The sudden shift to remote work poses two challenges to organizations: fending off cyber attacks and keeping your remote workers productive, according to LogMeIn’s Rachael Stockton in this opinion * piece. Multi-factor authentication offers one solution.
Businesses around the world have transformed their organizations into remote ones overnight – something many were likely not prepared for. And the transition to a remote workforce isn’t an easy one, especially taking into consideration how many cybercriminals are evolving their strategies to target remote workers. The increase has been so drastic that some organizations have seen phishing schemes targeting remote workers rise by 40%.
The security challenges of a remote workforce are two-fold: the external-facing angle to set up measures to prevent cyberattacks, but there’s also the internal-facing view of securely connecting employees to their work without slowing them down. The conflict between security and simplicity is always a difficult balance in cybersecurity (and is even more so now), but it doesn’t have to be that way.
Secure business, empower employees
Authentication can help organizations meet both: the security demands of the business and the experience demands from employees, which is even more critical now for remote employees to remain productive.
There are a variety of authentication types, one of which is multi-factor authentication, or MFA, which combines two or more authentication factors as requirements in the login experience prior to the employee gaining access. MFA is framed around the concept of something you know (a password), something you have (a mobile device) and something you are (a biometric).
MFA adds an additional layer of security to every single employee login, giving IT teams the assurance that employees are who they are while logging in. This is particularly critical in a time where IT does not have physical oversight over employees. The extra layer of security through MFA helps prove to IT that the employee login is legitimate, and that the employee hasn’t fallen victim to a phishing scheme.
Contextual authentication raises the bar
Contextual authentication is a type of MFA and is termed literally: it adapts with the context of the login. The value of contextual authentication is that legitimate employees can seamlessly authenticate into their work, while higher risk transactions are presented with more authentication requirements. Contextual authentication is underpinned by a machine learning data model or a set of policies, both of which have a standard for what is considered normal user behavior. When the employee login behavior deviates from the normal, the contextual authentication would flag the login as high risk or deny it.
When employees are working remotely, contextual authentication is of increased importance for IT because it offers additional information about the user logging in. Where is the employee logging in from? What device is the employee on? What time of day is the employee attempting to log in at? All of these factors play a role in whether the employee should be successful authenticated or not. And in a time when IT has less physical oversight into employee access and authentication, contextual authentication can help supplement this lack of physical oversight with deeper context about the employee login to enable IT to make more informed authentication decisions.
Consider location, an especially critical consideration during times of remote work. Should employees be able to authenticate into a work application outside of a specific radius from the office? A state in which the employee does not live? A country in which the business does not operate from? If an employee regularly authenticates into their work from a specific location, an authentication request coming from an unknown geographic area would be considered high risk with contextual authentication.
Geofencing is a common type of contextual authentication and enables IT to restrict access based on location. IT can define geographic areas in which an employee is approved to log in from, whether it be within a certain radius from the office or the entire state, as well as areas where an employee is not able to authenticate from, such as a country where the business does not operate. These defined geofences can help IT teams ensure that remote employees not only who they say they are, but also where they say they are which is an added assurance that the login is legitimate. If an authentication request comes from an unknown location, contextual authentication gives IT deeper insight about the login to make an informed decision on whether to approve or deny the request.
Keep it simple, password-less
A simple login experience is critical for remote employees. The transition to a remote workforce comes with a variety of changes and challenges, not only from the IT perspective, but also from the employee perspective. Employees personal lives and work lives are closer than ever, and employees have no time to spare but that does not mean work is slowing down.
Passwordless authentication enables employees to securely log into their work without having to type a traditional username and password – which is a more streamlined and secure login experience. This helps employees maintain productivity with their work because the authentication process does not slow them down. Employees can navigate between applications without the friction of stopping to type a password for each, all while every login is secure. Passwordless authentication helps IT balance security and user experience and is made possible by technologies such as biometrics.
Biometrics are physically who employees are as an individual – their fingerprint, face or even voice. Biometrics are becoming an increasingly used authentication factor due to their ease of use. Employees can simply authenticate into their work by the touch of their fingerprint and enables them to spend less time logging in and more on the task at hand.
Passwordless authentication can be coupled with contextual authentication and is a great example of increasing security without slowing employees down. IT can add an additional layer of security to every employee login, and passwordless authentication enables the login experience for employees to be seamless.
For remote workers: MFA everywhere
When it comes to where you should add MFA, whether the team is working in the office or remote, the short answer is to everywhere you can: VPNs, workstations and even applications.
Since so many employees are working remote, the use of Virtual Private Networks (VPN) are skyrocketing. The trouble with VPNs is that by default they don’t require much to verify that a user is who they say they are, and if a hacker gains access, they will be able to log into the corporate network. The best way to mitigate these risks when using a VPN is to enable MFA; after a user enters their corporate credentials to connect to the VPN, they are also prompted to provide additional authentication factor to verify their identity. Because the additional information is only something the employee could possibly provide – like a fingerprint, or access to a personal smartphone – any would-be hackers are thwarted.
Employee workstations are one of the most exposed access points in an organization, and that risk exists even more so as employees work remote, particularly if employees are working in a public location. 80% of data breaches are caused by passwords and 30% of data breaches involved employee workstations. By adding an additional layer of security to the workstation, even if your employee’s device is compromised, hackers will be unable to log into the workstation because they would not be able to authenticate with MFA.
Also consider applications. The average employee actively uses 36 cloud services at work, and some of those applications may be more business-critical than others. Evaluate which applications require an additional layer of security, for example those with financial data or personally identifiable information, to ensure the organization is in compliance and that sensitive data does not end up in the wrong hands. Evaluate whether there are some applications that are more business critical than others, and whether they need an extra layer of security.
Security and simplicity are key
As businesses worldwide are working remotely, now is more important of a time than ever to ensure every access point in the business is protected. As more and more cybercriminals capitalize on the opportunity for phishing and hacking, MFA is one simple and secure method to thwart the risk and secure your remote workforce.
While there are many options and different facets of MFA to choose from, adding MFA everywhere can help secure every remote employee login, regardless of where that login is coming from. And most of all, it’s crucial to consider the right balance of security and experience – too much friction slows employees down and not enough security opens the business up to risk.
(*) Disclosure: This opinion was sponsored by LastPass, a LogMeIn brand. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.