The COVID-19 pandemic saw a seismic shift in remote working, with over 70% of office workers working from home all or most of the time, according to PEW Research Center. While initially intended to be a temporary measure, the advantages of remote work means that many won’t be shifting back, particularly since evidence points to no significant impact on productivity. Many industries, especially IT, expect remote work to become permanent.
This has affected various aspects of working life for both organizations and employees, but, perhaps most importantly, it has created serious gaps in cybersecurity defenses. We look at some of those security issues and how you can start securing your remote and hybrid workforce.
Remote workforce security was never a top priority for most security teams. It was a relatively rare occurrence, and attackers couldn’t consistently rely on identifying and compromising permanently remote accounts. The large-scale move to WFH shifted the remote workforce security paradigm and created significant challenges for security teams.
Increased Attacks: The sudden move to remote work led to a massive surge in cyberattacks. An HP study found a 238% increase in global cyberattack volume during the pandemic. Additionally, it reported a 667% increase in phishing attacks and a near 500% increase in ransomware attacks exploiting vulnerable access points in remote workforce security.
Expanded Attack Surfaces: Remote working circumvents the standard secure perimeter cybersecurity approach, with secure firewalls and approved devices. Now, there are potentially thousands of backdoors accessible through unsecured individual devices that are given network access. Moreover, remote work required new apps and services with no time for thorough security vetting. Nearly three-quarters of organizations surveyed by Forrester say recent cyberattacks came from insecure technology deployed to cope with remote work.
Insecure Home Networks: Home Wi-Fi networks are shared by every other personal device in the household, such as children’s laptops, domestic IoT devices and home printers. These are rarely configured to the same enterprise security standards as a corporate office. A recent Bitsight study found that home networks were 3.5 times more likely than corporate networks to have at least one malware family and that nearly one in seven work from home IP addresses have exposed cable modem control interfaces.
Security Protocol Fatigue: Previously, employees could rely on their in-house security teams to ensure the security of all workspace devices. With the lack of in-person help, the lines between secure professional equipment and personal devices have become blurred; 70% of workers in a report by HP admit to using their work devices for personal tasks, and nearly the same amount use personal devices for work tasks. This lax approach makes securing your remote and hybrid workforce even more difficult.
According to a recent Gartner survey, 82% of organizations plan to offer a remote work option at least some of the time. Businesses need to provide these employees with consistent, convenient access while making sure their remote workforce security controls protect systems and data against an ever-growing number of cyberthreats. The below measures can greatly assist in securing your remote and hybrid workforce while also improving productivity and reducing strain on security and IT resources.
Passwords are one of the biggest weaknesses in any security system — so much so that the federal government issued an executive order mandating MFA for its agencies and contractors and cyber insurers are requiring MFA to get coverage.
Multi-factor authentication requires signing in with two independent factors: something a person knows (e.g., a password), something they have (e.g., a phone or security key), or something they are (e.g., biometric identifiers). MFA adds a layer of protection for remote workforce security but just how much protection varies widely. Hackers can bypass MFA solutions that use phishable factors such as OTP codes or SMS fairly easily, or with attacks that exploit "push fatigue." In fact, HYPR's State of Passwordless Security Report 2022 showed that push notification attacks increased 33% over the past year alone.
The most secure MFA is one that removes passwords altogether. This holds for two reasons — anytime a password, OTP or any type of shared secret is part of authentication, it can be phished or intercepted. The other comes down to the irritating, fragmented login experience with traditional, password-based MFA, which often causes employees to cut corners or find workarounds. That’s why, despite heavy pushing, Microsoft found that among its Azure AD customers, only 22% use multi-factor authentication.
Passwordless authentication solutions replace the password with biometrics or other secure authentication factors. To be considered passwordless MFA, it must use at least two verification factors that do not involve any kind of knowledge element. Passwordless solutions vary widely in their security and user experience. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) considers FIDO-based solutions the gold standard.
Remote working means many employees access corporate resources through virtual private networks (VPN), virtual desktop infrastructure (VDI) and Remote Desktop Protocol (RDP). While these are meant to provide secure remote access, often they are riddled with security holes and may require only a password for login, leaving your systems and data exposed to attack. Make sure to regularly patch All VPN systems against any discovered vulnerabilities. In addition, hardening your defenses at the point of access to these systems through robust MFA goes a long way to securing your remote and hybrid workforce. Ideally a single MFA solution covers your apps, desktops and remote access points.
Remote work increases the occurrence of devices needing to be unlocked while the user is offline due to patchy or inaccessible internet coverage. Some methodologies, such as passwordless remote login using decentralized device-stored PINs, enable, enable users to securely identify themselves offline to gain access to the systems they need. Hardware security keys (e.g. YubiKeys) are another option, particularly for administrators or employees without a smartphone.
Even if your organization doesn’t have a specific Zero Trust initiative, workforce identity security for remote users requires you go beyond the notion of a secure perimeter and assume that any user, device, or service could be compromised. In other words, Zero Trust. In this scenario, multi-factor authentication becomes your gatekeeper. As mentioned, organizations often find gaps in employee MFA adoption, especially among remote workers.
HYPR’s Passwordless MFA technology removes dependence on vulnerable passwords, OTPs and other insecure authentication methods by turning off-the-shelf smartphones into FIDO-based security keys. It protects your remote and hybrid workforce against phishing, credential stuffing, account takeover and other credential-based attacks while providing a smoother remote work experience.
To learn how HYPR’s True Passwordless solution can help your organization secure your remote and hybrid workforce, our guide to a Passwordless Remote Workforce or talk to our team.