Remote Work Doesn’t Mean The Risk Is Remote
By: Chad Carter, VP of North American Sales, WALLIX
Ever since the pandemic prompted millions of office workers to start working remotely, company cybersecurity teams have been playing catch-up to mitigate risk exposure. It’s a long-term project. Even though vaccines are on the way, remote work will likely continue because employees value the flexibility of working from home. When it’s safe to reopen, many companies may shift to a hybrid workforce model, so cybersecurity leaders will need a remote work-friendly security solution.
The danger is real. A Malwarebytes survey found that remote work heightens risk significantly. Nearly a quarter of surveyed cybersecurity and IT professionals said their companies incurred unexpected costs related to an attack. Also, 18% said employees don’t make cybersecurity a priority, and 5% said employees don’t know security best practices and are themselves a security risk.
Since the heightened risks associated with remote work are here to stay, now is the time to upgrade the company’s cybersecurity posture, educate employees on risks and put additional preventive measures in place. Stopping breaches in the work-from-home environment requires adjusting the company’s security stance to eliminate new avenues of risk. One way to do that is to adopt a Zero Trust approach.
Trust No One, Verify Everyone
A Zero Trust approach means what it says: a cybersecurity policy based on the principle that no one who is trying to access sensitive company assets is automatically able to do so. Users have to be granted access to network resources to do their jobs, of course, but Zero Trust is much more robust than a system that merely asks users for login credentials and grants broad access based on that alone.
Zero Trust takes it several steps further by asking users to demonstrate that 1) they are who they say they are, 2) they have authorization to access the resources, and 3) they only have access to the resources necessary to do their job. Only then is entry granted under a Zero Trust policy. In other words, users can’t access the organization’s critical assets until they offer proof that they have the credentials and identity required to access them and that they need access to those specific resources.
A Zero Trust approach is a cybersecurity policy stance, not a technology solution. Companies that build a Zero Trust architecture can put the technology in place to seamlessly control who has access to which resources and secure any endpoint used to gain that access. That’s what makes a Zero Trust strategy much more solid than traditional credentials-based access. With the right technology, Zero Trust doesn’t slow users down, but it improves security and provides a way to trace all user activities on the network.
Implementing a new Zero Trust security architecture can be a challenge: the team has to determine the right tools to secure systems without disrupting workflows or straining budgets. One solution is to start with the most sensitive assets, implementing privileged access management (PAM) controls first to protect the most sensitive IT assets and then scaling up. Centralized PAM technology facilitates privileged user access to ensure the highest level of security and enable tracing and monitoring to protect sensitive data.
With a PAM solution in place, the cybersecurity team can then move towards securing access to less-sensitive assets. Adding an endpoint privilege management (EPM) solution and deploying multi-factor authentication (MFA) technology complete the holistic Zero Trust architecture. EPM controls privileges at the application level, regardless of user privileges, and eliminates local admin rights, enabling effective endpoint control. MFA requires proof of identity to prevent misuse of credentials, which completes the Zero Trust ecosystem.
Think Security to Take the Risk Out of Remote Work
As the Malwarebytes survey showed, cybersecurity professionals believe a significant portion of employees don’t prioritize security. That’s a serious problem, and it’s exacerbated in a work-from-home environment where more than a quarter of employees admit they use personal devices more than they use equipment provided by the company, potentially opening a new point of risk exposure.
Cybersecurity leaders can reduce the risk by working with colleagues to build a stronger security culture throughout their organizations. Employee training can help by putting security best practices top of mind. It’s also critical to educate the executive level so that everyone understands the stakes. When executives model good security behavior and make it clear that mitigating risks is a priority at the top, it encourages staff at every level to focus on security more.
Adopting a Zero Trust approach as a mindset can be an important element of an organization’s security culture. The concept might seem somewhat negative at first — employees don’t want employers to perceive them as untrustworthy, after all. But under Zero Trust, everyone is treated the same way. A Zero Trust framework by definition makes no assumptions and requires proof before granting access.
The fact is, a Zero Trust approach and a strong security culture backed by a Zero Trust security architecture keep data and systems safer, and that benefits everyone involved, including employees, customers and the company. In the current environment where threats are proliferating because more employees are working remotely on their own devices, the Zero Trust approach is the best way to keep risks minimal while employees work remotely.