2020 has been trying. COVID-19 has completely disrupted our collective existence; everyone on the planet has had to deal with the effects of our current reality. Just a few months ago, we were concentrated on staying safe and sane, while businesses wrangled with how to stay in existence in a period of stay-at-home orders, social distancing, and an economic downturn.
Not every business has felt negative economic impacts in 2020. In fact, some industries are thriving, working much the same as they were before. Others have quickly transitioned to a remote workforce, and despite minor disruptions those shifts caused, business remains steady. Some are viewing the move to dispersed workforces as a temporary zeitgeist, born of necessity. But there are real indications that it’s a trend that may be growing roots.
Google recently announced that they’re keeping their entire 200,000-person workforce remote until at least July 2021. Facebook has announced plans to have a considerable percentage of their staff work remotely in the coming years. Many other businesses are keeping their staff out-of-office for at least the foreseeable future.
While quickly shifting to remote workforces has largely been successful, it’s also exposed the fragility of an internet-connected system where credentials are needed to access enterprise systems, applications, and devices. Many dispersed workers connect from unsecured WiFi networks or unmanaged personal devices. And in general, when working from home, most of us feel safer and more comfortable. We let our guard down just a little bit. We shouldn’t. Phishing scams are rife, targeting credentials of remote employees. Hackers have amplified their attempts at malfeasance just as quickly as businesses have changed their workforce model.
For CISOs and those charged with ensuring the security of enterprises, this rapid change in the way we work means solving issues related to remote workers, like how they can access company systems safely. It’s a lot to take on in a rapidly changing landscape. With hackers actively attempting to intercept credentials—particularly those of remote employees—creating and maintaining identity security is more essential to organizations than it has ever been.
Accelerating a growing trend
Remote work is far from new; neither are attempts by hackers to exploit its weaknesses. Back in February of 2020, which feels like years ago, FlexJobs published a report on remote work trends within the U.S. They found that from 2016 to 2017, remote work grew 7.9%. During the previous five years, it had grown 44%; over the past ten, 91%. From 2005 to 2017, there was a 159% increase in remote work.
There are multiple impetuses for this. First, the massive growth in internet technologies allows it. The generations that have entered the workforce since 2005 have also largely grown up with the internet, and are much more adept at learning and adopting new technology. And coming out of the 2008 global recession, workers—particularly younger generations beginning their careers—were wary of the in-office, nine-to-five schedule, and demanded a better work-life balance. So, while COVID-19 has rapidly accelerated the percentage of remote workers, it’s also building on a very established trend.
Exploiting the system
While there are many advantages to remote work, there are also inherent weaknesses. Both enterprises and hackers have been aware of potential cracks in the system for a long time. Employers issue employees a litany of credentials to access everything requisite to perform their duties, and hackers know it. Back in February, a report estimated that 80% of security breaches involved the abuse and misuse of privileged credentials. The report also estimated that the average enterprise with 10,000 employees had 2,500 unique applications, and users were required to utilize dozens, if not hundreds, of passwords.
Herein lies the weakest point in any organization’s IT infrastructure. Employees reuse duplicate passwords, creating weaknesses. They also, understandably, forget many of these passwords, which causes multiple significant issues. First, they have to contact the IT team to be restored to the system. If the employee is remote, this often leads to significant amounts of downtime for the worker as they await a resolution. Forbes cites a recent study that found that two-thirds of employees say their work has been disrupted while IT departments fixed an issue. A quarter say they were unable to work at all while the issue was resolved. Just shy of three-quarters say they had to wait up to weeks for their problems to be fixed.
IT staff are already incredibly busy dealing with the needs of a modern workplace. This adds more work, more stress, and in many cases, increased costs as more IT professionals are hired to deal with the workload.
But the most significant issue this causes is the issuance of temporary passwords. When a staff member is locked out of a system or application, many organizations email them a temporary password or link to reset their credentials. Hackers know this, and actively exploit this system to gain access to sensitive company information or internal systems. Data breaches have exploded this year, up 273% from the same date last year.
While the above number includes personal data breaches, not just those of a corporate nature, security incidents in companies show that hackers are actively targeting, and succeeding in breaching, corporate systems. We’ve seen a large influx of this type of activity in the healthcare system in recent months.
With the influx of patients during the pandemic, and the race to find a vaccine, hackers will likely continue to step up their attempts. Hackers want access to medical records to sell on the dark web. State actors are trying to steal information on COVID-19 vaccine research. While companies operating in healthcare generally have more stringent mandates for identity security than many other industries, they haven’t proven failsafe (or haven’t been followed scrupulously). A data breach in this realm would have profound geopolitical, not just financial, repercussions.
Passwordless identity security is a must. But it can overburden your IT team.
Passwords should be a thing of the past. Staff shouldn’t be using them to access various company assets, and your IT team shouldn’t be issuing them as a temporary solution to access. They’re cumbersome, forgettable, and exploitable.
MFA was, in large part, created to deal with the security issues of remote employees. It remains a best practice for any industry, but identity security is rapidly evolving. As the technology that supports the modern workplace expands, so do the needs for identity and credential assurance.
There are multiple identity credential options that allow enterprises to move to a passwordless existence, and many of them do an excellent job at securing part of your infrastructure. The larger issue is that, to date, there is no single credential to solve all of the use cases of a modern enterprise. Therein lies the problem in moving to and securing passwordless digital interactions.
Consider this: To start a typical workday, team members are often asked to use a smart badge to enter the workplace. Next, once at their workstation, they utilize a YubiKey to log into their machine and to the corporate network. They may be required to have another credential to log in to Office 365. And in most cases, they’ll also have a phone-based token to get into corporate enterprise apps via their mobile device. The situation is even worse for privileged users, who may have multiple MFA devices to access admin accounts.
Setting up your network in this manner can maintain security. The difficulty is really in managing all of these credentials, which creates an onerous load for IT teams. Each credential has a lifecycle, supported on its own platform, which has to be managed. Users still forget to carry their credentials at times, requiring further intervention from IT. Employees quit, which requires action. Others are promoted, and require a different level of security access, which requires another interaction with IT. Each of these scenarios is exacerbated when an employee works remotely, and requires a secure way to regain access in order to perform their tasks without using a temporary password reset.
In the future, we may truly have one credential for everything, or comprehensive biometric authentication, or risk-based (adaptive) authentication, but the technology isn’t quite ready for widespread corporate adoption. Basically, as identity security needs expand, we’re caught in a place where organizations are choosing between the incredibly complex, time-consuming, and secure, or something less complex but less secure.
Enterprises require the highest level of identity security. Those in healthcare, financial, or government sectors require additional layers of security for compliance. In both instances, IT teams have to deal with the complexity of the system, which requires additional personnel and investment from the company. Because multiple credentials and managing them is a reality, organizations should be looking for solutions to simplify this system—to automate the issuance and management of the various credentials required for work, without having to log into multiple platforms.
This is true whether your staff works in an office or remotely. In our current reality, with largely remote workforces, the issues surrounding security are amplified as hackers look for opportunities to exploit and IT staff are stretched thin by the demands of off-premise staff. You can’t compromise on security. But maintaining rigorous identity security standards shouldn’t have to overwhelm your IT team or budget.
By finding a solution that allows remote workers to regain access without circumventing MFA and strong credentials, with simple management of credential lifecycles, you can cut down on the considerable amount of downtime and disruptions for remote employees caused when IT is called in to solve system access issues. You can completely eliminate temporary passwords and the vulnerabilities they cause. You can help relieve the considerable burdens on your IT team and the costs associated with it. And ultimately, you can manage a remote workforce in an era where hackers are looking to exploit it without compromising on security.