By now, many companies have accepted that working from home and remote working are likely to become the new ‘normal’. But that doesn’t necessarily mean their network and systems are up to the task.
Many businesses will have rushed to set up quick-fix systems with inadequate network controls or encryption, or used sub-par authentication services — an indication that they didn’t have a robust remote access strategy or plan in place already.
However, whilst these stopgaps may have worked okay up to this point, it’s only a matter of time before such businesses experience a breach. Organisations, therefore, need to start putting more concrete long-term solutions in place to secure their systems and data as employees and third parties continue to work from home for the foreseeable future.
Disregarding best practices
It shouldn’t come as a surprise that many employees — and indeed, companies — aren’t following cyber security best practices while working remotely. Entrust Datacard recently released the findings of its State of Remote Work Cyber Security Survey, which highlights the critical need to address security concerns for employees working from home.
According to the findings, 30% of respondents are using one or more personal devices for work rather than company-issued ones. This creates opportunities for employees to make use of shadow IT, which could leave company data and systems vulnerable to phishing and malware. Worryingly, 29% of these people are then sharing that device with other members of their household, which creates further risk.
The survey also found that most employees (64%) still use passwords to log into work accounts, whilst 20% reuse the same password across multiple work accounts — rather than using more secure solutions like single sign-on with multi-factor authentication.
Although 63% of those surveyed are connecting to their company’s Virtual Private Network (VPN), 25% are not, and 9% say their company doesn’t have a VPN. Many companies rely on VPNs to grant access to corporate applications from remote locations.
However, in many cases, companies are deploying VPNs with broad and unlimited access rights to organisational networks. This is evident in the survey findings, which show that 61% of employees only use a password and username when logging into the company VPN, instead of a multi-factor authentication method.
Finally, and perhaps most concerning of all, is the fact that 24% of respondents continue to click on a link from an unknown sender before determining its legitimacy — despite 81% being aware of phishing attacks.
What’s the solution?
In short, adopting a zero-trust approach, which is based on the premise that all users are untrusted. We recently spoke about the concept and how to establish zero-trust architecture across networks, applications and access points. This model is emerging as the preferred remedy for addressing working from home and other remote working security challenges.
Authentication is a good tactical start to adopting a zero-trust approach. With software as a service (SaaS) solutions, multi-factor authentication — which often includes user behaviour analysis algorithms — is quick and easy to implement and carries a much higher level of trust than a standard username and password.
Security that relies on just a password or two-factor authentication like a one-time password is woefully inadequate for insecure home WiFi networks. However, authentication services (as described above) require additional proof of identity, meaning they could prevent an attacker from successfully accessing systems or applications if a cyber-attack — such as password spoofing through a coronavirus-related phishing email — exposes employee passwords and usernames.
A zero-trust model also allows for a substantial reduction in traditional VPN networks, which are struggling to keep up with increased demand as employees continue to work from home. VPNs were originally sized to meet the needs of a small number of remote users — not entire companies.
Once authentication services have been implemented, more complex network zoning and trusted networking, together with a cloud access security broker (CASB) solution, can then be implemented over time to establish a more robust zero-trust architecture.
Entrust Datacard offers a range of multi-factor authentication solutions which help to secure and enable remote working. The company was also named as the #1 Overall Leader in the 2019 KuppingerCole Consumer Authentication Leadership Compass Report.
To find out more about our Entrust Datacard services and how to adopt a zero-trust approach, contact firstname.lastname@example.org.