How companies can enhance digital identity protection when adopting remote work
The threat of coronavirus infection has prompted organisations to take swift action—employees are encouraged to stay put and work from home. This allows businesses to continue operating while mitigating employees’ risk of infection. But remote work opens up another threat, this time to your company’s cybersecurity.
Unlike in an office setting where IT departments can easily monitor data security within the company’s network, remote workers are accessing company databases through unsecured networks. This makes their devices, such as smartphones and laptops, more susceptible to malware attacks from third parties, thus putting sensitive information and customer data at risk.
This is especially true if remote employees lack an understanding of the severity of cybersecurity-related risks. Cybercriminals are also becoming more sophisticated with their hacking techniques, particularly when it comes to stealing digital fingerprints. They’re even starting to use artificial intelligence to impersonate people and break into robust security systems.
To avoid inadvertently becoming a gateway for hacks and cybercrime, companies need to build up their employees’ cybersecurity awareness and employ various access and identity management tactics to minimise any security breach due to remote working:
Educate staff on security measures
The first step is to educate employees on the importance of cybersecurity. Guide them on the proper protocols for accessing company data, and provide best practices for them to follow, such as:
- Avoiding downloading non-work-related files, or files from unsecured sources, onto company devices
- Avoiding the sharing of work computers and other devices with unauthorised personnel
- Disabling “remember password” functions on browsers
- Strengthening security by using an effective two-factor authentication solution
You should also train (or re-train) employees to recognise and report phishing attempts. In light of current events, the World Health Organization (WHO) warned of cybercriminals sending malicious emails and pretending to be WHO officials to steal money. These phishing scams trick readers into providing sensitive information, clicking malicious links, and opening malicious attachments.
Phishing scams exploit employees’ lack of awareness of security practices. It was a phishing email that allowed a hacker to steal hundreds of thousands of pounds sterling from Cayman National Isle of Man Bank in 2016. From June to October 2018, a phishing attack targeting Centerstone Insurance and Financial Services went undetected, leading to the potential breach of almost 112,000 customers’ data.
The ability to exploit employees’ lack of suspicion is one reason why malicious emails are among the most common forms of cyberattacks. These emails are often used to launch ransomware—and damage costs to businesses arising from ransomware are expected to reach US$20 billion by 2021.
Also, it’s important to provide employees with clear guidelines on how to report suspicious activity and potential data breaches. This information will be your best defence in the context of remote working.
Establish secure access
Deploying a Virtual Private Network (VPN) for remote access is a common way to ensure a secure connection between company systems and external employees. VPN services can hide the user’s IP address, encrypt data transfers, and mask the user’s location. These tactics can help protect sensitive information from the prying eyes of cybercriminals. Companies should also deploy additional authentication mechanisms at VPN login to ensure the right employees are entering the network.
For employees who need to access sensitive data, companies can deploy session monitoring and recording capabilities to identify any sign of compromise that could affect their systems. These records also aid in performing security audits, especially in the event of a suspected breach.
Keep passwords strong and varied – or use a Single Sign-On solution
A weak password is all it takes to break into a company’s system. The best way to get your employees to stop using simple passwords such as “123456789” for everything is to enforce a company password policy.
Traditional advice would recommend:
- Having a minimum of 12 characters
- Including numbers, symbols, and uppercase and lowercase letters
- Staying away from words found in the dictionary
- Not relying on substitutions (e.g., h3ll0 for “hello”)
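The four rules above expressed as an automated check, as an added example that is not part of the original article. The wordlist, substitution table and function name are assumptions made for illustration.

```python
import re

# Constructed sample wordlist (assumption); a real deployment would load a
# full dictionary plus a list of known-breached passwords.
WORDLIST = {"hello", "password", "welcome", "company", "summer"}

# Common character substitutions, undone before the dictionary check.
DELEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12


def policy_violations(password):
    """Return the list of rules from the advice above that `password` breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "number": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    lowered = password.lower()
    # Check the raw text first, then the text with substitutions reversed,
    # so "h3ll0" is reported as a substitution rather than slipping through.
    plain_hits = sorted(w for w in WORDLIST if w in lowered)
    deleet_hits = sorted(w for w in WORDLIST
                         if w in lowered.translate(DELEET) and w not in plain_hits)
    problems += [f"contains dictionary word '{w}'" for w in plain_hits]
    problems += [f"contains substituted dictionary word '{w}'" for w in deleet_hits]
    return problems
```

An empty list means the password satisfies all four rules; anything else names the rule to show the user at password-change time.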
There’s a catch: it’s difficult to remember several complex passwords, so employees might end up writing them down on paper or noting them on their phones or laptops. This exposes your firm to the possibility of password theft.
One way to combat this is by enabling universal sign-on to the company’s database and cloud systems. Opt for a single sign-on server so you can avoid the time and cost required to manually install software on every single device. This will also help you lower help-desk costs by reducing the number of password reset calls.
Implement access controls
Depending on their tasks, you can delegate access to your remote team so they gain entry only to documents that are relevant to them at the time. Consider when access becomes unnecessary, and place restrictions once your employee has completed a task.
Be sure to customise the level of access employees have to data as well. As the administrator, you probably have all the rights to move around and edit information. But for others, you can restrict their access by granting them viewing rights only. This ensures that they are unable to copy or download sensitive data onto their personal devices.
If you already have access controls in place, be sure to keep them updated, especially as employees’ roles change.
You can also add an extra layer of security by enabling multi-factor authentication, where users who want access to certain data need to go through several identity verification measures before they can see it.
Develop a contingency plan
The worst has happened: your data has been hacked! What now?
To address the security breach as soon as possible, you need to provide a clear and detailed contingency plan so your employees will know exactly what to do in this situation. That means training them on whom to get in touch with and how best to inform the designated recipient.
Likewise, your IT or breach response team should be extra alert during these periods of increased risk.
Coronavirus isn’t the only thing we need to worry about
Pandemic or not, in the age of digital mobility, one of the best security precautions an organisation can take is to raise awareness. While VPNs and company-issued work devices can create secure environments, companies must be vigilant in implementing extra security measures.
As discussed, these include:
- Increasing staff awareness of cybersecurity
- Stepping up remote access security, such as VPN access, session monitoring and recording
- Enforcing company password policies to ensure password strength
- Managing access to the company’s databases and systems
- Reinforcing the need to set up two-factor authentication to prevent unauthorised access to private information
Especially in light of the COVID-19 pandemic, more organisations are becoming open to the idea of remote work. Amid this rapid shift in the way we work, companies need to adjust and maintain their cyber defences.
i-Sprint is a leading solution provider in identity, credential, and access management that enables organisations to create a trusted environment and optimise productivity even in the face of evolving cyber threats and identity fraud tactics.