The new prolonged stint of home working for so many of us poses significant challenges to businesses. Many have already written about the social and psychological issues that have arisen from home working including isolation and stress, but one aspect is sometimes overlooked: maintaining security and avoiding data compromise from afar.
Millions of people are now handling sensitive work data outside their office for the first time. It can be hard enough to keep data locked down in the office, where there are IT security officers to monitor the network, and employees are in their ‘work mindset.’ Working from home presents a new set of challenges, including employees using company devices on their home networks, feeling more relaxed and being caught off guard by phishing scams and hacker attempts, and having less access to their internal IT team members.
In an ever-changing work climate that can be quickly shifted by a crisis, companies have a lot of work to do when preparing and handling changes. According to a survey performed by PwC, more than two-thirds of global CEOs believe that their businesses are experiencing more threats to business growth than three years prior.
With the week 2 theme of National Cybersecurity Awareness Month being “securing devices at home and work,” this is the perfect time to shine a light on some of the rising technological issues we’ve seen in our shift to WFH and how to proactively combat them.
Trouble with VPNs
One of the first issues that organizations faced when scaling up their remote workforce was the short time that they had to get their new IT infrastructure in place. Most organizations will opt for virtual private networks (VPNs) to enable employees, vendors and third parties to access their network systems remotely. However, the majority of VPNs on the market today are unable to scale quickly enough, and lack sufficient security to meet the current demand.
VPNs were originally developed to create a connection between two internal points within a network and eliminate intrusion. Although this particular application of VPN is still a relevant way to mitigate these attacks, over time, the use case of VPN has been stretched to not only connect points within the same network but also from within a network to an external point. As the security landscape has developed, it has become apparent that VPNs are too vulnerable to be used to facilitate connections like these because they are not set up to give any significant, granular control. Just look at the recent vulnerability reports around some of the most popular VPNs on the market — such as Pulse Secure™, Palo Alto GlobalProtect™ and Fortinet FortiGate™ VPN products.
Secure Remote Access with Privileged Access Management
When you consider business continuity challenges related to a 100% remote workforce, the organization needs to:
- Allow secure access to the resources required, but not the entire network
- Ensure that only the admin is taking actions on the resources
- Provide granular privilege – not everyone with access needs complete administrative access
- Manage resources anywhere without requiring knowledge of the network configuration to access the resources
- Allow an admin to access the resources they need to manage from a business point of view without the dependencies of VPN
To accomplish these goals, organizations should avoid the VPN altogether, and use the full capabilities privileged access management (PAM) provides to enforce least privilege.
By providing your IT administration teams, outsourced IT, and third-party vendors with secure access to critical infrastructure resources regardless of location, it enables security professionals to control, monitor, and manage access to critical systems by privileged users.
If faced with scaling a VPN solution to support a huge uptick in remote users, this approach is much more cost-effective. Arguably, the biggest benefit is keeping users off the network, and in the process, ensuring a “clean source” that doesn’t require IT to worry about the health of third-party workstations or laptops, VPN infrastructure and software, etc.
Not all remote access is secure as we’ve seen, and certainly not all equal. A VPN may be serviceable and better than nothing, but there are far better options available that provide more granular control, reduce risk, and enable outsourced IT without the need of including administrators in Active Directory.
Many organizations thought they were ready, or adapted well to the new normal of a larger remote workforce. But relying on VPNs rather than maintaining consistent security postures will create more risk and vulnerability to breaches. By forgetting about the VPN, and solidifying your secure remote access, you’ll be well on your way to enabling automated, intelligent, real-time decisions for granting privileged access.