In the era of the perimeter-less network and BYOD, managing security for employees comes with a significant set of challenges. It’s a sign of our times that employees are demanding more flexibility and agility in their working world: where they are based, their choice of device, and the multitude of apps and cloud-based services used to communicate, collaborate and conduct business. This significantly changes how we must manage the security risks.
Commercial forces are at play which could exacerbate these risks, because many organisations now rely on a growing legion of temporary staff: freelancers, contractors or consultants brought in on a short-term basis to keep their business operating. It means that the working world as we know it, and the network perimeters in which we operate, are shifting further.
To accommodate these changes, organisations need to balance flexibility with security: ensuring that users are who they say they are, in order to protect their data and manage the risk of compromised user accounts. So how can organisations strengthen their security when managing access for staff brought in on a short-term basis, without slowing them down?
Skills delivered on-demand
The way we work and hire staff is shifting significantly. More fluid working practices, and the ability for teams to collaborate from wherever they are, have enabled significant changes in the way that organisations hire and buy in the skilled staff they need. Many businesses rely heavily on these skills provided ‘on-demand’, and recent figures underline that the freelancing economy is taking off. Estimates are that, in the US alone, by 2020 more than 40 per cent of the American workforce, or 60 million people, will be independent workers: freelancers, contractors and temporary employees. The range of skills we buy in is also broadening in scope. Organisations can hire workers by the week, day or even the hour to manage specific projects, from designing a new corporate website to providing any number of professional services: legal, financial or HR.
However, enabling external parties to connect to the corporate network poses some serious security questions. Often, the very nature of the work that they are called in to do requires access to an organisation’s most sensitive and high-value data. They will be logging on using PCs or tablets that haven’t been subject to the same IT checks, software upgrades or security updates as devices used by staff who are on the payroll. And of course, it’s neither feasible nor practical for contractors or freelance staff to go through the same background checks as internal staff.
So whilst there are considerable financial benefits to buying in skills ‘on-demand’, it takes away an element of control when it comes to ensuring that security best practices are adhered to. However, as with all staff, freelancers and contractors need to be empowered to get on with their jobs quickly and efficiently – adding multiple security barriers is only going to impede their productivity.
Tackling the security risks
Attackers will usually choose the easiest target, one that doesn’t require much effort or time, which is why they are increasingly targeting end users directly: by one estimate, 95 per cent of breaches involve stolen user credentials. There has been a continued rise in phishing and social engineering used to harvest users’ credentials, and even the most ingenious password is not enough on its own to combat the risk of compromised user accounts.
It’s not just the users themselves that pose a risk. Devices running outdated browsers, plugins and operating systems pose a significant security threat to organisations. In fact, research from our own labs team has highlighted a concerning lack of device security in the enterprise; for example, we found that 25 per cent of the Windows devices we observed were running outdated and unsupported versions of Internet Explorer, which leaves those unpatched systems open to more than 700 known vulnerabilities.
Mitigating these risks is achievable by following some golden rules on access control and device visibility:
Firstly, you need to ensure that your external users are who they say they are. As a first line of defence, passwords alone are not enough as a method of authentication or proof of identity. A password-only approach leaves organisations exposed to credentials stolen through phishing, to password-guessing and credential-stuffing tools, and to the fact that users often reuse passwords across multiple accounts, including personal and work accounts, so a breach elsewhere becomes a breach of your systems.
Requiring a second factor on all of your logins protects against attacks that rely on a stolen password alone, adding a layer of security that does not depend on users picking strong, unique passwords. It is not a complete defence: a one-time code can still be phished in real time, so the second factor should be verified server-side with short validity windows and replay protection. The key here is ease of use; cloud-based two-factor services are quick to deploy for external workers and easy to manage for administrators and IT teams.
Improve visibility into the devices accessing your network
Attackers exploit vulnerabilities on out-of-date systems, and that is how many breaches begin. Organisations therefore also need to remove any blind spots when it comes to the health of every device accessing their business applications, including those belonging to contractors and temporary staff, to mitigate the risk from out-of-date and unsecured devices. Giving administrators data on device ownership (managed or personal) and health (operating system, browser and plugin versions, patch level) enables them to make risk-based access control decisions. An out-of-date device should not be permitted to connect to the network, and an unmanaged external device should not be permitted to reach highly sensitive data.
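The two rules above, verified identity and verified device health, can be combined into a single access decision. The following Python is an added example, not code from this article or from Duo’s products: it verifies a TOTP second factor (RFC 6238, the algorithm most authenticator apps implement) with clock-skew tolerance, constant-time comparison and replay protection, then checks the device’s operating system and browser versions against minimum supported floors and refuses unmanaged external devices access to sensitive data. The version floors, the `Device` and `LoginAttempt` structures, and the policy rules are assumptions made for illustration.

```python
"""Risk-based access decision combining a TOTP second factor with a device
posture check.  Added example; not the article's or Duo's code.  The version
floors, sample devices and policy rules below are illustrative assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed minimum supported versions an administrator might set (not from the
# article): anything below the floor is treated as out of date / unsupported.
MIN_VERSIONS = {
    "windows": (10, 0),
    "ie": (11, 0),
    "chrome": (60, 0),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.15063' -> (10, 0, 15063); tuples compare lexicographically."""
    return tuple(int(part) for part in text.split("."))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, used: Set[int],
                step: int = 30, skew: int = 1) -> bool:
    """Accept the current window plus/minus `skew` steps (clock drift), compare
    in constant time, and refuse any window already consumed (replay)."""
    counter = at // step
    for c in range(max(0, counter - skew), counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            if c in used:
                return False
            used.add(c)
            return True
    return False


@dataclass
class Device:
    os: str
    os_version: str
    browser: str
    browser_version: str
    managed: bool  # enrolled in the organisation's management tooling


@dataclass
class LoginAttempt:
    user: str
    external: bool  # contractor / freelancer rather than payroll staff
    password_ok: bool
    otp: str
    device: Device


def posture_findings(device: Device) -> List[str]:
    """Return the reasons a device fails the posture policy (empty = healthy)."""
    findings = []
    for name, version in ((device.os, device.os_version),
                          (device.browser, device.browser_version)):
        floor = MIN_VERSIONS.get(name)
        if floor is None:
            findings.append(f"unknown component {name!r}")
        elif parse_version(version) < floor:
            floor_text = ".".join(str(n) for n in floor)
            findings.append(f"{name} {version} is below supported floor {floor_text}")
    return findings


def decide(attempt: LoginAttempt, secret: bytes, now: int, used: Set[int],
           sensitive: bool = False) -> Tuple[str, List[str]]:
    """Identity first, then device health, then data sensitivity.
    Returns ('allow' | 'deny', reasons)."""
    if not attempt.password_ok:
        return "deny", ["password rejected"]
    if not verify_totp(secret, attempt.otp, now, used):
        return "deny", ["second factor rejected"]
    findings = posture_findings(attempt.device)
    if findings:
        return "deny", findings
    if sensitive and attempt.external and not attempt.device.managed:
        return "deny", ["unmanaged external device may not reach sensitive data"]
    return "allow", []
```

The order of checks matters: the second factor is verified before any device data is trusted, because posture claims come from the client and are only meaningful once the user has proven who they are. The `used` set stands in for per-user server-side state; in production it would live in a datastore shared by all authentication nodes, otherwise a captured code could be replayed against a different node within the same window.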
Just as the BYOD era has driven specific policies on employee-owned PCs, smartphones and tablets, we now need to address the rules that govern how external workers access the corporate network. It doesn’t mean relinquishing control: we can achieve a balance between the security this new world demands and more flexible and fluid working practices.
Henry Seddon, VP EMEA, Duo Security