malicious links are rife, some linked to health or finance issues that prey on people's hopes and fears.
Computer viruses and malware can lurk in IT systems for long periods dormant and undetected, while crypto-jacking tools can do something just as insidious and costly: covertly use the organisation's processors and electricity to make money for others.
The home working risk
At the same time, the dispersed nature of most teams at present means that some home workers may be taking security risks of their own without realising it: sharing devices with family members, using unsecured WiFi connections, ‘shadow' IT, or unsanctioned apps within their departments.
Like the IT functions of a much earlier age, many organisations have had to ‘make do and mend' during the COVID-19 crisis, feeling their way into this world of home working at unprecedented scale.
Others may have found that their corporate laptops or operating systems are out of date, and so are unable to run recent apps for online collaboration and videoconferencing - increasing costs for the organisation as upgrades are forced on them just to keep business ticking over.
Supporting the team
Even those companies that had factored remote, agile working into their corporate strategies are likely to have found themselves ill prepared for up to 100 percent of staff doing their jobs away from the office for months on end. For many CIOs and IT leaders, supporting this level of remote access as the senior responsible owner and protector of the organisation's data has been a significant challenge.
A Verizon report in 2015 found that over 50 percent of data breaches were due to lost login details, passwords, and other credentials. Other surveys have found that many people still use weak, guessable passwords, while some use the same strong password across dozens of different services to avoid having to remember multiple identities.
In the latter case, a successful hack of an online repository could reveal those details to organised criminals; there is a healthy trade in stolen credentials on hackers' forums.
Don't make it easy for them
The ease with which a criminal or opportunistic hacker could assume an employee's identity is just one part of the problem, particularly if home workers are using insecure smart-home devices that give attackers an easy route into the domestic network - and from there into the corporate one.
Other techniques, such as phishing or spear-phishing, aim to trick people into divulging their details, while ransomware locks up devices and data, forcing people to make cryptocurrency payments.
The multi-factor solution
In our private lives, most of us expect strict levels of security from the apps and platforms we use for sensitive tasks, such as online banking, so it's reasonable to expect similar precautions when logging on to corporate networks and applications. After all under GDPR and the Data Protection Act 2018, the penalties for not securing private data can be severe, while the damage to reputations can be long lasting.
All of these threats are why the simple ‘user name plus password' approach to security is no longer deemed sufficient by sensible organisations. Multi-factor authentication (MFA) is essential. Such techniques are particularly effective when deployed at hardware level, and they have the additional advantage of negating the need for passwords at all, which makes the hacker's task much harder.
Amongst the multiple elements that can be triggered or demanded by MFA include a personal identification number known only to the user, a unique code sent by text to the user's registered phone number, or even a biometric identifier, such as a fingerprint. In most cases, it's highly unlikely that a hacker would have access to each of these identifiers.
The greater the number of factors included at the checkpoint or security gate, the greater the assurance that the person is who they say they are and so should have authorised access to the device, application, network, and/or data.
One feature that would be particularly beneficial in a home-working scenario is presence detection and/or a timed lock-out, so if a user leaves their device logged in but is away from their machine, or inactive for an extended period, they can be disconnected from the resource.
By making security a more seamless and less inhibiting experience for the user - and for the IT support team - organisations can enhance the user experience of their employees whilst making them more secure at the same time.
To learn more about how the Intel vPro® Platform supports MFA, click here